In the Linux kernel, the following vulnerability has been resolved: net: atm: fix crash due to unvalidated vcc pointer in sigd_send() Reproducer available at [1]. The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc pointer from msg->vcc and uses it directly without any validation. This pointer comes from userspace via sendmsg() and can be arbitrarily forged: int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0); ioctl(fd, ATMSIGD_CTRL); // become ATM signaling daemon struct msghdr msg = { .msg_iov = &iov, ... }; *(unsigned long *)(buf + 4) = 0xdeadbeef; // fake vcc pointer sendmsg(fd, &msg, 0); // kernel dereferences 0xdeadbeef In normal operation, the kernel sends the vcc pointer to the signaling daemon via sigd_enq() when processing operations like connect(), bind(), or listen(). The daemon is expected to return the same pointer when responding. However, a malicious daemon can send arbitrary pointer values. Fix this by introducing find_get_vcc() which validates the pointer by searching through vcc_hash (similar to how sigd_close() iterates over all VCCs), and acquires a reference via sock_hold() if found. Since struct atm_vcc embeds struct sock as its first member, they share the same lifetime. Therefore using sock_hold/sock_put is sufficient to keep the vcc alive while it is being used. Note that there may be a race with sigd_close() which could mark the vcc with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns. However, sock_hold() guarantees the memory remains valid, so this race only affects the logical state, not memory safety. [1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-476
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc4c0e40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc130e40> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc369240> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcc126ec0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc4c1140> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc345400> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc36a2c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc345700> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bfc36a7c0> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bfc4c3d40> | Operating System |
| linux | linux_kernel | 2.6.12 | <built-in method update of dict object at 0x702bdc59e580> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc36a540> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc130d40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc36a040> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc372840> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc368200> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc1333c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bfc4c3c00> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:2.6.12:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |