Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A NULL pointer dereference vulnerability has been identified in the Linux kernel's ROSE (Radio Over Serial Link Emulation) socket implementation. It affects kernel versions prior to the fix and is triggered when rose_connect() is called a second time while a previous connection attempt on the same socket is still in progress. The function does not validate the socket's connection state before proceeding, so the second call overwrites the socket's neighbour reference with NULL. When the socket is later closed, that NULL reference is dereferenced, crashing the kernel. The vulnerability was reported by syzkaller, and the reproducer is available on GitHub.
Exploitation of this vulnerability leads to a system crash due to a NULL pointer dereference.
To reproduce this vulnerability, initiate a connection with rose_connect() and then call it again before the first connection is fully established. The second call overwrites the neighbour reference with NULL. When the socket is closed, the kernel attempts to transmit over the link, dereferences the NULL neighbour pointer, and crashes.
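The following is an added, constructed C model of the bug class described above; it is not the kernel's ROSE code, and every name in it (model_sock, lookup_neighbour, connect_unchecked, connect_checked, close_sock) is hypothetical. It places the unvalidated connect path beside a hardened one that rejects re-entry while a connection is in flight, which is the state check the description says was missing, and it guards the teardown path so the model reports the would-be dereference instead of crashing.

```c
/* Constructed model (added example, not the kernel's ROSE code) of a second
 * connect() during an in-progress connection clobbering the neighbour
 * pointer that close() later dereferences. All names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

enum sock_state { ST_UNCONNECTED, ST_CONNECTING, ST_CONNECTED };

struct neighbour {
    const char *name;
};

struct model_sock {
    enum sock_state state;
    struct neighbour *neighbour;   /* link used to transmit frames */
};

/* Hypothetical route lookup: the first call resolves a neighbour; while a
 * connection to that destination is still pending, a repeated lookup
 * yields NULL, the "no usable neighbour" outcome the description refers to. */
static struct neighbour *lookup_neighbour(struct model_sock *sk)
{
    static struct neighbour peer = { "peer-neigh" };   /* constructed peer */
    return sk->state == ST_CONNECTING ? NULL : &peer;
}

/* Vulnerable shape: no state validation, so a second call while
 * connecting overwrites neighbour with the NULL lookup result. */
int connect_unchecked(struct model_sock *sk)
{
    sk->neighbour = lookup_neighbour(sk);
    sk->state = ST_CONNECTING;
    return 0;
}

/* Hardened shape: reject re-entry while a connect is in flight, before
 * touching any socket state. */
int connect_checked(struct model_sock *sk)
{
    if (sk->state == ST_CONNECTING)
        return -EALREADY;       /* earlier attempt still in progress */
    if (sk->state == ST_CONNECTED)
        return -EISCONN;
    struct neighbour *n = lookup_neighbour(sk);
    if (!n)
        return -ENETUNREACH;
    sk->neighbour = n;
    sk->state = ST_CONNECTING;
    return 0;
}

/* Teardown transmits over the link; in the kernel this is where the NULL
 * dereference happens. The model guards it and reports instead of crashing. */
int close_sock(struct model_sock *sk)
{
    if (sk->state != ST_UNCONNECTED && !sk->neighbour)
        return -EFAULT;         /* would have dereferenced NULL here */
    sk->state = ST_UNCONNECTED;
    sk->neighbour = NULL;
    return 0;
}

/* Drive the double-connect sequence through a given connect() variant and
 * report whether the neighbour survived (1) or was clobbered (0). */
int neighbour_intact_after_double_connect(int (*conn)(struct model_sock *))
{
    struct model_sock sk = { ST_UNCONNECTED, NULL };
    conn(&sk);          /* first attempt: resolves neighbour, now CONNECTING */
    conn(&sk);          /* second attempt while still CONNECTING */
    return sk.neighbour != NULL;
}

int main(void)
{
    printf("unchecked connect: neighbour %s\n",
           neighbour_intact_after_double_connect(connect_unchecked) ? "intact" : "NULL");
    printf("checked connect:   neighbour %s\n",
           neighbour_intact_after_double_connect(connect_checked) ? "intact" : "NULL");
    return 0;
}
```

The design point is that the check belongs at the top of connect(), before any pointer is written: once the neighbour has been replaced, every later path that trusts the socket's state (here, the transmit on close) inherits the NULL, so a guard in close_sock() alone only turns a crash into a silently failed teardown.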
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.