Linux Kernel Rose Protocol Reference Count Management Vulnerability

Vulnerability

A use-after-free vulnerability has been addressed in the Linux kernel's handling of the ROSE (Radio Operating Service) protocol. This issue arose from improper reference counting in the 'rose_neigh' structure, which manages neighbor nodes. The vulnerability was caused by two separate reference counting mechanisms: the 'count' field tracked references from 'rose_node' structures, while the 'use' field (now refcount_t) managed references from 'rose_sock'. The vulnerability allowed for a slab-use-after-free condition, where memory could be freed while still in use, potentially leading to arbitrary code execution or memory corruption.

Impact

Exploitation of this vulnerability could lead to a use-after-free condition, causing memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by manipulating the reference counting in the 'rose_neigh' structure. This can be done by incrementing and decrementing the 'count' field without properly managing the 'use' field, leading to a use-after-free condition. The issue can be triggered by adding and removing nodes in the ROSE protocol's routing management, specifically through the 'rose_add_node' and 'rose_del_node' functions, without the appropriate reference count adjustments.
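The lifetime rule behind this issue, as an added user-space example (not kernel code and not from the original advisory): it models node references tracked in 'count' and socket references tracked in 'use', first with split accounting and then with node references also counted in 'use'. The model_* names, the 'freed' flag and the choice to release when 'use' reaches zero are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model of the two counters the advisory describes. Not kernel code:
 * model_* names are hypothetical and 'freed' is a flag, nothing is deallocated. */
struct model_neigh {
    int count;   /* references held by route nodes (rose_node side) */
    int use;     /* references held by sockets (rose_sock side) */
    bool freed;
};

/* Assumption of this model: release happens when 'use' reaches zero. */
static void model_put(struct model_neigh *n) { if (--n->use == 0) n->freed = true; }

/* Split accounting: adding a node bumps 'count' only. */
static void split_add_node(struct model_neigh *n) { n->count++; }

/* Unified accounting: each node reference also holds a 'use' reference. */
static void unified_add_node(struct model_neigh *n) { n->count++; n->use++; }
static void unified_del_node(struct model_neigh *n) { n->count--; model_put(n); }

/* Node references still pointing at the object when it is marked freed. */
int dangling_nodes_split(void)
{
    struct model_neigh n = { 0, 0, false };
    split_add_node(&n);  /* route node references the neighbour */
    n.use++;             /* socket attaches */
    model_put(&n);       /* socket detaches: use == 0, object released */
    return n.freed ? n.count : 0;
}

/* Same sequence with unified accounting; -1 would mean it never released. */
int dangling_nodes_unified(void)
{
    struct model_neigh n = { 0, 0, false };
    unified_add_node(&n);            /* count = 1, use = 1 */
    n.use++;                         /* socket attaches: use = 2 */
    model_put(&n);                   /* socket detaches: use = 1 */
    int early = n.freed ? n.count : 0;
    unified_del_node(&n);            /* node removed: use = 0, released */
    return n.freed ? early + n.count : -1;
}

int main(void)
{
    printf("split=%d unified=%d\n", dangling_nodes_split(), dangling_nodes_unified());
    return 0;
}
```

A non-zero result means some holder still references the object at the point of release, which is the condition a single counter covering every holder rules out.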

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: Sep 16, 2025, 3:52 PM
Updated: Sep 16, 2025, 3:52 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.