Linux Kernel ATM LEC Module Null Pointer Dereference Vulnerability

A null pointer dereference vulnerability has been identified in the Linux kernel's ATM LANE (LAN Emulation) module. This issue arises in the 'lec_arp_clear_vccs()' function, where the same ATM virtual circuit (VCC) can be shared by multiple LEC ARP table entries. When a VCC is closed, the 'lec_vcc_close()' function iterates over all ARP entries and calls 'lec_arp_clear_vccs()' for each matched entry. The vulnerability occurs because 'lec_arp_clear_vccs()' frees the associated VCC private data and sets the VCC user back pointer to NULL. In the next iteration, when 'lec_arp_clear_vccs()' is called again for another ARP entry sharing the same VCC, it attempts to dereference the NULL pointer, leading to a crash. This vulnerability affects several versions of the Linux kernel.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a crash of the affected system.

Reproduction

The vulnerability can be reproduced using the Syzkaller fuzzer, which will trigger the null pointer dereference in the 'lec_arp_clear_vccs()' function by closing a VCC that is shared by multiple LEC ARP table entries.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the Linux kernel can be found in the official Linux kernel documentation.