ACK: [SRU][J/N/P][PATCH 0/1] CVE-2025-38618

Bethany Jamison bethany.jamison at canonical.com
Thu Sep 4 19:48:12 UTC 2025


On 8/25/25 5:16 PM, Ian Whitfield wrote:
> [Impact]
>
> vsock: Do not allow binding to VMADDR_PORT_ANY
>
> It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
> cause a use-after-free when a connection is made to the bound socket.
> The socket returned by accept() also has port VMADDR_PORT_ANY but is not
> on the list of unbound sockets. Binding it will result in an extra
> refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
> the binding until socket destruction).
>
> Modify the check in __vsock_bind_connectible() to also prevent binding
> to VMADDR_PORT_ANY.
>
> [Backport]
>
> Patch cherry-picked cleanly.
>
> [Fix]
>
> Plucky:   cherry pick
> Noble:    cherry pick
> Jammy:    cherry pick
> Focal:    sent to esm ML
> Bionic:   sent to esm ML
> Xenial:   sent to esm ML
> Trusty:   Ignored, non-critical CVE
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the VMware vSockets (virtual sockets) driver. An
> issue with this fix would be visible to the user as unexpected behavior around
> binding virtual sockets to ports.
>
> Budimir Markovic (1):
>    vsock: Do not allow binding to VMADDR_PORT_ANY
>
>   net/vmw_vsock/af_vsock.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
Acked-by: Bethany Jamison <bethany.jamison at canonical.com>
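
The kind of check the cover letter describes, as a user-space model added here; it is not the kernel patch (which this message does not include) and not the author's or Canonical's code. Only `VMADDR_PORT_ANY` comes from the thread; `autobind_port`, `port_in_use`, `pick_near_wrap`, `LAST_RESERVED_PORT` and `MAX_TRIES` are assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same value as VMADDR_PORT_ANY (-1U) in <linux/vm_sockets.h>, local copy. */
#define VMADDR_PORT_ANY    0xFFFFFFFFu
#define LAST_RESERVED_PORT 1023u /* assumption: not handed out by autobind */
#define MAX_TRIES          8     /* assumption: retry limit of this model */

/* Hypothetical stand-in for the lookup of already-bound sockets. */
static bool port_in_use(uint32_t port, const uint32_t *used, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (used[i] == port)
            return true;
    return false;
}

/* Model of autobind: walk up from *next, skip reserved ports, take the first
 * free one. reject_any also skips the wildcard, as the cover letter describes. */
static bool autobind_port(uint32_t *next, bool reject_any,
                          const uint32_t *used, size_t n, uint32_t *out)
{
    for (int i = 0; i < MAX_TRIES; i++) {
        if ((reject_any && *next == VMADDR_PORT_ANY) ||
            *next <= LAST_RESERVED_PORT)
            *next = LAST_RESERVED_PORT + 1;
        uint32_t candidate = (*next)++; /* unsigned wrap is well defined */
        if (!port_in_use(candidate, used, n)) {
            *out = candidate;
            return true;
        }
    }
    return false;
}

/* Constructed case: counter just below the wildcard, that port already bound. */
static uint32_t pick_near_wrap(bool reject_any)
{
    const uint32_t used[] = { VMADDR_PORT_ANY - 1 };
    uint32_t next = VMADDR_PORT_ANY - 1, port = 0;
    return autobind_port(&next, reject_any, used, 1, &port) ? port : 0;
}

int main(void)
{
    printf("without check: %#x, with check: %u\n",
           (unsigned)pick_near_wrap(false), (unsigned)pick_near_wrap(true));
    return 0;
}
```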


