Linux Kernel ATM VCC Pointer Validation Vulnerability in Signal Daemon Send Function

Vulnerability

The Linux kernel's ATM subsystem exchanges signaling messages with a user-space signaling daemon (atmsigd) over an AF_ATMSVC socket. Each message carries a pointer to the kernel's struct atm_vcc for the virtual circuit (VCC) the message refers to, and the signaling daemon's send function (sigd_send in net/atm/signaling.c) read that pointer straight out of the buffer the daemon passed to sendmsg() and used it without any validation. A daemon that supplies a forged or stale pointer therefore makes the kernel dereference an arbitrary address, crashing it or corrupting whatever object lives there. The fix introduces a validation function that looks the incoming pointer up in the kernel's hash table of registered VCCs and refuses to use it unless it matches a live entry.

Impact

A process acting as the signaling daemon can make the kernel dereference a VCC pointer of its choosing. Depending on the message type, the send path reads from and writes to fields of that object, so a forged or stale pointer crashes the kernel (a fault on an unmapped address) or corrupts memory at an attacker-chosen kernel address. Registering as the signaling daemon through the ATMSIGD_CTRL ioctl requires CAP_NET_ADMIN, so the bug is reachable only from a privileged process or a compromised atmsigd, not from an unprivileged user.

Reproduction

Reproduction requires CAP_NET_ADMIN (normally root). Create a socket with the AF_ATMSVC address family and SOCK_DGRAM type, then issue the ATMSIGD_CTRL ioctl on its file descriptor to register the socket as the ATM signaling daemon. Build a struct atmsvc_msg (linux/atmsvc.h) whose vcc field, an opaque kernel pointer from the daemon's point of view, holds a forged value such as 0xdeadbeef, and send it through the socket with sendmsg(). An unpatched kernel dereferences the forged pointer and crashes; a patched kernel finds no registered VCC at that address and refuses to use it.
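
The following C program is an added example, not the kernel's code and not the fix's exact implementation. It models the check the fix introduces: the pointer from a signaling message is treated as an integer and compared against a table of live VCCs, and only a match is dereferenced. It runs both the forged 0xdeadbeef pointer from the reproduction above and a dangling pointer to an already-closed VCC through the hardened path. The names (vcc_hash, sigd_valid_vcc, sigd_send_checked), the bucket count, the struct fields and the message layout are assumptions for illustration and do not claim to match the kernel's identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VCC_HTABLE_SIZE 32      /* assumed bucket count for this model */
#define MODEL_EINVAL    22      /* modeled errno value returned on rejection */

/* Minimal stand-in for the kernel's struct atm_vcc (assumed fields). */
struct atm_vcc {
    struct atm_vcc *hnext;      /* next entry in the same hash bucket */
    short vpi;
    int vci;
    int refcnt;                 /* stands in for the socket reference count */
    int reply;                  /* modeled per-message effect */
};

/* Table of live VCCs, bucketed by VCI (constructed model of the kernel's
 * vcc_hash). Only entries inserted here are valid targets for a message. */
static struct atm_vcc *vcc_hash[VCC_HTABLE_SIZE];

static unsigned vcc_bucket(int vci)
{
    return (unsigned)vci & (VCC_HTABLE_SIZE - 1);
}

/* Register a VCC as live (what happens when a circuit is set up). */
void vcc_insert(struct atm_vcc *vcc)
{
    struct atm_vcc **head = &vcc_hash[vcc_bucket(vcc->vci)];
    vcc->hnext = *head;
    *head = vcc;
}

/* Unregister a VCC (what happens on close); its address becomes stale. */
void vcc_remove(struct atm_vcc *vcc)
{
    struct atm_vcc **pp = &vcc_hash[vcc_bucket(vcc->vci)];
    for (; *pp; pp = &(*pp)->hnext) {
        if (*pp == vcc) {
            *pp = vcc->hnext;
            vcc->hnext = NULL;
            return;
        }
    }
}

/* The validation step the fix adds. The value from user space stays an
 * integer, never a pointer, until a live entry has exactly that address.
 * Every bucket is walked because the bucket key (the VCI) cannot be read
 * from the untrusted value without dereferencing it. */
struct atm_vcc *sigd_valid_vcc(uintptr_t untrusted)
{
    for (unsigned i = 0; i < VCC_HTABLE_SIZE; i++)
        for (struct atm_vcc *v = vcc_hash[i]; v; v = v->hnext)
            if ((uintptr_t)v == untrusted)
                return v;
    return NULL;
}

/* Modeled signaling message: the vcc field is whatever bytes the daemon
 * put in its sendmsg() buffer (an opaque kernel pointer in the real ABI). */
enum msg_type { MSG_OKAY, MSG_CLOSE };

struct atmsvc_msg_model {
    enum msg_type type;
    uintptr_t vcc;
};

/* Hardened send path: validate first, then hold a reference while acting. */
int sigd_send_checked(const struct atmsvc_msg_model *msg)
{
    struct atm_vcc *vcc = sigd_valid_vcc(msg->vcc);
    if (!vcc)
        return -MODEL_EINVAL;       /* forged, stale or interior pointer: refuse */
    vcc->refcnt++;                  /* pin the object while acting on it */
    vcc->reply = (msg->type == MSG_OKAY) ? 0 : -1;
    vcc->refcnt--;
    return 0;
}

/* Constructed batch: one legitimate message and three that an unpatched
 * kernel would have dereferenced blindly. Returns the number rejected
 * (3), or -1 if the reference count on the live VCC did not balance. */
int demo_rejections(void)
{
    struct atm_vcc live  = { .vpi = 0, .vci = 100 };
    struct atm_vcc stale = { .vpi = 0, .vci = 101 };
    vcc_insert(&live);
    vcc_insert(&stale);
    vcc_remove(&stale);                             /* closed before the daemon replied */

    const struct atmsvc_msg_model msgs[] = {
        { MSG_OKAY,  (uintptr_t)&live },            /* legitimate */
        { MSG_CLOSE, (uintptr_t)0xdeadbeefUL },     /* forged, as in the reproduction */
        { MSG_OKAY,  (uintptr_t)&live + 8 },        /* interior pointer into a live object */
        { MSG_CLOSE, (uintptr_t)&stale },           /* dangling reference to a closed VCC */
    };
    int rejected = 0;
    for (size_t i = 0; i < sizeof msgs / sizeof msgs[0]; i++)
        if (sigd_send_checked(&msgs[i]) != 0)
            rejected++;
    vcc_remove(&live);
    return live.refcnt == 0 ? rejected : -1;
}

int main(void)
{
    printf("rejected %d of 4 daemon messages\n", demo_rejections());
    return 0;
}
```

The point of walking the table by address rather than hashing the incoming value is that nothing about the untrusted integer is trusted, not even which bucket it belongs in. In the kernel the walk happens under the table's lock and the reference is taken before the lock is dropped, so a concurrent close cannot turn a just-validated pointer back into a dangling one.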

Remediation

Update to a kernel release that contains the fix, that is, one whose signaling send path validates the VCC pointer against the table of registered VCCs before using it. Stable and distribution kernels carry the patch as a backport; instructions for updating the kernel can be found in the official Linux kernel documentation. On systems that do not use ATM, the attack surface can be removed entirely by not loading the atm module, or by building the kernel without CONFIG_ATM.

Added: Apr 8, 2026, 2:25 PM
Updated: Apr 8, 2026, 2:25 PM

Vulnerability Rating (Custom Algorithm)

spread           9.0
impact           2.5
exploitability   4.3
remediation      7.7
relevance        5.5
threat           4.8
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.