CVE-2022-49916

In the Linux kernel, the following vulnerability has been resolved:

rose: Fix NULL pointer dereference in rosesendframe()

The syzkaller reported an issue:

KASAN: null-ptr-deref in range [0x0000000000000380-0x0000000000000387] CPU: 0 PID: 4069 Comm: kworker/0:15 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022 Workqueue: rcugp srcuinvokecallbacks RIP: 0010:rosesendframe+0x1dd/0x2f0 net/rose/roselink.c:101 Call Trace: <IRQ> rosetransmitclearrequest+0x1d5/0x290 net/rose/roselink.c:255 roserxcallrequest+0x4c0/0x1bc0 net/rose/afrose.c:1009 roseloopbacktimer+0x19e/0x590 net/rose/roseloopback.c:111 calltimerfn+0x1a0/0x6b0 kernel/time/timer.c:1474 expiretimers kernel/time/timer.c:1519 [inline] __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790 __runtimers kernel/time/timer.c:1768 [inline] runtimer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803 _dosoftirq+0x1d0/0x9c8 kernel/softirq.c:571 [...] </IRQ>

It triggers NULL pointer dereference when 'neigh->dev->devaddr' is called in the rosesendframe(). It's the first occurrence of the neigh is in roseloopbacktimer() as `roseloopbackneigh', and the 'dev' in 'roseloopback_neigh' is initialized sa nullptr.

It had been fixed by commit 3b3fd068c56e3fbea30090859216a368398e39bf ("rose: Fix Null pointer dereference in rosesendframe()") ever. But it's introduced by commit 3c53cd65dece47dd1f9d3a809f32e59d1d87b2b8 ("rose: check NULL roseloopbackneigh->loopback") again.

We fix it by add NULL check in rosetransmitclear_request(). When the 'dev' in 'neigh' is NULL, we don't reply the request and just clear it.

syzkaller don't provide repro, and I provide a syz repro like: r0 = syzinitnetsocket$btsco(0x1f, 0x5, 0x2) ioctl$sockinetSIOCSIFFLAGS(r0, 0x8914, &(0x7f0000000180)={'rose0\x00', 0x201}) r1 = syzinitnet_socket$rose(0xb, 0x5, 0x0) bind$rose(r1, &(0x7f00000000c0)=@full={0xb, @dev, @null, 0x0, [@null, @null, @netrom, @netrom, @default, @null]}, 0x40) connect$rose(r1, &(0x7f0000000240)=@short={0xb, @dev={0xbb, 0xbb, 0xbb, 0x1, 0x0}, @remote={0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0xcc, 0x1}, 0x1, @netrom={0xbb, 0xbb, 0xbb, 0xbb, 0xbb, 0x0, 0x0}}, 0x1c)