Linux Kernel ATM TCP Invalid Length SKB Free Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ATM TCP implementation has been addressed. The issue involved the improper handling of socket buffer (SKB) lengths in the 'atmtcp_c_send' function. When the SKB length was zero, the function failed to correctly free the SKB, leading to a memory leak. Additionally, the function's validation of the SKB length was insufficient, allowing uninitialized data to be accessed. The vulnerability was reported by syzbot.

Impact

Exploitation of this vulnerability could lead to memory leaks and the potential for using uninitialized data, which can cause undefined behavior in the kernel.

Reproduction

The vulnerability can be reproduced by sending a message over an ATM socket using the 'vcc_sendmsg' function. That function copies data from userspace into an SKB and passes it to the appropriate device operations, which then call 'atmtcp_c_send', where the vulnerability lies. The SKB length check incorrectly allows a zero length to be processed, leading to the memory leak and access to uninitialized data.
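The two defects described above (the zero-length SKB that is never released, and the header read that is not guarded by a length check) are both consequences of one contract: a send handler that is handed an SKB owns it and must release it on every return path, and it must not parse a header the SKB is too short to contain. The following is a constructed userspace model written for this page, not kernel code; the names skb_model, vcc_model, hdr_model, send_vulnerable, send_fixed and run_case are assumptions of the example, and the 0xAA fill stands in for stale memory beyond the valid length so that the "before" handler's read of uninitialized data is observable without undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not kernel code) of the contract a send handler must honour:
 * it owns the skb it is handed and must release it on every return path, and it
 * must not read a header the skb is too short to contain. */

#define SKB_CAPACITY 64   /* bytes reserved per buffer; only skb->len of them are valid */
#define UNINIT_BYTE  0xAA /* stands in for stale memory beyond the valid length */

struct hdr_model { uint16_t vpi; uint16_t vci; uint32_t length; }; /* 8-byte header */

struct skb_model { unsigned int len; unsigned char data[SKB_CAPACITY]; };

struct vcc_model { void (*pop)(struct vcc_model *vcc, struct skb_model *skb); };

static int skb_frees;             /* observable: how many buffers were released */
static uint32_t last_hdr_length;  /* observable: the header length field a handler read */

/* Allocate a buffer whose first len bytes are real (zeroed) payload; the rest is "stale". */
static struct skb_model *skb_new(unsigned int len)
{
    struct skb_model *skb = malloc(sizeof *skb);
    skb->len = len;
    memset(skb->data, UNINIT_BYTE, SKB_CAPACITY);
    memset(skb->data, 0, len);
    return skb;
}

/* Release step shared by both handlers: hand the skb back via pop, or free it. */
static void skb_release(struct vcc_model *vcc, struct skb_model *skb)
{
    if (vcc->pop) {
        vcc->pop(vcc, skb);
    } else {
        free(skb);
        skb_frees++;
    }
}

/* Interpret the header; callers must only reach this once the header is known to be present. */
static int handle_header(struct skb_model *skb)
{
    struct hdr_model hdr;
    memcpy(&hdr, skb->data, sizeof hdr);
    last_hdr_length = hdr.length;
    return (int)skb->len - (int)sizeof hdr; /* payload bytes that follow the header */
}

/* Before: a zero-length skb returns without being released, and any other length
 * reads the header even when fewer than sizeof(hdr) bytes are valid. */
static int send_vulnerable(struct vcc_model *vcc, struct skb_model *skb)
{
    int result;
    if (!skb->len)
        return 0;                  /* BUG: skb is never released -> memory leak */
    result = handle_header(skb);   /* BUG: a 1..7 byte skb yields stale bytes as the header */
    skb_release(vcc, skb);
    return result;
}

/* After: one length check guards the header read, and every path reaches the release. */
static int send_fixed(struct vcc_model *vcc, struct skb_model *skb)
{
    int result = 0;
    if (skb->len < sizeof(struct hdr_model))
        goto done;                 /* too short for a header: drop it, but still release it */
    result = handle_header(skb);
done:
    skb_release(vcc, skb);
    return result;
}

/* Drive one handler with a buffer of the given length; returns how many buffers it released. */
static int run_case(int (*handler)(struct vcc_model *, struct skb_model *), unsigned int len)
{
    struct vcc_model vcc = { .pop = NULL };
    int before = skb_frees;
    last_hdr_length = 0;
    handler(&vcc, skb_new(len));
    return skb_frees - before;
}

static uint32_t header_length_seen(void) { return last_hdr_length; }

int main(void)
{
    printf("vulnerable, len 0: released %d (expect 0: leaked)\n", run_case(send_vulnerable, 0));
    printf("vulnerable, len 2: released %d, header length read 0x%08x (stale bytes)\n",
           run_case(send_vulnerable, 2), header_length_seen());
    printf("fixed,      len 0: released %d\n", run_case(send_fixed, 0));
    printf("fixed,      len 2: released %d, header length read 0x%08x (never parsed)\n",
           run_case(send_fixed, 2), header_length_seen());
    return 0;
}
```

The point a reviewer checks in a handler of this shape is that the early-exit condition and the release step are not on separate paths: in the fixed variant the single `skb->len < sizeof(hdr)` test covers the zero-length case, and the only way out is through the label that releases the buffer.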

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jul 4, 2025, 3:57 PM
Updated: Jul 4, 2025, 3:57 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.