Linux Kernel ATM Clip Infinite Recursion Vulnerability

Vulnerability

A vulnerability in the Linux kernel's ATM clip handling has been identified, which can lead to an infinite recursive call in the 'clip_push()' function. This issue arises when the 'ioctl(ATMARP_MKIP)' command is called multiple times on the same virtual circuit (VCC). The first call sets the VCC's push function, while the second call overwrites it with a reference to the old push function. When the socket is closed, the destruction process inadvertently triggers the old push function, causing a recursive loop. The vulnerability has been addressed by modifying the 'clip_mkip()' function to prevent this second 'ioctl(ATMARP_MKIP)' call from occurring, thus eliminating the potential for recursion.
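The handler chaining described above can be modelled in userspace. The C program below is an added example, not kernel code and not the actual fix: the names clip_state, mkip_model and clip_push_model, the guard condition, and the depth cap that stands in for the stack overflow are all assumptions made for the model.

```c
/* Userspace model (not kernel code) of CLIP push-handler chaining. */
#include <stddef.h>
#include <stdio.h>
#define DEPTH_CAP 64                 /* stand-in for exhausting the stack */
struct vcc;
typedef void (*push_fn)(struct vcc *, void *skb);
struct clip_state { push_fn old_push; };  /* handler saved by mkip */
struct vcc {
    push_fn push;                    /* current receive/teardown handler */
    struct clip_state *clip;         /* NULL until CLIP is attached */
    int depth;                       /* instrumentation, model only */
};
static void raw_push(struct vcc *v, void *skb) { (void)v; (void)skb; }

static void clip_push_model(struct vcc *v, void *skb)
{
    if (++v->depth >= DEPTH_CAP)
        return;                      /* the kernel would keep recursing */
    if (!skb)                        /* teardown: call the saved handler */
        v->clip->old_push(v, NULL);
}

/* guarded=0: second call accepted (vulnerable); 1: second call refused */
static int mkip_model(struct vcc *v, struct clip_state *cs, int guarded)
{
    if (guarded && v->clip)
        return -1;                   /* assumed guard: already attached */
    cs->old_push = v->push;          /* 2nd call saves clip_push_model */
    v->clip = cs;
    v->push = clip_push_model;
    return 0;
}

/* Two mkip calls, then close; returns the depth the push chain reached. */
static int close_depth_after_double_mkip(int guarded, int *second_rc)
{
    struct clip_state a = { NULL }, b = { NULL };
    struct vcc v = { raw_push, NULL, 0 };
    mkip_model(&v, &a, guarded);
    *second_rc = mkip_model(&v, &b, guarded);
    v.push(&v, NULL);                /* close passes a NULL buffer */
    return v.depth;
}

int main(void)
{
    int rc0, rc1, d0 = close_depth_after_double_mkip(0, &rc0),
        d1 = close_depth_after_double_mkip(1, &rc1);
    printf("unguarded: depth %d rc %d; guarded: depth %d rc %d\n",
           d0, rc0, d1, rc1);
    return 0;
}
```

In the unguarded run the saved handler is the CLIP handler itself, so the teardown call only stops at the model's cap; in the guarded run the second call is refused and the chain ends at the original handler after one step.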

Impact

Exploitation of this vulnerability causes a stack overflow due to infinite recursion, which can lead to a crash of the affected process or system.

Reproduction

To reproduce this vulnerability, call 'ioctl(ATMARP_MKIP)' on a virtual circuit more than once. The first call will execute normally, but the second call will introduce the vulnerability by overwriting the push function with a reference that, when accessed later, causes an infinite loop. This can be observed by monitoring the system's response, which will indicate a stack overflow error.

Remediation

The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version where this issue has been addressed.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.