lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5xay32omz7hmdys53oub34dsp6654bw6flelc77e3kk6ltpeeg@n2x3qf5psf52>
Date: Thu, 7 Aug 2025 10:02:50 +0200
From: Stefano Garzarella <sgarzare@...hat.com>
To: Budimir Markovic <markovicbudimir@...il.com>
Cc: netdev@...r.kernel.org
Subject: Re: [PATCH net] vsock: Do not allow binding to VMADDR_PORT_ANY

On Thu, Aug 07, 2025 at 04:18:11AM +0000, Budimir Markovic wrote:
>It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
>cause a use-after-free when a connection is made to the bound socket.
>The socket returned by accept() also has port VMADDR_PORT_ANY but is not
>on the list of unbound sockets. Binding it will result in an extra
>refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep
>the binding until socket destruction).
>
>Modify the check in __vsock_bind_connectible() to also prevent binding
>to VMADDR_PORT_ANY.
>
>Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
>Reported-by: Budimir Markovic <markovicbudimir@...il.com>
>Signed-off-by: Budimir Markovic <markovicbudimir@...il.com>
>---
> net/vmw_vsock/af_vsock.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)

Thanks for the fix!

Reviewed-by: Stefano Garzarella <sgarzare@...hat.com>

Please next time use `./scripts/get_maintainer.pl` to cc all the
maintainers and mailing lists.

If this patch will not be merged, resend it (with my R-b) to all the
maintainers/list. I'll be offline for the next 2 weeks, so remember to
carry my R-b.

Thanks,
Stefano

>
>diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
>index ead6a3c14..bebb355f3 100644
>--- a/net/vmw_vsock/af_vsock.c
>+++ b/net/vmw_vsock/af_vsock.c
>@@ -689,7 +689,8 @@ static int __vsock_bind_connectible(struct vsock_sock *vsk,
> 		unsigned int i;
>
> 		for (i = 0; i < MAX_PORT_RETRIES; i++) {
>-			if (port <= LAST_RESERVED_PORT)
>+			if (port == VMADDR_PORT_ANY ||
>+			    port <= LAST_RESERVED_PORT)
> 				port = LAST_RESERVED_PORT + 1;
>
> 			new_addr.svm_port = port++;
>-- 
>2.49.1
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ