CVE-2023-52922

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-52922
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-52922.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-52922
Downstream
Related
Published
2024-11-28T15:15:17Z
Modified
2025-08-09T19:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Fix UAF in bcmprocshow()

BUG: KASAN: slab-use-after-free in bcmprocshow+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862

CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dumpstacklvl+0xd5/0x150 printreport+0xc1/0x5e0 kasanreport+0xba/0xf0 bcmprocshow+0x969/0xa80 seqreaditer+0x4f6/0x1260 seqread+0x165/0x210 procregread+0x227/0x300 vfsread+0x1d5/0x8d0 ksysread+0x11e/0x240 dosyscall64+0x35/0xb0 entrySYSCALL64after_hwframe+0x63/0xcd

Allocated by task 7846: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 kasankmalloc+0x9e/0xa0 bcmsendmsg+0x264b/0x44e0 socksendmsg+0xda/0x180 _syssendmsg+0x735/0x920 _syssendmsg+0x11d/0x1b0 _syssendmsg+0xfa/0x1d0 dosyscall64+0x35/0xb0 entrySYSCALL64afterhwframe+0x63/0xcd

Freed by task 7846: kasansavestack+0x1e/0x40 kasansettrack+0x21/0x30 kasansavefreeinfo+0x27/0x40 __kasanslabfree+0x161/0x1c0 slabfreefreelisthook+0x119/0x220 _kmemcachefree+0xb4/0x2e0 rcucore+0x809/0x1bd0

bcmop is freed before procfs entry be removed in bcmrelease(), this lead to bcmprocshow() may read the freed bcm_op.

References

Affected packages