linux/net/atm
Jiayuan Chen ae88a5d2f2 net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
Reproducer available at [1].

The ATM send path (sendmsg -> vcc_sendmsg -> sigd_send) reads the vcc
pointer from msg->vcc and uses it directly without any validation. This
pointer comes from userspace via sendmsg() and can be arbitrarily forged:

    int fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
    ioctl(fd, ATMSIGD_CTRL);  // become ATM signaling daemon
    struct msghdr msg = { .msg_iov = &iov, ... };
    *(unsigned long *)(buf + 4) = 0xdeadbeef;  // fake vcc pointer
    sendmsg(fd, &msg, 0);  // kernel dereferences 0xdeadbeef

In normal operation, the kernel sends the vcc pointer to the signaling
daemon via sigd_enq() when processing operations like connect(), bind(),
or listen(). The daemon is expected to return the same pointer when
responding. However, a malicious daemon can send arbitrary pointer values.

Fix this by introducing find_get_vcc() which validates the pointer by
searching through vcc_hash (similar to how sigd_close() iterates over
all VCCs), and acquires a reference via sock_hold() if found.

Since struct atm_vcc embeds struct sock as its first member, they share
the same lifetime. Therefore using sock_hold/sock_put is sufficient to
keep the vcc alive while it is being used.

Note that there may be a race with sigd_close() which could mark the vcc
with various flags (e.g., ATM_VF_RELEASED) after find_get_vcc() returns.
However, sock_hold() guarantees the memory remains valid, so this race
only affects the logical state, not memory safety.

[1]: https://gist.github.com/mrpre/1ba5949c45529c511152e2f4c755b0f3
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzbot+1f22cb1769f249df9fa0@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69039850.a70a0220.5b2ed.005d.GAE@google.com/T/
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260205095501.131890-1-jiayuan.chen@linux.dev
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
2026-02-10 11:24:47 +01:00
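As an added example, not kernel code and not part of this patch, the following userspace C model shows the validation pattern the commit describes: a pointer a peer hands back is never dereferenced as received; it is matched by identity against the objects registered in a hash table, and a reference is taken only on a hit. Every name here (model_vcc, model_find_get_vcc, VCC_HASH, model_sigd_send) is a hypothetical stand-in; the kernel's locking and the sigd_close() race mentioned above are not modelled.

```c
#include <stdint.h>
#include <stdlib.h>
#define VCC_HTABLE_SIZE 8   /* constructed size; the kernel's table is larger */
#define VCC_HASH(p) ((unsigned int)(((uintptr_t)(p) >> 4) % VCC_HTABLE_SIZE))

struct model_vcc {
    struct model_vcc *next;   /* hash-chain link */
    int refcnt;               /* stands in for sock_hold()/sock_put() */
    int vci;                  /* sample identifying field */
};
static struct model_vcc *vcc_hash[VCC_HTABLE_SIZE];

/* Register a live object, as the kernel does when a socket becomes a VCC. */
struct model_vcc *model_vcc_create(int vci)
{
    struct model_vcc *v = calloc(1, sizeof(*v));
    if (!v) return NULL;
    v->vci = vci; v->refcnt = 1;
    v->next = vcc_hash[VCC_HASH(v)];
    vcc_hash[VCC_HASH(v)] = v;
    return v;
}

/* Unlink an object: any pointer to it that a peer still holds is now stale. */
void model_vcc_unregister(struct model_vcc *v)
{
    for (struct model_vcc **pp = &vcc_hash[VCC_HASH(v)]; *pp; pp = &(*pp)->next)
        if (*pp == v) { *pp = v->next; return; }
}

/* Hardened lookup: walk every chain and accept the pointer only if an
 * object with exactly that address is registered, taking a reference. */
struct model_vcc *model_find_get_vcc(const void *untrusted)
{
    for (unsigned int i = 0; i < VCC_HTABLE_SIZE; i++)
        for (struct model_vcc *v = vcc_hash[i]; v; v = v->next)
            if ((const void *)v == untrusted) { v->refcnt++; return v; }
    return NULL;   /* forged, stale or never-registered pointer */
}
void model_put_vcc(struct model_vcc *v) { v->refcnt--; }

/* Consumer modelled on sigd_send(): validate, use, then drop the reference. */
int model_sigd_send(const void *msg_vcc)
{
    struct model_vcc *v = model_find_get_vcc(msg_vcc);
    if (!v) return -1;                 /* reject rather than dereference */
    int vci = v->vci;
    model_put_vcc(v); return vci;
}
```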
addr.c
addr.h
atm_misc.c
atm_sysfs.c net: atm: Remove redundant check. 2023-10-23 08:45:25 +01:00
br2684.c net: atm: use address setting helpers 2021-10-24 13:59:45 +01:00
clip.c neighbour: Convert rwlock of struct neigh_table to spinlock. 2025-10-24 17:57:20 -07:00
common.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-11-27 12:19:08 -08:00
common.h net: pass a sockptr_t into ->setsockopt 2020-07-24 15:41:54 -07:00
ioctl.c atm: clean up a put_user() calls 2024-06-14 19:08:50 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
lec_arpc.h net: atm: lec_arpc.h: delete duplicated word 2020-07-19 18:14:21 -07:00
lec.c net: atm: fix /proc/net/atm/lec handling 2025-06-19 08:36:31 -07:00
lec.h
Makefile
mpc.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
mpc.h
mpoa_caches.c mm, treewide: rename kzfree() to kfree_sensitive() 2020-08-07 11:33:22 -07:00
mpoa_caches.h
mpoa_proc.c net/atm: fix proc_mpc_write incorrect return value 2022-10-15 11:08:36 +01:00
pppoatm.c net: atm: pppoatm: use new API for wakeup tasklet 2021-01-29 18:24:05 -08:00
proc.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
protocols.h
pvc.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
raw.c atm: Revert atm_account_tx() if copy_from_iter_full() fails. 2025-06-17 18:42:44 -07:00
resources.c net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-04 09:53:44 +02:00
resources.h atm: lift copyin from atm_dev_ioctl() 2020-05-20 20:31:35 -04:00
signaling.c net: atm: fix crash due to unvalidated vcc pointer in sigd_send() 2026-02-10 11:24:47 +01:00
signaling.h
svc.c net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00