cve/published/2025/CVE-2025-21756.mbox

From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2025-21756: vsock: Keep the binding until socket destruction

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

vsock: Keep the binding until socket destruction

Preserve sockets bindings; this includes both resulting from an explicit
bind() and those implicitly bound through autobind during connect().

Prevents socket unbinding during a transport reassignment, which fixes a
use-after-free:

    1. vsock_create() (refcnt=1) calls vsock_insert_unbound() (refcnt=2)
    2. transport->release() calls vsock_remove_bound() without checking if
       sk was bound and moved to bound list (refcnt=1)
    3. vsock_bind() assumes sk is in unbound list and before
       __vsock_insert_bound(vsock_bound_sockets()) calls
       __vsock_remove_bound() which does:
           list_del_init(&vsk->bound_table); // nop
           sock_put(&vsk->sk);               // refcnt=0

BUG: KASAN: slab-use-after-free in __vsock_bind+0x62e/0x730
Read of size 4 at addr ffff88816b46a74c by task a.out/2057
 dump_stack_lvl+0x68/0x90
 print_report+0x174/0x4f6
 kasan_report+0xb9/0x190
 __vsock_bind+0x62e/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Allocated by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 __kasan_slab_alloc+0x85/0x90
 kmem_cache_alloc_noprof+0x131/0x450
 sk_prot_alloc+0x5b/0x220
 sk_alloc+0x2c/0x870
 __vsock_create.constprop.0+0x2e/0xb60
 vsock_create+0xe4/0x420
 __sock_create+0x241/0x650
 __sys_socket+0xf2/0x1a0
 __x64_sys_socket+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Freed by task 2057:
 kasan_save_stack+0x1e/0x40
 kasan_save_track+0x10/0x30
 kasan_save_free_info+0x37/0x60
 __kasan_slab_free+0x4b/0x70
 kmem_cache_free+0x1a1/0x590
 __sk_destruct+0x388/0x5a0
 __vsock_bind+0x5e1/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:25 refcount_warn_saturate+0xce/0x150
RIP: 0010:refcount_warn_saturate+0xce/0x150
 __vsock_bind+0x66d/0x730
 vsock_bind+0x97/0xe0
 __sys_bind+0x154/0x1f0
 __x64_sys_bind+0x6e/0xb0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

refcount_t: underflow; use-after-free.
WARNING: CPU: 7 PID: 2057 at lib/refcount.c:28 refcount_warn_saturate+0xee/0x150
RIP: 0010:refcount_warn_saturate+0xee/0x150
 vsock_remove_bound+0x187/0x1e0
 __vsock_release+0x383/0x4a0
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x359/0xa80
 task_work_run+0x107/0x1d0
 do_exit+0x847/0x2560
 do_group_exit+0xb8/0x250
 __x64_sys_exit_group+0x3a/0x50
 x64_sys_call+0xfec/0x14f0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The Linux kernel CVE team has assigned CVE-2025-21756 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 5.10.235 with commit e7754d564579a5db9c5c9f74228df5d6dd6f1173
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 5.15.179 with commit e48fcb403c2d0e574c19683f09399ab4cf67809c
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.1.131 with commit 42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.6.79 with commit 3f43540166128951cc1be7ab1ce6b7f05c670d8b
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.12.16 with commit 645ce25aa0e67895b11d89f27bb86c9d444c40f8
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.13.4 with commit b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
	Issue introduced in 5.5 with commit c0cfa2d8a788fcf45df5bf4070ab2474c88d543a and fixed in 6.14 with commit fcdd2242c0231032fc84e1404315c245ae56322a

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21756
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/vmw_vsock/af_vsock.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e7754d564579a5db9c5c9f74228df5d6dd6f1173
	https://git.kernel.org/stable/c/e48fcb403c2d0e574c19683f09399ab4cf67809c
	https://git.kernel.org/stable/c/42b33381e5e1f2b967dc4fb4221ddb9aaf10d197
	https://git.kernel.org/stable/c/3f43540166128951cc1be7ab1ce6b7f05c670d8b
	https://git.kernel.org/stable/c/645ce25aa0e67895b11d89f27bb86c9d444c40f8
	https://git.kernel.org/stable/c/b1afd40321f1c243cffbcf40ea7ca41aca87fa5e
	https://git.kernel.org/stable/c/fcdd2242c0231032fc84e1404315c245ae56322a