[SRU][J/N/P][PATCH 0/1] CVE-2025-38618

Ian Whitfield ian.whitfield at canonical.com
Mon Aug 25 22:16:58 UTC 2025


[Impact]

vsock: Do not allow binding to VMADDR_PORT_ANY

It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
the binding until socket destruction).

Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.

[Backport]

Patch cherry-picked cleanly.

[Fix]

Plucky:   cherry pick
Noble:    cherry pick
Jammy:    cherry pick
Focal:    sent to esm ML
Bionic:   sent to esm ML
Xenial:   sent to esm ML
Trusty:   Ignored, non-critical CVE

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use the VMware vSockets (virtual sockets) driver. An
issue with this fix would be visible to the user as unexpected behavior around
binding virtual sockets to ports.

Budimir Markovic (1):
  vsock: Do not allow binding to VMADDR_PORT_ANY

 net/vmw_vsock/af_vsock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.43.0
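
A simplified userspace model of the port-selection check described under [Impact], added here as an example; it is not the kernel code or the patch in this series. The loop shape, the `LAST_RESERVED_PORT` and `MAX_PORT_RETRIES` values and the `port_in_use` helper are assumptions made for the model. It shows how a wrapping autobind counter can hand out the wildcard value when only reserved ports are skipped, and how extending the check avoids it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VMADDR_PORT_ANY    0xFFFFFFFFu /* wildcard port, -1U in the vsock UAPI */
#define LAST_RESERVED_PORT 1023u       /* assumed value for this model */
#define MAX_PORT_RETRIES   24          /* assumed value for this model */

/* Hypothetical stand-in for the kernel's bound-socket lookup. */
static bool port_in_use(uint32_t port, const uint32_t *busy, int n)
{
    for (int i = 0; i < n; i++)
        if (busy[i] == port)
            return true;
    return false;
}

/* Model of autobind: *next is the counter that persists between binds.
 * fixed=false skips only reserved ports; fixed=true also skips the wildcard. */
static int autobind_port(uint32_t *next, bool fixed,
                         const uint32_t *busy, int n, uint32_t *out)
{
    for (int i = 0; i < MAX_PORT_RETRIES; i++) {
        if ((fixed && *next == VMADDR_PORT_ANY) || *next <= LAST_RESERVED_PORT)
            *next = LAST_RESERVED_PORT + 1;
        uint32_t candidate = (*next)++; /* unsigned wrap: 0xFFFFFFFF -> 0 */
        if (!port_in_use(candidate, busy, n)) {
            *out = candidate;
            return 0;
        }
    }
    return -1; /* no free port within the retry budget */
}

/* Constructed scenario: counter sits just below the wildcard and that
 * port is already bound, so the allocator must step to the next value. */
static uint32_t pick_near_wrap(bool fixed)
{
    const uint32_t busy[] = { VMADDR_PORT_ANY - 1 };
    uint32_t next = VMADDR_PORT_ANY - 1, port = 0;
    return autobind_port(&next, fixed, busy, 1, &port) == 0 ? port : 0;
}

int main(void)
{
    printf("old check: %#x\n", (unsigned)pick_near_wrap(false));
    printf("new check: %#x\n", (unsigned)pick_near_wrap(true));
    return 0;
}
```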



