References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

net: rose: fix invalid array index in rose_kill_by_device()

rose_kill_by_device() collects sockets into a local array[] and then
iterates over them to disconnect sockets bound to a device being brought
down.

The loop mistakenly indexes array[cnt] instead of array[i]. For cnt <
ARRAY_SIZE(array), this reads an uninitialized entry; for cnt ==
ARRAY_SIZE(array), it is an out-of-bounds read. Either case can lead to
an invalid socket pointer dereference and also leaks references taken
via sock_hold().

Fix the index to use i.

https://git.kernel.org/stable/c/1418c12cd3bba79dc56b57b61c99efe40f579981

https://git.kernel.org/stable/c/6595beb40fb0ec47223d3f6058ee40354694c8e4

https://git.kernel.org/stable/c/92d900aac3a5721fb54f3328f1e089b44a861c38

https://git.kernel.org/stable/c/9f6185a32496834d6980b168cffcccc2d6b17280

https://git.kernel.org/stable/c/b409ba9e1e63ccf3ab4cc061e33c1f804183543e