A use-after-free vulnerability (CVE-2023-52922) was recently discovered in the Linux kernel, specifically in the can: bcm: bcm_proc_show() function. This issue has been fixed, and in this post, we will provide a detailed analysis of the vulnerability, including code snippets, links to original references, and exploit details.
Vulnerability Details
The vulnerability was reported as KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 and was traced back to the bcm_proc_show() function in the can: bcm module of the Linux kernel. Analyzing the call trace, it was identified that the bug was caused by freeing bcm_op before the procfs entry was removed in bcm_release(), so bcm_proc_show() could still be invoked and read the freed bcm_op.
To better understand this vulnerability, let's take a closer look at the code snippet which caused this issue:
void bcm_release(struct kref *kref)
{
    ...
    op = container_of(kref, struct bcm_op, kref);
    ...
    list_del(&op->list);
    kfree_skb(op->skb);
    kfree_skb(op->rx_skb);
    op->skb = NULL;
    op->rx_skb = NULL;
    ...
    up_read(&ifaddr->bcmop_bh_sem);
    kfree(op);          /* op is freed here ... */
    ...
    proc_remove(p);     /* ... but the procfs entry that reads it is still live */
}
Here, bcm_op is freed with kfree(op) before the procfs entry is removed with proc_remove(p). In that window the procfs file still exists, so a read of it calls bcm_proc_show(), which dereferences the already freed bcm_op: a use-after-free.
Fix:
The fix was implemented by ensuring that the procfs entry is removed before freeing bcm_op in the bcm_release() function.
void bcm_release(struct kref *kref)
{
    ...
    op = container_of(kref, struct bcm_op, kref);
    ...
    list_del(&op->list);
    kfree_skb(op->skb);
    kfree_skb(op->rx_skb);
    op->skb = NULL;
    op->rx_skb = NULL;
    ...
    up_read(&ifaddr->bcmop_bh_sem);
    proc_remove(p);     /* unpublish the procfs entry first ... */
    kfree(op);          /* ... then free the object it reads */
}
By moving proc_remove(p) before kfree(op), the use-after-free vulnerability is resolved.
Links to Original References
1. Linux kernel source code: CAN subsystem
2. Linux kernel mailing list thread discussing the issue
3. CVE-2023-52922
Conclusion
The use-after-free vulnerability in the Linux kernel's can: bcm module (CVE-2023-52922) has been fixed by ensuring the procfs entry is removed before freeing bcm_op in the bcm_release() function. It is essential for Linux kernel maintainers and users to be aware of this issue and apply the patch to their systems to mitigate potential security risks.
Timeline
Published on: 11/28/2024 15:15:17 UTC
Last modified on: 12/19/2024 08:28:37 UTC