| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025013159-CVE-2025-21670-5d52@gregkh>
Date: Fri, 31 Jan 2025 12:31:02 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2025-21670: vsock/bpf: return early if transport is not assigned
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
vsock/bpf: return early if transport is not assigned
Some of the core functions can only be called if the transport
has been assigned.
As Michal reported, a socket might have the transport at NULL,
for example after a failed connect(), causing the following trace:
BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
vsock_bpf_recvmsg+0xca/0x5e0
sock_recvmsg+0xb9/0xc0
__sys_recvfrom+0xb3/0x130
__x64_sys_recvfrom+0x20/0x30
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
especially for connected sockets (stream/seqpacket) as we already
do in __vsock_connectible_recvmsg().
The Linux kernel CVE team has assigned CVE-2025-21670 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.6.74 with commit 58e586c30d0b6f5dc0174a41026f2b0a48c9aab6
Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.12.11 with commit 6771e1279dadf1d92a72e1465134257d9e6f2459
Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.13 with commit f6abafcd32f9cfc4b1a2f820ecea70773e26d423
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-21670
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/vmw_vsock/vsock_bpf.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/58e586c30d0b6f5dc0174a41026f2b0a48c9aab6
https://git.kernel.org/stable/c/6771e1279dadf1d92a72e1465134257d9e6f2459
https://git.kernel.org/stable/c/f6abafcd32f9cfc4b1a2f820ecea70773e26d423
Powered by blists - more mailing lists