lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025031214-CVE-2025-21854-98fb@gregkh> Date: Wed, 12 Mar 2025 10:42:20 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2025-21854: sockmap, vsock: For connectible sockets allow only connected Description =========== In the Linux kernel, the following vulnerability has been resolved: sockmap, vsock: For connectible sockets allow only connected sockmap expects all vsocks to have a transport assigned, which is expressed in vsock_proto::psock_update_sk_prot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path. Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly: KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsock_loopback_work RIP: 0010:vsock_read_skb+0x4b/0x90 Call Trace: sk_psock_verdict_data_ready+0xa4/0x2e0 virtio_transport_recv_pkt+0x1ca8/0x2acc vsock_loopback_work+0x27d/0x3f0 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x35a/0x700 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AF_INET and AF_UNIX. The Linux kernel CVE team has assigned CVE-2025-21854 to this issue. Affected and fixed versions =========================== Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.6.80 with commit cc9a7832ede53ade1ba9991f0e27314caa4029d8 Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.12.17 with commit 22b683217ad2112791a708693cb236507abd637a Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.13.5 with commit f7b473e35986835cc2813fef7b9d40336a09247e Issue introduced in 6.4 with commit 634f1a7110b439c65fd8a809171c1d2d28bcea6f and fixed in 6.14-rc4 with commit 8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2025-21854 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/core/sock_map.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/cc9a7832ede53ade1ba9991f0e27314caa4029d8 https://git.kernel.org/stable/c/22b683217ad2112791a708693cb236507abd637a https://git.kernel.org/stable/c/f7b473e35986835cc2813fef7b9d40336a09247e https://git.kernel.org/stable/c/8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f
Powered by blists - more mailing lists