In the Linux kernel, the following vulnerability has been resolved:
sockmap, vsock: For connectible sockets allow only connected
sockmap expects all vsocks to have a transport assigned, which is expressed in vsockproto::psockupdateskprot(). However, there is an edge case where an unconnected (connectible) socket may lose its previously assigned transport. This is handled with a NULL check in the vsock/BPF recv path.
Another design detail is that listening vsocks are not supposed to have any transport assigned at all. Which implies they are not supported by the sockmap. But this is complicated by the fact that a socket, before switching to TCP_LISTEN, may have had some transport assigned during a failed connect() attempt. Hence, we may end up with a listening vsock in a sockmap, which blows up quickly:
KASAN: null-ptr-deref in range [0x0000000000000120-0x0000000000000127] CPU: 7 UID: 0 PID: 56 Comm: kworker/7:0 Not tainted 6.14.0-rc1+ Workqueue: vsock-loopback vsockloopbackwork RIP: 0010:vsockreadskb+0x4b/0x90 Call Trace: skpsockverdictdataready+0xa4/0x2e0 virtiotransportrecvpkt+0x1ca8/0x2acc vsockloopbackwork+0x27d/0x3f0 processonework+0x846/0x1420 workerthread+0x5b3/0xf80 kthread+0x35a/0x700 retfromfork+0x2d/0x70 retfromfork_asm+0x1a/0x30
For connectible sockets, instead of relying solely on the state of vsk->transport, tell sockmap to only allow those representing established connections. This aligns with the behaviour for AFINET and AFUNIX.