CVE-2023-53344

Source
https://cve.org/CVERecord?id=CVE-2023-53344
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53344.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-53344
Published
2025-09-17T14:56:37.024Z
Modified
2026-03-20T12:33:06.176770Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write
Details

In the Linux kernel, the following vulnerability has been resolved:

can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write

Syzkaller reported the following issue:

=====================================================
BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline]
BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600
 aio_rw_done fs/aio.c:1520 [inline]
 aio_write+0x899/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:766 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 __kmem_cache_alloc_node+0x71f/0xce0 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x11d/0x3b0 mm/slab_common.c:981
 kmalloc_array include/linux/slab.h:636 [inline]
 bcm_tx_setup+0x80e/0x29d0 net/can/bcm.c:930
 bcm_sendmsg+0x3a2/0xce0 net/can/bcm.c:1351
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 sock_write_iter+0x495/0x5e0 net/socket.c:1108
 call_write_iter include/linux/fs.h:2189 [inline]
 aio_write+0x63a/0x950 fs/aio.c:1600
 io_submit_one+0x1d1c/0x3bf0 fs/aio.c:2019
 __do_sys_io_submit fs/aio.c:2078 [inline]
 __se_sys_io_submit+0x293/0x770 fs/aio.c:2048
 __x64_sys_io_submit+0x92/0xd0 fs/aio.c:2048
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 1 PID: 5034 Comm: syz-executor350 Not tainted 6.2.0-rc6-syzkaller-80422-geda666ff2276 #0

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023

We can follow the call chain and find that the 'bcm_tx_setup' function calls 'memcpy_from_msg' to copy some content to the newly allocated frame of 'op->frames'. After that, the 'len' field of the copied structure is compared with some constant value (64 or 8). However, if 'memcpy_from_msg' returns an error, we will compare some uninitialized memory. This triggers the 'uninit-value' issue.

This patch adds handling of possible 'memcpy_from_msg' errors to avoid the uninit-value issue.

Tested via syzkaller
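
The pattern described above, as an added user-space model (not the kernel's code and not part of the original record): a copy that can fail, followed by a length test on the destination buffer. The names copy_from_msg, tx_setup, struct frame and the POISON fill are assumptions made for illustration; the poison bytes stand in for uninitialized slab memory so the behaviour is deterministic.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DLEN 8    /* classic CAN limit, the "8" in the text above */
#define POISON   0xAA /* constructed: stands in for uninitialized heap bytes */

struct frame { unsigned int can_id; unsigned char len; unsigned char data[MAX_DLEN]; };

/* Hypothetical stand-in for memcpy_from_msg(): on failure it returns
 * -EFAULT and leaves dst untouched. A NULL src models the faulting copy. */
static int copy_from_msg(void *dst, const void *src, size_t n)
{
    if (!src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* check_copy == 0: length test runs regardless of the copy result (bug).
 * check_copy == 1: bail out on copy failure before touching cf->len (fix).
 * *len_read reports whether cf->len was examined at all. */
int tx_setup(const struct frame *user, int check_copy, int *len_read)
{
    struct frame *cf = malloc(sizeof(*cf));
    int err;
    *len_read = 0;
    if (!cf)
        return -ENOMEM;
    memset(cf, POISON, sizeof(*cf)); /* make "uninitialized" deterministic */
    err = copy_from_msg(cf, user, sizeof(*cf));
    if (check_copy && err < 0)
        goto out;
    *len_read = 1;
    if (cf->len > MAX_DLEN) /* without the check this may test poison bytes */
        err = -EINVAL;
out:
    free(cf);
    return err;
}

int main(void)
{
    int seen;
    printf("unchecked: %d\n", tx_setup(NULL, 0, &seen)); /* -EINVAL from poison */
    printf("checked:   %d\n", tx_setup(NULL, 1, &seen)); /* -EFAULT, len never read */
    return 0;
}
```

In the unchecked path the return value is decided by bytes the copy never wrote, which is the read KMSAN flags; with the check, the copy error is returned before 'len' is consulted.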

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53344.json",
    "cna_assigner": "Linux"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
6f3b911d5f29b98752e5da86a295210c0c4f4e14
Fixed
3fa0f1e0e31b1b73cdf59d4c36c7242e6ef821be
Fixed
618b15d09fed6126356101543451d49860db4388
Fixed
78bc7f0ab99458221224d3ab97199c0f8e6861f1
Fixed
ab2a55907823f0bca56b6d03ea05e4071ba8535f
Fixed
bf70e0eab64c625da84d9fdf4e84466b79418920
Fixed
c11dbc7705b3739974ac31a13f4ab81e61a5fb07
Fixed
2e6ad51c709fa794e0ce26003c9c9cd944e3383a
Fixed
2b4c99f7d9a57ecd644eda9b1fb0a1072414959f

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-53344.json"