Linux Kernel NULL Pointer Dereference Vulnerability in ATM VCC Message Sending

Vulnerability

A NULL pointer dereference vulnerability has been identified in the Linux kernel's ATM (Asynchronous Transfer Mode) subsystem, specifically within the clip (AAL5) implementation. This issue arises because the atmarpd_dev_ops structure does not properly implement the 'send' method, leading to a potential crash. The vulnerability was reported by syzbot and is present in Linux kernel versions through 6.15.0-rc6.
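The failure mode described above, as an added user-space example that is not kernel code or the upstream patch: an operations table that omits its send method, next to two defensive patterns (a guarded dispatch and a registration-time completeness check). All struct and function names are hypothetical, and the model assumes the missing method shows up as a NULL function pointer in the table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* User-space model; every name here is hypothetical, none is kernel code. */
struct msg { const char *data; size_t len; };
struct vcc;
struct dev_ops {
    void (*close)(struct vcc *v);
    int  (*send)(struct vcc *v, struct msg *m);  /* NULL when left unset */
};
struct vcc { const struct dev_ops *ops; };

static void demo_close(struct vcc *v) { (void)v; }
/* Stub send: accepts and discards the message so dispatch has a valid target. */
static int discard_send(struct vcc *v, struct msg *m) { (void)v; (void)m; return 0; }
/* A table with close only (the failure mode) and a complete table. */
const struct dev_ops close_only_ops = { .close = demo_close };
const struct dev_ops complete_ops   = { .close = demo_close, .send = discard_send };

/* Unguarded dispatch: calls through NULL if send is unset. Never called here. */
int sendmsg_unguarded(struct vcc *v, struct msg *m) { return v->ops->send(v, m); }

/* Guarded dispatch: a missing method becomes an error code, not a crash. */
int sendmsg_guarded(struct vcc *v, struct msg *m) {
    if (!v || !v->ops || !v->ops->send)
        return -EOPNOTSUPP;
    return v->ops->send(v, m);
}

/* Registration check: reject incomplete tables before any caller sees them. */
int register_ops(struct vcc *v, const struct dev_ops *ops) {
    if (!ops || !ops->close || !ops->send)
        return -EINVAL;
    v->ops = ops;
    return 0;
}

/* Send one constructed message through the guarded path on the given table. */
int run_guarded(const struct dev_ops *ops) {
    struct vcc v = { .ops = ops };
    struct msg m = { "constructed payload", 19 };
    return sendmsg_guarded(&v, &m);
}
int main(void) {
    struct vcc v = { 0 };
    printf("%d %d %d\n", run_guarded(&close_only_ops), run_guarded(&complete_ops), register_ops(&v, &close_only_ops));
    return 0;
}
```

Either pattern alone closes the gap in this model: the stub gives every dispatch a valid target, and the registration check catches an incomplete table at setup time instead of at the first send.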

Impact

Exploitation of this vulnerability leads to a kernel NULL pointer dereference, causing a system crash. This type of error can often be exploited to execute arbitrary code in the kernel context, depending on the system configuration and the nature of the workload at the time of the crash.

Reproduction

The vulnerability can be reproduced by sending a message through a VCC (Virtual Channel Connection) using the 'sendmmsg' system call. This can be done by a process running with no specific user privileges, as the issue does not require elevated rights. The 'atmarpd_dev_ops' structure will fail to handle the message properly, resulting in a NULL pointer dereference.

Remediation

Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.