Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]atm: clip: Fix infinite recursive call of clip_push().[EOL][EOL]syzbot reported the splat below. [0][EOL][EOL]This happens if we call ioctl(ATMARP_MKIP) more than once.[EOL][EOL]During the first call, clip_mkip() sets clip_push() to vcc->push(),[EOL]and the second call copies it to clip_vcc->old_push().[EOL][EOL]Later, when the socket is close()d, vcc_destroy_socket() passes[EOL]NULL skb to clip_push(), which calls clip_vcc->old_push(),[EOL]triggering the infinite recursion.[EOL][EOL]Let's prevent the second ioctl(ATMARP_MKIP) by checking[EOL]vcc->user_back, which is allocated by the first call as clip_vcc.[EOL][EOL]Note also that we use lock_sock() to prevent racy calls.[EOL][EOL][0]:[EOL]BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000)[EOL]Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI[EOL]CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full)[EOL]Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014[EOL]RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191[EOL]Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00[EOL]RSP: 0018:ffffc9000d670000 EFLAGS: 00010246[EOL]RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000[EOL]RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000[EOL]RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e[EOL]R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300[EOL]R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578[EOL]FS:  000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000[EOL]CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0[EOL]Call Trace:[EOL] <TASK>[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL]...[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL] clip_push+0x6dc/0x720 net/atm/clip.c:200[EOL] vcc_destroy_socket net/atm/common.c:183 [inline][EOL] vcc_release+0x157/0x460 net/atm/common.c:205[EOL] __sock_release net/socket.c:647 [inline][EOL] sock_close+0xc0/0x240 net/socket.c:1391[EOL] __fput+0x449/0xa70 fs/file_table.c:465[EOL] task_work_run+0x1d1/0x260 kernel/task_work.c:227[EOL] resume_user_mode_work include/linux/resume_user_mode.h:50 [inline][EOL] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114[EOL] exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline][EOL] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline][EOL] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline][EOL] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100[EOL] entry_SYSCALL_64_after_hwframe+0x77/0x7f[EOL]RIP: 0033:0x7ff31c98e929[EOL]Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48[EOL]RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4[EOL]RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929[EOL]RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003[EOL]RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f[EOL]R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c[EOL]R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090[EOL] </TASK>[EOL]Modules linked in:

CREATE(Triage):(User=admin) [CVE-2025-38459 (https://nvd.nist.gov/vuln/detail/CVE-2025-38459)