In the Linux kernel, the following vulnerability has been resolved: net: rose: include node references in rose_neigh refcount Current implementation maintains two separate reference counting mechanisms: the 'count' field in struct rose_neigh tracks references from rose_node structures, while the 'use' field (now refcount_t) tracks references from rose_sock. This patch merges these two reference counting systems using 'use' field for proper reference management. Specifically, this patch adds incrementing and decrementing of rose_neigh->use when rose_neigh->count is incremented or decremented. This patch also modifies rose_rt_free(), rose_rt_device_down() and rose_clear_route() to properly release references to rose_neigh objects before freeing a rose_node through rose_remove_node(). These changes ensure rose_neigh structures are properly freed only when all references, including those from rose_node structures, are released. As a result, this resolves a slab-use-after-free issue reported by Syzbot.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-Other
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b70374c80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc2a61c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc59ea80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcc9b1480> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702b70376c40> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bde165c40> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702b703769c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc59ea00> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc59dcc0> | Operating System |
| linux | linux_kernel | 6.17 | <built-in method update of dict object at 0x702b70377380> | Operating System |
| linux | linux_kernel | 6.17 | <built-in method update of dict object at 0x702b70374e40> | Operating System |
| linux | linux_kernel | 6.17 | <built-in method update of dict object at 0x702bfc2a7a80> | Operating System |
| debian | debian_linux | 11.0 | <built-in method update of dict object at 0x702bdc6a7340> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.17:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.17:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.17:rc3:*:*:*:*:*:* |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |