Linux Kernel ATM ATMTCP Driver Arbitrary Write Vulnerability in Control Message Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's ATM ATMTCP driver, in its handling of control messages. It allows arbitrary writes to kernel pointers from user space. The 'atmtcp_control' structure is part of the user API but includes a field for an in-kernel pointer, and messages sent from user space are not properly validated. As a result, a crafted message can overwrite kernel pointers, potentially leading to memory corruption.

Impact

Exploitation of this vulnerability can cause a general protection fault, that is, a crash due to an invalid memory access. Because the flaw allows arbitrary writes to kernel pointers, it could also be used to manipulate kernel memory and potentially execute arbitrary code in the kernel context.

Reproduction

The vulnerability can be reproduced by sending a control message through the ATMTCP socket interface with the ATMTCP_HDR_MAGIC value in the header length field. The message is processed by the 'atmtcp_recv_control' function, which is called from 'atmtcp_c_send'. Because 'atmtcp_c_send' does not validate the message length, the crafted message can overwrite any kernel pointer specified in the 'atmtcp_control' structure.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for updating the kernel can be found in the official Linux kernel documentation.
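
The kind of check whose absence is described under Reproduction, modelled in user space as an added example; it is not the kernel's code or its actual fix. The struct layout, the MODEL_HDR_MAGIC value and the function name model_validate_user_msg are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-space model of the header that starts every ATMTCP
 * message. The layout is an assumption made for this example. */
struct model_hdr {
    uint16_t vpi;
    uint16_t vci;
    uint32_t length;            /* payload length, or the magic marker */
};

/* Stand-in for ATMTCP_HDR_MAGIC; the numeric value is assumed here. */
#define MODEL_HDR_MAGIC 0xFFFFFFFFu

/* Hypothetical pre-send check for buffers that originate in user space.
 * Returns 0 if the message may continue to the send path, -EINVAL if not. */
int model_validate_user_msg(const void *buf, size_t len)
{
    struct model_hdr hdr;

    /* Shorter than a header: reject before reading any field. */
    if (len < sizeof(hdr))
        return -EINVAL;

    memcpy(&hdr, buf, sizeof(hdr));     /* avoids unaligned access */

    /* The magic length marks a control message, whose body holds an
     * in-kernel pointer. Only the kernel may originate one. */
    if (hdr.length == MODEL_HDR_MAGIC)
        return -EINVAL;

    return 0;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    struct model_hdr data = { 0, 32, 0 };
    struct model_hdr ctrl = { 0, 32, MODEL_HDR_MAGIC };

    printf("data message:    %d\n", model_validate_user_msg(&data, sizeof(data)));
    printf("control message: %d\n", model_validate_user_msg(&ctrl, sizeof(ctrl)));
    printf("truncated:       %d\n", model_validate_user_msg(&data, 3));
    return 0;
}
```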

Added: Sep 16, 2025, 3:50 PM
Updated: Sep 16, 2025, 3:50 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.