PT-2025-18633 · Linux+2 · Linux Kernel+2

Published 2025-05-01 · Updated 2025-07-10 · CVE-2022-49916

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to the fix of the NULL pointer dereference in rose_send_frame()

Description

A NULL pointer dereference was found in the Linux kernel, in the rose_send_frame() function. The issue was reported by syzkaller and occurs when 'neigh->dev->dev_addr' is dereferenced in rose_send_frame(). The 'neigh' variable is first seen in rose_loopback_timer() as 'rose_loopback_neigh', and the 'dev' in 'rose_loopback_neigh' is initialized to NULL. The issue was previously fixed but was reintroduced by a later commit. To fix this, a NULL check was added in rose_transmit_clear_request(). When the 'dev' in 'neigh' is NULL, the request is not replied to and is simply cleared.

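The guard described above, as an added user-space model; it is not kernel source and not the upstream patch. The struct layouts, the `replies`/`dropped` counters and `process_requests()` are assumptions made for illustration; only the function and field names come from the description.

```c
#include <stdio.h>
#include <string.h>

/* User-space model: names follow the advisory text, bodies are assumptions. */
#define ADDR_LEN 7
struct net_device { unsigned char dev_addr[ADDR_LEN]; };
struct rose_neigh {
    struct net_device *dev;   /* NULL for the loopback neighbour */
    unsigned int replies;     /* clear-request frames actually sent */
    unsigned int dropped;     /* requests cleared without a reply */
};

/* Models rose_send_frame(): it reads neigh->dev->dev_addr unconditionally,
 * which is the dereference that faults when dev is NULL. */
static void rose_send_frame(struct rose_neigh *neigh, unsigned char *src)
{
    memcpy(src, neigh->dev->dev_addr, ADDR_LEN);
    neigh->replies++;
}

/* Hardened form described above: no device, no reply, request just cleared.
 * Returns 1 if a reply frame was sent, 0 if the request was dropped. */
int rose_transmit_clear_request(struct rose_neigh *neigh)
{
    unsigned char src[ADDR_LEN];

    if (neigh->dev == NULL) {   /* the added NULL check */
        neigh->dropped++;
        return 0;
    }
    rose_send_frame(neigh, src);
    return 1;
}

/* Constructed scenario: n clear requests arriving for one neighbour. */
int process_requests(struct rose_neigh *neigh, int n)
{
    int sent = 0;
    for (int i = 0; i < n; i++)
        sent += rose_transmit_clear_request(neigh);
    return sent;
}

int main(void)
{
    struct rose_neigh rose_loopback_neigh = { .dev = NULL };
    printf("replies sent: %d\n", process_requests(&rose_loopback_neigh, 3));
    return 0;
}
```
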
Recommendations

For Linux kernel versions prior to the fix, consider applying the patch that adds a NULL check in rose_transmit_clear_request() to prevent the NULL pointer dereference. As a temporary workaround, consider disabling the rose_loopback_timer() function until a patch is available. Restrict access to the rose_send_frame() function to minimize the risk of exploitation. Avoid using the 'neigh' variable in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

NULL Pointer Dereference


Weakness Enumeration

Related Identifiers

CVE-2022-49916
SUSE-SU-2025:01918-1
SUSE-SU-2025:01966-1
SUSE-SU-2025:02173-1
SUSE-SU-2025:02262-1
SUSE-SU-2025:2173-1
SUSE-SU-2025_02173-1
SUSE-SU-2025_02262-1

Affected Products

Astra Linux
Linux Kernel
Suse