CVE-2023-52922

In the Linux kernel, the following vulnerability has been resolved: can: bcm: Fix UAF in bcm_proc_show() BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862 CPU: 1 PID: 7862 Comm: cat Not tainted 6.5.0-rc1-00153-gc8746099c197 #230 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 kasan_report+0xba/0xf0 bcm_proc_show+0x969/0xa80 seq_read_iter+0x4f6/0x1260 seq_read+0x165/0x210 proc_reg_read+0x227/0x300 vfs_read+0x1d5/0x8d0 ksys_read+0x11e/0x240 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Allocated by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op is freed before procfs entry be removed in bcm_release(), this lead to bcm_proc_show() may read the freed bcm_op.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18	Patch
https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3	Patch
https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb	Patch
https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6	Patch
https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787	Patch
https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff	Patch
https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed	Patch
https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7	Patch
https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.5:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.5:rc2::::::

History

13 Jun 2025, 20:15

Type	Values Removed	Values Added
References		() https://allelesecurity.com/use-after-free-vulnerability-in-can-bcm-subsystem-leading-to-information-disclosure-cve-2023-52922/ -

24 Mar 2025, 17:21

Type	Values Removed	Values Added
First Time		Linux linux Kernel Linux
References	~~() https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18 -~~	() https://git.kernel.org/stable/c/11b8e27ed448baa385d90154a141466bd5e92f18 - Patch
References	~~() https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3 -~~	() https://git.kernel.org/stable/c/3c3941bb1eb53abe7d640ffee5c4d6b559829ab3 - Patch
References	~~() https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb -~~	() https://git.kernel.org/stable/c/55c3b96074f3f9b0aee19bf93cd71af7516582bb - Patch
References	~~() https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6 -~~	() https://git.kernel.org/stable/c/9533dbfac0ff7edd77a5fa2c24974b1d66c8b0a6 - Patch
References	~~() https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787 -~~	() https://git.kernel.org/stable/c/995f47d76647708ec26c6e388663ad4f3f264787 - Patch
References	~~() https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff -~~	() https://git.kernel.org/stable/c/9b58d36d0c1ea29a9571e0222a9c29df0ccfb7ff - Patch
References	~~() https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed -~~	() https://git.kernel.org/stable/c/cf254b4f68e480e73dab055014e002b77aed30ed - Patch
References	~~() https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7 -~~	() https://git.kernel.org/stable/c/dfd0aa26e9a07f2ce546ccf8304ead6a2914e8a7 - Patch
CPE		cpe:2.3:o:linux:linux_kernel:6.5:rc2:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.5:rc1::::::

11 Dec 2024, 15:15

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.8
CWE		CWE-416
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: can: bcm: Fix UAF en bcm_proc_show() BUG: KASAN: slab-use-after-free en bcm_proc_show+0x969/0xa80 Lectura de tamaño 8 en la dirección ffff888155846230 por la tarea cat/7862 CPU: 1 PID: 7862 Comm: cat No contaminado 6.5.0-rc1-00153-gc8746099c197 #230 Nombre del hardware: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Seguimiento de llamadas: dump_stack_lvl+0xd5/0x150 print_report+0xc1/0x5e0 Asignado por la tarea 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x9e/0xa0 bcm_sendmsg+0x264b/0x44e0 sock_sendmsg+0xda/0x180 ____sys_sendmsg+0x735/0x920 ___sys_sendmsg+0x11d/0x1b0 __sys_sendmsg+0xfa/0x1d0 do_syscall_64+0x35/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd Liberado por la tarea 7846: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x27/0x40 ____kasan_slab_free+0x161/0x1c0 slab_free_freelist_hook+0x119/0x220 __kmem_cache_free+0xb4/0x2e0 rcu_core+0x809/0x1bd0 bcm_op se libera antes de que se elimine la entrada procfs en bcm_release(), esto lleva a que bcm_proc_show() pueda leer el bcm_op liberado.

28 Nov 2024, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-28 15:15

Updated : 2025-06-13 20:15

NVD link : CVE-2023-52922

Mitre link : CVE-2023-52922

CVE.ORG link : CVE-2023-52922

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-416

Use After Free

7.8 /10