Acknowledged
Created: Jun 9, 2025
Updated: Jun 12, 2025
Found In Version: 10.22.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 22
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]can: bcm: add locking for bcm_op runtime updates[EOL][EOL]The CAN broadcast manager (CAN BCM) can send a sequence of CAN frames via[EOL]hrtimer. The content and also the length of the sequence can be changed[EOL]resp reduced at runtime where the 'currframe' counter is then set to zero.[EOL][EOL]Although this appeared to be a safe operation the updates of 'currframe'[EOL]can be triggered from user space and hrtimer context in bcm_can_tx().[EOL]Anderson Nascimento created a proof of concept that triggered a KASAN[EOL]slab-out-of-bounds read access which can be prevented with a spin_lock_bh.[EOL][EOL]At the rework of bcm_can_tx() the 'count' variable has been moved into[EOL]the protected section as this variable can be modified from both contexts[EOL]too.
CREATE(Triage):(User=lchen-cn) [CVE-2025-38004 (https://nvd.nist.gov/vuln/detail/CVE-2025-38004)
