| { |
| "containers": { |
| "cna": { |
| "providerMetadata": { |
| "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" |
| }, |
| "descriptions": [ |
| { |
| "lang": "en", |
| "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsockmap, vsock: For connectible sockets allow only connected\n\nsockmap expects all vsocks to have a transport assigned, which is expressed\nin vsock_proto::psock_update_sk_prot(). However, there is an edge case\nwhere an unconnected (connectible) socket may lose its previously assigned\ntransport. This is handled with a NULL check in the vsock/BPF recv path.\n\nAnother design detail is that listening vsocks are not supposed to have any\ntransport assigned at all. Which implies they are not supported by the\nsockmap. But this is complicated by the fact that a socket, before\nswitching to TCP_LISTEN, may have had some transport assigned during a\nfailed connect() attempt. Hence, we may end up with a listening vsock in a\nsockmap, which blows up quickly:\n\nKASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127]\nCPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+\nWorkqueue: vsock-loopback vsock_loopback_work\nRIP: 0010:vsock_read_skb+0x4b/0x90\nCall Trace:\n sk_psock_verdict_data_ready+0xa4/0x2e0\n virtio_transport_recv_pkt+0x1ca8/0x2acc\n vsock_loopback_work+0x27d/0x3f0\n process_one_work+0x846/0x1420\n worker_thread+0x5b3/0xf80\n kthread+0x35a/0x700\n ret_from_fork+0x2d/0x70\n ret_from_fork_asm+0x1a/0x30\n\nFor connectible sockets, instead of relying solely on the state of\nvsk->transport, tell sockmap to only allow those representing established\nconnections. This aligns with the behaviour for AF_INET and AF_UNIX." |
| } |
| ], |
| "affected": [ |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "unaffected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/core/sock_map.c" |
| ], |
| "versions": [ |
| { |
| "version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", |
| "lessThan": "cc9a7832ede53ade1ba9991f0e27314caa4029d8", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", |
| "lessThan": "22b683217ad2112791a708693cb236507abd637a", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", |
| "lessThan": "f7b473e35986835cc2813fef7b9d40336a09247e", |
| "status": "affected", |
| "versionType": "git" |
| }, |
| { |
| "version": "634f1a7110b439c65fd8a809171c1d2d28bcea6f", |
| "lessThan": "8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f", |
| "status": "affected", |
| "versionType": "git" |
| } |
| ] |
| }, |
| { |
| "product": "Linux", |
| "vendor": "Linux", |
| "defaultStatus": "affected", |
| "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", |
| "programFiles": [ |
| "net/core/sock_map.c" |
| ], |
| "versions": [ |
| { |
| "version": "6.4", |
| "status": "affected" |
| }, |
| { |
| "version": "0", |
| "lessThan": "6.4", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.6.80", |
| "lessThanOrEqual": "6.6.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.12.17", |
| "lessThanOrEqual": "6.12.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.13.5", |
| "lessThanOrEqual": "6.13.*", |
| "status": "unaffected", |
| "versionType": "semver" |
| }, |
| { |
| "version": "6.14", |
| "lessThanOrEqual": "*", |
| "status": "unaffected", |
| "versionType": "original_commit_for_fix" |
| } |
| ] |
| } |
| ], |
| "cpeApplicability": [ |
| { |
| "nodes": [ |
| { |
| "operator": "OR", |
| "negate": false, |
| "cpeMatch": [ |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.4", |
| "versionEndExcluding": "6.6.80" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.4", |
| "versionEndExcluding": "6.12.17" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.4", |
| "versionEndExcluding": "6.13.5" |
| }, |
| { |
| "vulnerable": true, |
| "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", |
| "versionStartIncluding": "6.4", |
| "versionEndExcluding": "6.14" |
| } |
| ] |
| } |
| ] |
| } |
| ], |
| "references": [ |
| { |
| "url": "https://git.kernel.org/stable/c/cc9a7832ede53ade1ba9991f0e27314caa4029d8" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/22b683217ad2112791a708693cb236507abd637a" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/f7b473e35986835cc2813fef7b9d40336a09247e" |
| }, |
| { |
| "url": "https://git.kernel.org/stable/c/8fb5bb169d17cdd12c2dcc2e96830ed487d77a0f" |
| } |
| ], |
| "title": "sockmap, vsock: For connectible sockets allow only connected", |
| "x_generator": { |
| "engine": "bippy-1.2.0" |
| } |
| } |
| }, |
| "cveMetadata": { |
| "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", |
| "cveID": "CVE-2025-21854", |
| "requesterUserId": "gregkh@kernel.org", |
| "serial": "1", |
| "state": "PUBLISHED" |
| }, |
| "dataType": "CVE_RECORD", |
| "dataVersion": "5.0" |
| } |
