References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

net: rose: convert 'use' field to refcount_t

The 'use' field in struct rose_neigh is used as a reference counter but
lacks atomicity. This can lead to race conditions where a rose_neigh
structure is freed while still being referenced by other code paths.

For example, when rose_neigh->use becomes zero during an ioctl operation
via rose_rt_ioctl(), the structure may be removed while its timer is
still active, potentially causing use-after-free issues.

This patch changes the type of 'use' from unsigned short to refcount_t and
updates all code paths to use rose_neigh_hold() and rose_neigh_put() which
operate reference counts atomically.

https://git.kernel.org/stable/c/0085b250fcc79f900c82a69980ec2f3e1871823b

https://git.kernel.org/stable/c/203e4f42596ede31498744018716a3db6dbb7f51

https://git.kernel.org/stable/c/d860d1faa6b2ce3becfdb8b0c2b048ad31800061

https://git.kernel.org/stable/c/f8c29fc437d03a98fb075c31c5be761cc8326284

https://git.kernel.org/stable/c/fb07156cc0742ba4e93dfcc84280c011d05b301f