APPLIED: [SRU][J/N/P][PATCH 0/1] CVE-2025-38618

[Stefan Bader]

On 26/08/2025 00:16, Ian Whitfield wrote:
> [Impact]
> 
> vsock: Do not allow binding to VMADDR_PORT_ANY
> 
> It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
> cause a use-after-free when a connection is made to the bound socket.
> The socket returned by accept() also has port VMADDR_PORT_ANY but is not
> on the list of unbound sockets. Binding it will result in an extra
> refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
> the binding until socket destruction).
> 
> Modify the check in __vsock_bind_connectible() to also prevent binding
> to VMADDR_PORT_ANY.
> 
> [Backport]
> 
> Patch cherry-picked cleanly.
> 
> [Fix]
> 
> Plucky:   cherry pick
> Noble:    cherry pick
> Jammy:    cherry pick
> Focal:    sent to esm ML
> Bionic:   sent to esm ML
> Xenial:   sent to esm ML
> Trusty:   Ignored, non-critical CVE
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the VMware vSockets (virtual sockets) driver. An
> issue with this fix would be visible to the user as unexpected behavior around
> binding virtual sockets to ports.
> 
> Budimir Markovic (1):
>    vsock: Do not allow binding to VMADDR_PORT_ANY
> 
>   net/vmw_vsock/af_vsock.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 


Applied to plucky,noble,jammy:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250911/e5682a9e/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250911/e5682a9e/attachment-0001.sig>