APPLIED: [SRU][J/N/O][PATCH 0/2] CVE-2025-21756

Stefan Bader stefan.bader at canonical.com
Thu Mar 13 14:08:40 UTC 2025


On 05.03.25 23:03, Tim Whisonant wrote:
> [Impact]
> 
> vsock: Keep the binding until socket destruction
> 
> Preserve socket bindings; this includes both those resulting from an explicit
> bind() and those implicitly bound through autobind during connect().
> 
> Prevents socket unbinding during a transport reassignment, which fixes a
> use-after-free:
> 
>      1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
>      2. transport->release() calls vsock_remove_bound() without checking if
>         sk was bound and moved to bound list (refcnt=1)
>      3. vsock_bind() assumes sk is in unbound list and before
>         __vsock_insert_bound(vsock_bound_sockets()) calls
>         __vsock_remove_bound() which does:
>             list_del_init(&vsk->bound_table); // nop
>             sock_put(&vsk->sk);               // refcnt=0
> 
> vsock: Orphan socket after transport release
> 
> During socket release, sock_orphan() is called without considering that it
> sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a
> null pointer dereference in virtio_transport_wait_close().
> 
> Orphan the socket only after transport release.
> 
> Partially reverts the 'Fixes:' commit.
> 
> [Backport]
> 
> Backported from upstream.
> 
> [Fix]
> 
> Oracular: cherry picked from upstream
> Noble:    applied Jammy patch
> Jammy:    backported from upstream
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The change affects the ordering of vsock orphan versus release
> to correct a NULL pointer dereference. Problems could appear in
> the socket release path.
> 
> Michal Luczaj (2):
>    vsock: Keep the binding until socket destruction
>    vsock: Orphan socket after transport release
> 
>   net/vmw_vsock/af_vsock.c | 12 +++++++++++-
>   1 file changed, 11 insertions(+), 1 deletion(-)
> 
Applied to oracular,noble,jammy:linux/master-next. Thanks.

-Stefan
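As an added illustration of the refcount sequence in steps 1-3 of the quoted cover letter (model code written for this page, not the kernel's or the patch's code): it assumes, as step 3 implies, that the unbound and bound tables share the socket's single list entry, so a socket still sitting on the unbound table is what the checked remover unlinks, and it models the fix only as "transport release no longer unbinds".

```c
/* Userspace model of the vsock refcount/binding sequence (added illustration,
 * not kernel code).  Assumption: the unbound and bound tables share one list
 * entry, so "linked on a table" is a single flag here. */
#include <stdbool.h>
#include <stdio.h>

struct sk_model {
    int refcnt;     /* models the sk refcount */
    bool on_table;  /* models !list_empty(&vsk->bound_table) */
    int min_refcnt; /* lowest refcount seen while the socket is still in use */
};

static void note(struct sk_model *sk) {
    if (sk->refcnt < sk->min_refcnt)
        sk->min_refcnt = sk->refcnt;
}

/* __vsock_insert_bound(): link onto a table and take a reference. */
static void insert(struct sk_model *sk) { sk->on_table = true; sk->refcnt++; note(sk); }

/* __vsock_remove_bound(): list_del_init() is a nop on an already unlinked
 * entry, but sock_put() drops a reference regardless (step 3 above). */
static void remove_unchecked(struct sk_model *sk) {
    sk->on_table = false; /* list_del_init(): nop if already unlinked */
    sk->refcnt--;         /* sock_put() */
    note(sk);
}

/* vsock_remove_bound(): the checked wrapper, only acts while linked. */
static void remove_checked(struct sk_model *sk) {
    if (sk->on_table)
        remove_unchecked(sk);
}

/* Returns the lowest refcount reached across create -> transport release ->
 * bind.  0 means the socket was freed while still referenced (the UAF). */
int run_sequence(bool keep_binding_on_release) {
    struct sk_model sk = { .refcnt = 1, .on_table = false, .min_refcnt = 1 };
    insert(&sk);               /* 1. vsock_create() -> vsock_insert_unbound(): refcnt=2 */
    if (!keep_binding_on_release)
        remove_checked(&sk);   /* 2. transport->release() unbinds: refcnt=1 */
    remove_unchecked(&sk);     /* 3. vsock_bind() assumes sk is still on the unbound table */
    insert(&sk);               /*    ...then links it onto the bound table */
    return sk.min_refcnt;
}

int main(void) {
    printf("unbind on release: min refcnt %d\n", run_sequence(false)); /* 0 */
    printf("keep binding:      min refcnt %d\n", run_sequence(true));  /* 1 */
    return 0;
}
```

The first run reproduces the refcount reaching 0 before the socket is reinserted, which is the window the cover letter describes; the second run, with the binding kept across release, never drops below 1.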
