Linux Kernel NULL Pointer Dereference Vulnerability in ROSE Protocol

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's ROSE (Routing Over Serial Lines) protocol implementation. The issue arises in version 6.0.0 in the 'rose_send_frame' function in 'net/rose/rose_link.c'. It was introduced by a previous commit that failed to check for NULL values in the loopback neighbor structure, which allows a timer callback to dereference a NULL pointer. The issue was reported by syzkaller, a kernel fuzzer, which triggered the NULL pointer dereference by simulating ROSE protocol socket operations.

Impact

Exploitation of this vulnerability leads to a kernel panic due to a NULL pointer dereference, causing a denial of service condition.
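
An added example, not from the original advisory or the kernel project: a log triage helper that picks out NULL-dereference crash reports whose stack trace passes through rose_send_frame and notes whether the trace ran in timer context. The log excerpt is constructed (offsets, addresses and example_driver_poll are made up), and the header strings and the call_timer_fn marker are assumptions about how the crash appears in the kernel log.

```python
import re

NULL_DEREF = re.compile(r"BUG: kernel NULL pointer dereference|KASAN: null-ptr-deref")
END_TRACE = re.compile(r"---\[ end trace")
FRAME = re.compile(r"\b([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")  # symbol+0xoff/0xsize
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s*")  # leading "[  101.000001] " timestamp
TARGET = "rose_send_frame"  # function named in the advisory

# Constructed sample log: a matching report, an unrelated NULL dereference,
# and a WARNING that names the function but is not a NULL dereference.
SAMPLE_LOG = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000380
[  101.000002] RIP: 0010:rose_send_frame+0x1c/0x200
[  101.000003] Call Trace:
[  101.000004]  rose_loopback_timer+0x2a/0x300
[  101.000005]  call_timer_fn+0x3b/0x400
[  101.000006] ---[ end trace 0000000000000000 ]---
[  250.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.000002] RIP: 0010:example_driver_poll+0x20/0x90
[  250.000003] Call Trace:
[  250.000004]  call_timer_fn+0x3b/0x400
[  250.000005] ---[ end trace 0000000000000000 ]---
[  300.000001] WARNING: CPU: 0 PID: 1 at net/rose/rose_link.c:0 rose_send_frame+0x1c/0x200
"""

def find_rose_null_derefs(log_text, target=TARGET):
    """Return NULL-dereference reports whose stack frames include `target`."""
    hits, current = [], None
    def close(report):
        if report and target in report["frames"]:
            report["via_timer"] = "call_timer_fn" in report["frames"]
            hits.append(report)
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw)
        if NULL_DEREF.search(line):
            close(current)  # a new report began before the previous one ended
            current = {"header": line, "frames": []}
        elif current is not None:
            current["frames"] += FRAME.findall(line)
            if END_TRACE.search(line):
                close(current)
                current = None
    close(current)  # log was truncated in the middle of a report
    return hits

if __name__ == "__main__":
    for hit in find_rose_null_derefs(SAMPLE_LOG):
        print(hit["header"], "->", " <- ".join(hit["frames"]))
```
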

Reproduction

The vulnerability can be reproduced by creating a ROSE protocol socket, binding it to a device, and then connecting it in a way that triggers the loopback timer. This process can be automated with a syzkaller reproduction script that simulates the necessary socket operations.

Remediation

The vulnerability has been fixed in the Linux kernel by adding proper NULL checks in the affected functions. Users should upgrade to the latest stable version of the kernel where this fix has been applied.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.