2.1 KiB
CVE-2025-21854
Description
In the Linux kernel, the following vulnerability has been resolved:sockmap, vsock: For connectible sockets allow only connectedsockmap expects all vsocks to have a transport assigned, which is expressedin vsock_proto::psock_update_sk_prot(). However, there is an edge casewhere an unconnected (connectible) socket may lose its previously assignedtransport. This is handled with a NULL check in the vsock/BPF recv path.Another design detail is that listening vsocks are not supposed to have anytransport assigned at all. Which implies they are not supported by thesockmap. But this is complicated by the fact that a socket, beforeswitching to TCP_LISTEN, may have had some transport assigned during afailed connect() attempt. Hence, we may end up with a listening vsock in asockmap, which blows up quickly:KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+Workqueue: vsock-loopback vsock_loopback_workRIP: 0010:vsock_read_skb+0x4b/0x90Call Trace: sk_psock_verdict_data_ready+0xa4/0x2e0 virtio_transport_recv_pkt+0x1ca8/0x2acc vsock_loopback_work+0x27d/0x3f0 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x35a/0x700 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30For connectible sockets, instead of relying solely on the state ofvsk->transport, tell sockmap to only allow those representing establishedconnections. This aligns with the behaviour for AF_INET and AF_UNIX.
POC
Reference
No PoCs from references.