{"id":"CVE-2024-46771","summary":"can: bcm: Remove proc entry when dev is unregistered.","details":"In the Linux kernel, the following vulnerability has been resolved:\n\ncan: bcm: Remove proc entry when dev is unregistered.\n\nsyzkaller reported a warning in bcm_connect() below. [0]\n\nThe repro calls connect() to vxcan1, removes vxcan1, and calls\nconnect() with ifindex == 0.\n\nCalling connect() for a BCM socket allocates a proc entry.\nThen, bcm_sk(sk)-\u003ebound is set to 1 to prevent further connect().\n\nHowever, removing the bound device resets bcm_sk(sk)-\u003ebound to 0\nin bcm_notify().\n\nThe 2nd connect() tries to allocate a proc entry with the same\nname and sets NULL to bcm_sk(sk)-\u003ebcm_proc_read, leaking the\noriginal proc entry.\n\nSince the proc entry is available only for connect()ed sockets,\nlet's clean up the entry when the bound netdev is unregistered.\n\n[0]:\nproc_dir_entry 'can-bcm/2456' already registered\nWARNING: CPU: 1 PID: 394 at fs/proc/generic.c:376 proc_register+0x645/0x8f0 fs/proc/generic.c:375\nModules linked in:\nCPU: 1 PID: 394 Comm: syz-executor403 Not tainted 6.10.0-rc7-g852e42cc2dd4\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014\nRIP: 0010:proc_register+0x645/0x8f0 fs/proc/generic.c:375\nCode: 00 00 00 00 00 48 85 ed 0f 85 97 02 00 00 4d 85 f6 0f 85 9f 02 00 00 48 c7 c7 9b cb cf 87 48 89 de 4c 89 fa e8 1c 6f eb fe 90 \u003c0f\u003e 0b 90 90 48 c7 c7 98 37 99 89 e8 cb 7e 22 05 bb 00 00 00 10 48\nRSP: 0018:ffa0000000cd7c30 EFLAGS: 00010246\nRAX: 9e129be1950f0200 RBX: ff1100011b51582c RCX: ff1100011857cd80\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002\nRBP: 0000000000000000 R08: ffd400000000000f R09: ff1100013e78cac0\nR10: ffac800000cd7980 R11: ff1100013e12b1f0 R12: 0000000000000000\nR13: 0000000000000000 R14: 0000000000000000 R15: ff1100011a99a2ec\nFS:  00007fbd7086f740(0000) GS:ff1100013fd00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00000000200071c0 CR3: 0000000118556004 CR4: 0000000000771ef0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n proc_create_net_single+0x144/0x210 fs/proc/proc_net.c:220\n bcm_connect+0x472/0x840 net/can/bcm.c:1673\n __sys_connect_file net/socket.c:2049 [inline]\n __sys_connect+0x5d2/0x690 net/socket.c:2066\n __do_sys_connect net/socket.c:2076 [inline]\n __se_sys_connect net/socket.c:2073 [inline]\n __x64_sys_connect+0x8f/0x100 net/socket.c:2073\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xd9/0x1c0 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x4b/0x53\nRIP: 0033:0x7fbd708b0e5d\nCode: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48\nRSP: 002b:00007fff8cd33f08 EFLAGS: 00000246 ORIG_RAX: 000000000000002a\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fbd708b0e5d\nRDX: 0000000000000010 RSI: 0000000020000040 RDI: 0000000000000003\nRBP: 0000000000000000 R08: 0000000000000040 R09: 0000000000000040\nR10: 0000000000000040 R11: 0000000000000246 R12: 00007fff8cd34098\nR13: 0000000000401280 R14: 0000000000406de8 R15: 00007fbd70ab9000\n \u003c/TASK\u003e\nremove_proc_entry: removing non-empty directory 'net/can-bcm', leaking at least '2456'","modified":"2026-04-16T04:31:20.785101220Z","published":"2024-09-18T07:12:29.363Z","related":["SUSE-SU-2024:3551-1","SUSE-SU-2024:3553-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2024:3569-1","SUSE-SU-2024:3587-1","SUSE-SU-2024:3592-1","SUSE-SU-2024:4367-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:0236-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46771.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/10bfacbd5e8d821011d857bee73310457c9c989a"},{"type":"WEB","url":"https://git.kernel.org/stable/c/33ed4ba73caae39f34ab874ba79138badc2c65dd"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3b39dc2901aa7a679a5ca981a3de9f8d5658afe8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4377b79323df62eb5d310354f19b4d130ff58d50"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5c680022c4e28ba18ea500f3e29f0428271afa92"},{"type":"WEB","url":"https://git.kernel.org/stable/c/76fe372ccb81b0c89b6cd2fec26e2f38c958be85"},{"type":"WEB","url":"https://git.kernel.org/stable/c/abb0a615569ec008e8a93d9f3ab2d5b418ea94d4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/aec92dbebdbec7567d9f56d7c9296a572b8fd849"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00003.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/46xxx/CVE-2024-46771.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-46771"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"ffd980f976e7fd666c2e61bf8ab35107efd11828"},{"fixed":"5c680022c4e28ba18ea500f3e29f0428271afa92"},{"fixed":"33ed4ba73caae39f34ab874ba79138badc2c65dd"},{"fixed":"aec92dbebdbec7567d9f56d7c9296a572b8fd849"},{"fixed":"10bfacbd5e8d821011d857bee73310457c9c989a"},{"fixed":"3b39dc2901aa7a679a5ca981a3de9f8d5658afe8"},{"fixed":"4377b79323df62eb5d310354f19b4d130ff58d50"},{"fixed":"abb0a615569ec008e8a93d9f3ab2d5b418ea94d4"},{"fixed":"76fe372ccb81b0c89b6cd2fec26e2f38c958be85"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46771.json"}}],"schema_version":"1.7.5"}