Linux Kernel Refcounting Vulnerability in ROSE Protocol Neighbor Structure

Vulnerability

A vulnerability exists in the Linux kernel's handling of the ROSE protocol's neighbor structure, specifically in the reference counting mechanism. The 'use' field, intended as a reference counter, lacks atomicity, leading to potential race conditions. This issue can cause a 'rose_neigh' structure to be freed while still in use by other code paths, creating a use-after-free vulnerability. The problem is particularly evident when the 'use' counter reaches zero during an ioctl operation, allowing the structure to be removed while its timer is still active.

Impact

This vulnerability can lead to a use-after-free condition, where a freed structure is still referenced, potentially causing memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by performing operations that manipulate the ROSE protocol's neighbor structure, particularly through ioctl calls. The lack of atomic reference counting can be exploited, leading to a use-after-free condition.

Remediation

The vulnerability has been addressed by changing the 'use' field to use atomic reference counting, ensuring that the reference count is managed safely across different code paths. Users should upgrade to the latest version of the Linux kernel where this patch has been applied.
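As an added user-space illustration (not kernel code and not the patch itself) of the atomic dec-and-test pattern the fix relies on, with hypothetical names: the timer path holds its own reference, so the ioctl removal path can only drop the list's reference, and the structure is freed by whichever path puts the last one.

```c
/* Added example: model of the rose_neigh lifetime fix in user space.
 * The 'use' field becomes an atomic counter and a put frees the object
 * only when it drops the last reference. Names are hypothetical. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>

struct neigh {
    atomic_int use;   /* replaces the non-atomic 'use' counter */
    bool removed;     /* unlinked from the neighbour list by ioctl */
};

static int freed_count;   /* how many structures were actually freed */

static struct neigh *neigh_alloc(void) {
    struct neigh *n = calloc(1, sizeof *n);
    atomic_init(&n->use, 1);   /* the neighbour list holds one reference */
    return n;
}

static void neigh_hold(struct neigh *n) { atomic_fetch_add(&n->use, 1); }

/* Dec-and-test: returns true only if this call dropped the last reference.
 * A plain 'use--' here could lose an update when two paths decrement
 * concurrently, which is the race the advisory describes. */
static bool neigh_put(struct neigh *n) {
    if (atomic_fetch_sub(&n->use, 1) == 1) {
        free(n);
        freed_count++;
        return true;
    }
    return false;
}

/* Scenario from the advisory: a timer is armed, an ioctl removes the
 * neighbour, then the timer completes. Returns the number of frees that
 * happened before the timer path finished; 0 means no use-after-free. */
static int scenario_ioctl_remove_during_timer(void) {
    freed_count = 0;
    struct neigh *n = neigh_alloc();
    neigh_hold(n);                  /* timer path takes its own reference */
    n->removed = true;              /* ioctl: unlink from the list ... */
    neigh_put(n);                   /* ... and drop the list's reference */
    int freed_before_timer_done = freed_count;
    neigh_put(n);                   /* timer done: last reference, now freed */
    return freed_before_timer_done;
}

static int total_frees(void) { return freed_count; }
```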

Added: Sep 16, 2025, 3:53 PM
Updated: Sep 16, 2025, 3:53 PM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.