Description
In the Linux kernel, the following vulnerability has been resolved:
vsock: Orphan socket after transport release
During socket release, sock_orphan() is called without considering that it sets sk->sk_wq to NULL. Later, if SO_LINGER is enabled, this leads to a null pointer dereference in virtio_transport_wait_close().
Orphan the socket only after transport release.
Partially reverts the 'Fixes:' commit.
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 lock_acquire+0x19e/0x500
 _raw_spin_lock_irqsave+0x47/0x70
 add_wait_queue+0x46/0x230
 virtio_transport_release+0x4e7/0x7f0
 __vsock_release+0xfd/0x490
 vsock_release+0x90/0x120
 __sock_release+0xa3/0x250
 sock_close+0x14/0x20
 __fput+0x35e/0xa90
 __x64_sys_close+0x78/0xd0
 do_syscall_64+0x93/0x1b0
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-21755
- https://git.kernel.org/stable/c/3a866f8376f0a5c848dcb59cd26df845fffbe6d8
- https://git.kernel.org/stable/c/631e00fdac7acca676103d6cbc96eb152625f449
- https://git.kernel.org/stable/c/78dafe1cf3afa02ed71084b350713b07e72a18fb
- https://git.kernel.org/stable/c/94d81870eec7ad2dd7af80bffd314ded26caea1a
- https://git.kernel.org/stable/c/bab61f41c942a20ef7b4feea50e9d36d19ad1a26
- https://git.kernel.org/stable/c/c6acb650a73d5705a93b9c5a2cd5e9c8161f0be3
- https://git.kernel.org/stable/c/f3b8e9d3414b2eb083d8293be25a949fe480897b
Related vulnerabilities
- Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- [REJECTED CVE] A vulnerability was identified in the Linux kernel’s vsock module where the socket was orphaned before releasing the transport, leading to a NULL pointer dereference if SO_LINGER was enabled. This was caused by sock_orphan() nullifying sk->sk_wq, which was later accessed in virtio_transport_wait_close(). An attacker exploiting this flaw could trigger a kernel crash by closing a vsock socket with SO_LINGER set, leading to a denial of service on the host system.
- Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
- Security update for the Linux Kernel (Live Patch 23 for SLE 15 SP5)
- Security update for the Linux Kernel (Live Patch 26 for SLE 15 SP5)