ACK: [SRU][J/N/O][PATCH 0/2] CVE-2025-21756
Stewart Hore
stewart.hore at canonical.com
Fri Mar 7 03:58:32 UTC 2025
On Wed, Mar 05, 2025 at 02:03:29PM -0800, Tim Whisonant wrote:
> [Impact]
>
> vsock: Keep the binding until socket destruction
>
> Preserve socket bindings; this includes both resulting from an explicit
> bind() and those implicitly bound through autobind during connect().
>
> Prevents socket unbinding during a transport reassignment, which fixes a
> use-after-free:
>
> 1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
> 2. transport->release() calls vsock_remove_bound() without checking if
> sk was bound and moved to bound list (refcnt=1)
> 3. vsock_bind() assumes sk is in unbound list and before
> __vsock_insert_bound(vsock_bound_sockets()) calls
> __vsock_remove_bound() which does:
>      list_del_init(&vsk->bound_table); // nop
>      sock_put(&vsk->sk); // refcnt=0
>
> vsock: Orphan socket after transport release
>
> During socket release, sock_orphan() is called without considering that it
> sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
> null pointer dereference in virtio_transport_wait_close().
>
> Orphan the socket only after transport release.
>
> Partially reverts the 'Fixes:' commit.
>
> [Backport]
>
> Backported from upstream.
>
> [Fix]
>
> Oracular: cherry picked from upstream
> Noble: applied Jammy patch
> Jammy: backported from upstream
> Focal: not affected
> Bionic: not affected
> Xenial: not affected
> Trusty: not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The change affects the ordering of vsock orphan versus release
> to correct a NULL pointer dereference. Problems could appear in
> the socket release path.
>
> Michal Luczaj (2):
> vsock: Keep the binding until socket destruction
> vsock: Orphan socket after transport release
>
> net/vmw_vsock/af_vsock.c | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> --
> 2.43.0
Acked-by: Stewart Hore <stewart.hore at canonical.com>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
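The refcount sequence in the quoted [Impact] section (unbound-list insert, unconditional unbind on transport release, then bind() dropping the last reference) is easier to follow as a small model. The program below is an added illustration written for this page; it is not kernel code, not part of the patches, and the struct, function names and "keep_binding" switch are constructed for the model. A single list node moves between an unbound and a bound list, each list membership holds one reference, and the model records whether the refcount hits zero while the socket is still being operated on.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (constructed for this note) of the refcount and list accounting
 * described in the cover letter. One list node stands in for bound_table;
 * being on the unbound or the bound list holds one reference. */
struct sk_model {
    int refcnt;
    bool on_unbound;
    bool on_bound;
    bool freed;           /* refcnt reached zero */
    bool use_after_free;  /* an operation touched the object after it was freed */
};

static void sk_hold(struct sk_model *sk)
{
    if (sk->freed)
        sk->use_after_free = true;
    sk->refcnt++;
}

static void sk_put(struct sk_model *sk)
{
    if (sk->freed)
        sk->use_after_free = true;
    if (--sk->refcnt == 0)
        sk->freed = true;
}

/* Models __vsock_remove_bound(): list_del_init() on the node (a nop when the
 * socket is on no list) followed by an unconditional sock_put(). */
static void remove_bound(struct sk_model *sk)
{
    sk->on_unbound = false;
    sk->on_bound = false;
    sk_put(sk);
}

/* Models __vsock_insert_bound(): list add plus sock_hold(). */
static void insert_bound(struct sk_model *sk)
{
    sk->on_bound = true;
    sk_hold(sk);
}

/* Models vsock_create() (refcnt=1) followed by vsock_insert_unbound() (refcnt=2). */
static void create(struct sk_model *sk)
{
    *sk = (struct sk_model){ .refcnt = 1 };
    sk->on_unbound = true;
    sk_hold(sk);
}

/* transport->release(): the buggy path unbinds without checking whether the
 * socket was ever moved to the bound list; the fixed behaviour described in
 * the cover letter keeps the binding until socket destruction. */
static void transport_release(struct sk_model *sk, bool keep_binding)
{
    if (!keep_binding)
        remove_bound(sk);
}

/* vsock_bind(): assumes the socket is still on the unbound list and moves it
 * to the bound list (remove + insert). */
static void bind_socket(struct sk_model *sk)
{
    remove_bound(sk);
    insert_bound(sk);
}

/* Socket destruction: drop the list reference, then the creator's reference. */
static void destroy(struct sk_model *sk)
{
    if (sk->on_bound || sk->on_unbound)
        remove_bound(sk);
    sk_put(sk);
}

/* Runs create -> transport release -> bind -> destroy and reports whether the
 * refcount hit zero while the socket was still in use. */
bool scenario_has_uaf(bool keep_binding)
{
    struct sk_model sk;
    create(&sk);                           /* refcnt=2 */
    transport_release(&sk, keep_binding);  /* buggy path: refcnt=1 */
    bind_socket(&sk);                      /* buggy path: put -> 0, then hold on freed memory */
    if (!sk.use_after_free)
        destroy(&sk);                      /* fixed path: 2 -> 1 -> 0, freed once */
    return sk.use_after_free;
}

int main(void)
{
    printf("unbind on release: %s\n", scenario_has_uaf(false) ? "use-after-free" : "ok");
    printf("keep binding:      %s\n", scenario_has_uaf(true) ? "use-after-free" : "ok");
    return 0;
}
```

The model makes the accounting error visible without any transport code: with the unconditional unbind in release, bind()'s remove step performs the final sock_put() and the following sock_hold() runs on freed memory, which is the refcnt=0 line in the quoted step 3. With the binding kept until destruction, the counts pair up and the only drop to zero happens in destroy().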