Linux Kernel Rose Protocol Invalid Array Index Vulnerability in Socket Management

Vulnerability

An invalid array index vulnerability has been identified in the Linux kernel's handling of the Rose protocol. The issue is in the 'rose_kill_by_device' function, which collects sockets into a local array and then iterates over them to disconnect the sockets bound to a device being shut down. The loop indexes the array incorrectly, so it can read uninitialized data or access memory out of bounds. The result can be an invalid socket pointer dereference, which causes a crash. The socket references that were held are also leaked, which creates a risk of use-after-free conditions.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition by crashing the system or service. Because the socket references that were held are leaked, it may also lead to a use-after-free condition.

Reproduction

The vulnerability can be reproduced by invoking the 'rose_kill_by_device' function with a device that is being brought down. The function will collect sockets into a local array and iterate over them. Due to the incorrect indexing of the array, the function will read an uninitialized entry or access memory out-of-bounds, leading to a crash or a use-after-free condition.
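The collect-then-iterate pattern described in the Vulnerability and Reproduction sections, as an added userspace model that is not the kernel's code. All names, the array size and the sample sockets are hypothetical, and indexing by the element count instead of the loop variable is the assumed form of the mis-indexing.

```c
#include <stdio.h>

#define BATCH 4  /* size of the local array; model value, not the kernel's */
struct model_sock { int refs; int dev; int connected; };  /* hypothetical */

/* Collect sockets bound to dev (holding a reference on each), then disconnect
 * them and drop the references. flawed != 0 indexes the second loop by the
 * count instead of the loop variable. Returns sockets disconnected. */
static int kill_by_device(struct model_sock *tbl, size_t n, int dev, int flawed)
{
    /* Spare slot and NULL fill let the model observe the bad read safely;
     * a real on-stack array has neither. */
    struct model_sock *array[BATCH + 1] = { NULL };
    size_t cnt = 0, i;
    int done = 0;

    for (i = 0; i < n && cnt < BATCH; i++)
        if (tbl[i].dev == dev) {
            tbl[i].refs++;               /* reference held */
            array[cnt++] = &tbl[i];
        }
    for (i = 0; i < cnt; i++) {
        struct model_sock *s = array[flawed ? cnt : i];
        if (s == NULL)
            continue;  /* in a kernel: uninitialized or out-of-bounds pointer */
        s->connected = 0;
        s->refs--;                       /* reference released */
        done++;
    }
    return done;
}

/* Constructed sample: three sockets on device 7, one on device 9, each with
 * a baseline of one reference. Reports references left above baseline. */
static int run(int flawed, int *leaked)
{
    struct model_sock tbl[] = { {1, 7, 1}, {1, 9, 1}, {1, 7, 1}, {1, 7, 1} };
    int done = kill_by_device(tbl, 4, 7, flawed);
    *leaked = 0;
    for (size_t i = 0; i < 4; i++)
        *leaked += tbl[i].refs - 1;
    return done;
}

int demo_leaked(int flawed) { int l; run(flawed, &l); return l; }
int demo_disconnected(int flawed) { int l; return run(flawed, &l); }

int main(void) { printf("leaked refs: flawed=%d fixed=%d\n",
                        demo_leaked(1), demo_leaked(0)); return 0; }
```

In the flawed mode no socket is disconnected and every reference taken during collection stays held, which is the leak the advisory ties to the use-after-free risk.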

Remediation

Users can upgrade to the patched version of the Linux kernel available in the official Linux kernel repositories. Instructions for upgrading the kernel can be found in the documentation for the specific Linux distribution being used.

Added: Jan 13, 2026, 4:49 PM
Updated: Jan 13, 2026, 4:49 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.