CVE-2024-47709

can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: Clear bo->bcm_proc_read after remove_proc_entry().

syzbot reported a warning in bcm_release(). [0]

The blamed change fixed another warning that is triggered when
connect() is issued again for a socket whose connect()ed device has
been unregistered.

However, if the socket is just close()d without the 2nd connect(), the
remaining bo->bcm_proc_read triggers unnecessary remove_proc_entry()
in bcm_release().

Let's clear bo->bcm_proc_read after remove_proc_entry() in bcm_notify().

[0]
name '4986'
WARNING: CPU: 0 PID: 5234 at fs/proc/generic.c:711 remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Modules linked in:
CPU: 0 UID: 0 PID: 5234 Comm: syz-executor606 Not tainted 6.11.0-rc5-syzkaller-00178-g5517ae241919 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:remove_proc_entry+0x2e7/0x5d0 fs/proc/generic.c:711
Code: ff eb 05 e8 cb 1e 5e ff 48 8b 5c 24 10 48 c7 c7 e0 f7 aa 8e e8 2a 38 8e 09 90 48 c7 c7 60 3a 1b 8c 48 89 de e8 da 42 20 ff 90 <0f> 0b 90 90 48 8b 44 24 18 48 c7 44 24 40 0e 36 e0 45 49 c7 04 07
RSP: 0018:ffffc9000345fa20 EFLAGS: 00010246
RAX: 2a2d0aee2eb64600 RBX: ffff888032f1f548 RCX: ffff888029431e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc9000345fb08 R08: ffffffff8155b2f2 R09: 1ffff1101710519a
R10: dffffc0000000000 R11: ffffed101710519b R12: ffff888011d38640
R13: 0000000000000004 R14: 0000000000000000 R15: dffffc0000000000
FS: 0000000000000000(0000) GS:ffff8880b8800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fcfb52722f0 CR3: 000000000e734000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
bcm_release+0x250/0x880 net/can/bcm.c:1578
__sock_release net/socket.c:659 [inline]
sock_close+0xbc/0x240 net/socket.c:1421
__fput+0x24a/0x8a0 fs/file_table.c:422
task_work_run+0x24f/0x310 kernel/task_work.c:228
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0xa2f/0x27f0 kernel/exit.c:882
do_group_exit+0x207/0x2c0 kernel/exit.c:1031
__do_sys_exit_group kernel/exit.c:1042 [inline]
__se_sys_exit_group kernel/exit.c:1040 [inline]
__x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1040
x64_sys_call+0x2634/0x2640 arch/x86/include/generated/asm/syscalls_64.h:232
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fcfb51ee969
Code: Unable to access opcode bytes at 0x7fcfb51ee93f.
RSP: 002b:00007ffce0109ca8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fcfb51ee969
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000001
RBP: 00007fcfb526f3b0 R08: ffffffffffffffb8 R09: 0000555500000000
R10: 0000555500000000 R11: 0000000000000246 R12: 00007fcfb526f3b0
R13: 0000000000000000 R14: 00007fcfb5271ee0 R15: 00007fcfb51bf160
</TASK>

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-30 CVE Reserved
2024-10-21 CVE Published
2024-10-25 EPSS Updated
2024-11-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (17)

URL	Tag	Source
https://git.kernel.org/stable/c/5c680022c4e28ba18ea500f3e29f0428271afa92	Vuln. Introduced
https://git.kernel.org/stable/c/33ed4ba73caae39f34ab874ba79138badc2c65dd	Vuln. Introduced
https://git.kernel.org/stable/c/aec92dbebdbec7567d9f56d7c9296a572b8fd849	Vuln. Introduced
https://git.kernel.org/stable/c/10bfacbd5e8d821011d857bee73310457c9c989a	Vuln. Introduced
https://git.kernel.org/stable/c/3b39dc2901aa7a679a5ca981a3de9f8d5658afe8	Vuln. Introduced
https://git.kernel.org/stable/c/4377b79323df62eb5d310354f19b4d130ff58d50	Vuln. Introduced
https://git.kernel.org/stable/c/abb0a615569ec008e8a93d9f3ab2d5b418ea94d4	Vuln. Introduced
https://git.kernel.org/stable/c/76fe372ccb81b0c89b6cd2fec26e2f38c958be85	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f5059fae5ed518fc56494ce5bdd4f5360de4b3bc	2024-11-08
https://git.kernel.org/stable/c/a833da8eec20b51af39643faa7067b25c8b20f3e	2024-11-08
https://git.kernel.org/stable/c/5cc00913c1fdcab861c4e65fa20d1f1e1bbbf977	2024-10-17
https://git.kernel.org/stable/c/9550baada4c8ef8cebefccc746384842820b4dff	2024-10-17
https://git.kernel.org/stable/c/7a145d6ec2124bdb94bd6fc436b342ff6ddf2b70	2024-10-17
https://git.kernel.org/stable/c/c3d941cc734e0c8dc486c062926d5249070af5e4	2024-10-04
https://git.kernel.org/stable/c/770b463264426cc3c167b1d44efa85f6a526ce5b	2024-10-04
https://git.kernel.org/stable/c/b02ed2f01240b226570b4a19b5041d61f5125784	2024-10-04
https://git.kernel.org/stable/c/94b0818fa63555a65f6ba107080659ea6bcca63e	2024-09-12

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.322 < 4.19.323 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.322 < 4.19.323"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.284 < 5.4.285 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.284 < 5.4.285"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.226 < 5.10.227 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.226 < 5.10.227"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.167 < 5.15.168 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.167 < 5.15.168"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.110 < 6.1.113 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.110 < 6.1.113"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.51 < 6.6.54 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.51 < 6.6.54"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.10.10 < 6.10.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.10.10 < 6.10.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.11 < 6.11.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.11.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.11 < 6.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.11 < 6.12"		en		Affected