CVE-2025-21670
31.01.2025, 12:15
In the Linux kernel, the following vulnerability has been resolved:
vsock/bpf: return early if transport is not assigned
Some of the core functions can only be called if the transport
has been assigned.
As Michal reported, a socket might have the transport at NULL,
for example after a failed connect(), causing the following trace:
BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
vsock_bpf_recvmsg+0xca/0x5e0
sock_recvmsg+0xb9/0xc0
__sys_recvfrom+0xb3/0x130
__x64_sys_recvfrom+0x20/0x30
do_syscall_64+0x93/0x180
entry_SYSCALL_64_after_hwframe+0x76/0x7e
So we need to check the `vsk->transport` in vsock_bpf_recvmsg(),
especially for connected sockets (stream/seqpacket) as we already
do in __vsock_connectible_recvmsg().Enginsight| Vendor | Product | Version |
|---|---|---|
| linux | linux_kernel | 6.4 ≤ 𝑥 < 6.6.74 |
| linux | linux_kernel | 6.7 ≤ 𝑥 < 6.12.11 |
| linux | linux_kernel | 6.13:rc1 |
| linux | linux_kernel | 6.13:rc2 |
| linux | linux_kernel | 6.13:rc3 |
| linux | linux_kernel | 6.13:rc4 |
| linux | linux_kernel | 6.13:rc5 |
| linux | linux_kernel | 6.13:rc6 |
| linux | linux_kernel | 6.13:rc7 |
𝑥
= Vulnerable software versions
Debian Releases
Common Weakness Enumeration