Message-ID: <2025072507-CVE-2025-38462-3e15@gregkh>
Date: Fri, 25 Jul 2025 17:28:24 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-38462: vsock: Fix transport_{g2h,h2g} TOCTOU

From: Greg Kroah-Hartman <gregkh@...nel.org>

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

vsock: Fix transport_{g2h,h2g} TOCTOU

vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload.
transport_{g2h,h2g} may become NULL after the NULL check.

Introduce vsock_transport_local_cid() to protect from a potential
null-ptr-deref.

KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
RIP: 0010:vsock_find_cid+0x47/0x90
Call Trace:
 __vsock_bind+0x4b2/0x720
 vsock_bind+0x90/0xe0
 __sys_bind+0x14d/0x1e0
 __x64_sys_bind+0x6e/0xc0
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f]
RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0
Call Trace:
 __x64_sys_ioctl+0x12d/0x190
 do_syscall_64+0x92/0x1c0
 entry_SYSCALL_64_after_hwframe+0x4b/0x53

The Linux kernel CVE team has assigned CVE-2025-38462 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 5.10.240 with commit c5496ee685c48ed1cc183cd4263602579bb4a615
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 5.15.189 with commit 80d7dc15805a93d520a249ac6d13d4f4df161c1b
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.1.146 with commit 5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.6.99 with commit 401239811fa728fcdd53e360a91f157ffd23e1f4
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.12.39 with commit 3734d78210cceb2ee5615719a62a5c55ed381ff8
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.15.7 with commit 6a1bcab67bea797d83aa9dd948a0ac6ed52d121d
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.16-rc6 with commit 209fd720838aaf1420416494c5505096478156b4

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-38462
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/vmw_vsock/af_vsock.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c5496ee685c48ed1cc183cd4263602579bb4a615
	https://git.kernel.org/stable/c/80d7dc15805a93d520a249ac6d13d4f4df161c1b
	https://git.kernel.org/stable/c/5752d8dbb3dfd7f1a9faf0f65377e60826ea9a17
	https://git.kernel.org/stable/c/401239811fa728fcdd53e360a91f157ffd23e1f4
	https://git.kernel.org/stable/c/3734d78210cceb2ee5615719a62a5c55ed381ff8
	https://git.kernel.org/stable/c/6a1bcab67bea797d83aa9dd948a0ac6ed52d121d
	https://git.kernel.org/stable/c/209fd720838aaf1420416494c5505096478156b4

Powered by blists - more mailing lists