In the Linux kernel, the following vulnerability has been resolved:
can: bcm: Fix UAF in bcm_proc_show()
BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862
CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0
bcm_op is freed before the procfs entry is removed in bcm_release(), so bcm_proc_show() may read the freed bcm_op.
[
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf254b4f68e480e73dab055014e002b77aed30ed",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-010187a8",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-05180b72",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@995f47d76647708ec26c6e388663ad4f3f264787",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-109f48e2",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@11b8e27ed448baa385d90154a141466bd5e92f18",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-240cb73c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c3941bb1eb53abe7d640ffee5c4d6b559829ab3",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-328baef4",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@995f47d76647708ec26c6e388663ad4f3f264787",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-4f2e5486",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-717723cc",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55c3b96074f3f9b0aee19bf93cd71af7516582bb",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-71be9f05",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c3941bb1eb53abe7d640ffee5c4d6b559829ab3",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-73f49d60",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@55c3b96074f3f9b0aee19bf93cd71af7516582bb",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-9b24582a",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@11b8e27ed448baa385d90154a141466bd5e92f18",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-a7a77937",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff",
"signature_version": "v1",
"deprecated": false,
"target": {
"function": "bcm_release",
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-ae74e0bc",
"digest": {
"length": 1291.0,
"function_hash": "216992020897215971684824131849382084385"
},
"signature_type": "Function"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-b83f853c",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-c09cd9b7",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-dbf20667",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
},
{
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf254b4f68e480e73dab055014e002b77aed30ed",
"signature_version": "v1",
"deprecated": false,
"target": {
"file": "net/can/bcm.c"
},
"id": "CVE-2023-52922-dc8815f4",
"digest": {
"threshold": 0.9,
"line_hashes": [
"244374509034032648690373615305139958682",
"37463384322345293591228078688890457460",
"63589772167700462110979852086399718811",
"146933764147713894800962757318386847700",
"339979201729233469224006349967693534179",
"154934445975240281519610662621640933381",
"3723452781760947881429710738663566218",
"126936211198395946198455763369466892445",
"78093004544339997307677406415333479243",
"259332039886536515828888991794453341655"
]
},
"signature_type": "Line"
}
]