A use-after-free vulnerability (CVE-2023-52922) was recently discovered in the Linux kernel, specifically in the can: bcm: bcm_proc_show() function. This issue has been fixed, and in this post, we will provide a detailed analysis of the vulnerability, including code snippets, links to original references, and exploit details.

Vulnerability Details

The vulnerability was reported as "KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80" and was traced back to the bcm_proc_show() function in the kernel's can: bcm module. Analysis of the call trace showed that bcm_release() frees the bcm_op before removing its procfs entry, so a bcm_proc_show() call running in that window can still follow the entry to the already freed bcm_op.

To better understand this vulnerability, let's take a closer look at the code snippet which caused this issue:

void bcm_release(struct kref *kref)
{
...
  op = container_of(kref, struct bcm_op, kref);
...
  list_del(&op->list);
  kfree_skb(op->skb);
  kfree_skb(op->rx_skb);
  op->skb = NULL;
  op->rx_skb = NULL;
...
  up_read(&ifaddr->bcmop_bh_sem);
  kfree(op);        /* op is released here ... */
...
  proc_remove(p);   /* ... but the procfs entry still points at it until here */
}

Here, bcm_op is freed with kfree(op) before the procfs entry is removed with proc_remove(p). During that window the entry still points at the freed memory, so bcm_proc_show(), which reads bcm_op through the entry, performs a use-after-free.

Fix

The fix ensures that the procfs entry is removed before bcm_op is freed in bcm_release().

void bcm_release(struct kref *kref)
{
...
  op = container_of(kref, struct bcm_op, kref);
...
  list_del(&op->list);
  kfree_skb(op->skb);
  kfree_skb(op->rx_skb);
  op->skb = NULL;
  op->rx_skb = NULL;
...
  up_read(&ifaddr->bcmop_bh_sem);
  proc_remove(p);   /* unlink the procfs entry first, so no reader can reach op */
  kfree(op);        /* only then release the object */
}

By moving proc_remove(p) before kfree(op), no procfs reader can reach the object once it has been freed, and the use-after-free is resolved.
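The ordering problem is easier to see in a small userspace model than in the kernel itself. The following C program is an added example written for this post; it is not kernel code and none of its names (bcm_op_model, proc_entry_model, kfree_model, proc_remove_model, simulate_release) are real kernel APIs. It models a procfs entry as a raw pointer to a bcm_op-like object, replaces kfree() with a poison flag so the "freed" state can be observed without undefined behaviour (the role KASAN plays in the real report), and runs a simulated concurrent reader in the window between the two teardown steps in both the buggy and the fixed order.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model of the bcm_release() ordering bug.
 * Everything ending in _model is hypothetical and not a kernel API. */

/* Stand-in for struct bcm_op: the data bcm_proc_show() reads. */
struct bcm_op_model {
    unsigned int can_id;
    unsigned long frames_seen;
    bool freed;   /* poison flag: kfree_model() sets it instead of releasing memory */
};

/* Stand-in for a procfs entry: it keeps a raw pointer to the op. */
struct proc_entry_model {
    struct bcm_op_model *op;
    bool registered;
};

#define SHOW_NO_ENTRY  (-1L)  /* entry already removed: reader sees nothing, safe */
#define SHOW_UAF       (-2L)  /* reader touched freed memory: what KASAN flags */

static struct bcm_op_model op_pool[1];        /* static pool, so "kfree" is just poisoning */
static struct proc_entry_model proc_table[1];

static struct bcm_op_model *kmalloc_model(void)
{
    struct bcm_op_model *op = &op_pool[0];
    memset(op, 0, sizeof(*op));
    return op;
}

static void kfree_model(struct bcm_op_model *op) { op->freed = true; }

static void proc_create_model(struct proc_entry_model *p, struct bcm_op_model *op)
{
    p->op = op;
    p->registered = true;
}

static void proc_remove_model(struct proc_entry_model *p)
{
    p->registered = false;
    p->op = NULL;
}

/* Stand-in for bcm_proc_show(): follows the entry's pointer and reads the op. */
static long bcm_proc_show_model(const struct proc_entry_model *p)
{
    if (!p->registered)
        return SHOW_NO_ENTRY;
    if (p->op->freed)
        return SHOW_UAF;   /* in the kernel this is the slab-use-after-free */
    return (long)p->op->frames_seen;
}

/* Reader running while the socket is still alive: the normal case. */
long simulate_live_read(void)
{
    struct bcm_op_model *op = kmalloc_model();
    struct proc_entry_model *p = &proc_table[0];
    op->can_id = 0x123;
    op->frames_seen = 42;
    proc_create_model(p, op);
    long observed = bcm_proc_show_model(p);
    proc_remove_model(p);
    kfree_model(op);
    return observed;
}

/* Runs the release sequence with a simulated concurrent reader in the window
 * between the two teardown steps. fixed_order selects proc_remove-before-kfree. */
long simulate_release(bool fixed_order)
{
    struct bcm_op_model *op = kmalloc_model();
    struct proc_entry_model *p = &proc_table[0];
    op->can_id = 0x123;
    op->frames_seen = 42;
    proc_create_model(p, op);

    if (fixed_order)
        proc_remove_model(p);   /* fixed: unlink the entry first */
    else
        kfree_model(op);        /* buggy: free the op while the entry still points at it */

    long observed = bcm_proc_show_model(p);   /* reader races into the window */

    if (fixed_order)
        kfree_model(op);
    else
        proc_remove_model(p);

    return observed;
}

int main(void)
{
    printf("live read before release:              %ld\n", simulate_live_read());
    printf("buggy order (kfree then proc_remove):  %ld\n", simulate_release(false));
    printf("fixed order (proc_remove then kfree):  %ld\n", simulate_release(true));
    return 0;
}
```

With the buggy order the reader reaches the poisoned object (SHOW_UAF); with the fixed order the entry is already gone when the reader arrives (SHOW_NO_ENTRY), which is exactly why the patch only needs to swap the two calls.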

References

1. Linux kernel source code: CAN subsystem
2. Linux kernel mailing list thread discussing the issue
3. CVE-2023-52922

Conclusion

The use-after-free vulnerability in the Linux kernel's can: bcm module (CVE-2023-52922) has been fixed by ensuring the procfs entry is removed before freeing bcm_op in the bcm_release() function. It is essential for Linux kernel maintainers and users to be aware of this issue and apply the patch to their systems to mitigate potential security risks.

Timeline

Published on: 11/28/2024 15:15:17 UTC
Last modified on: 12/19/2024 08:28:37 UTC