The Linux kernel is a critical component of the operating system, and any vulnerability in it can pose a severe security risk. In this article we look at a recently resolved vulnerability, CVE-2025-21670, a NULL pointer dereference in the vsock (VM sockets, AF_VSOCK) subsystem of the Linux kernel. The article covers the details of the vulnerability, the fix, and its impact.

Background

Vsock (AF_VSOCK, "VM sockets") is a socket family for communication between virtual machines and their host. Several transports (virtio, vhost, VMCI, Hyper-V, loopback) can coexist, so a socket gets its transport assigned only when it connects or is accepted, chosen by the peer CID; until then vsk->transport is NULL. Vsock sockets can also be placed in a BPF sockmap, in which case receives go through vsock_bpf_recvmsg(), which calls into the core vsock functions, some of which may only be called once a transport has been assigned.

Details of the Vulnerability

Michal Kubecek reported that a socket may still have its transport set to NULL, for example after a failed connect() attempt, and that receiving on such a socket through the BPF path produces the following kernel trace:

BUG: kernel NULL pointer dereference, address: 00000000000000a0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12faf8067 P4D 12faf8067 PUD 113670067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 15 UID: 0 PID: 1198 Comm: a.out Not tainted 6.13.0-rc2+
RIP: 0010:vsock_connectible_has_data+0x1f/0x40
Call Trace:
 vsock_bpf_recvmsg+0xca/0x5e0
 sock_recvmsg+0xb9/0xc0
 __sys_recvfrom+0xb3/0x130
 __x64_sys_recvfrom+0x20/0x30
 do_syscall_64+0x93/0x180
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

This occurs because vsock_connectible_has_data(), which vsock_bpf_recvmsg() calls, reaches through vsk->transport without checking that a transport has been assigned. Both branches dereference it (vsock_stream_has_data() itself just calls vsk->transport->stream_has_data(vsk)), which is why the faulting address is a small offset into a NULL struct vsock_transport:

s64 vsock_connectible_has_data(struct vsock_sock *vsk)
{
	struct sock *sk = sk_vsock(vsk);

	/* Either branch dereferences vsk->transport, which may still be NULL. */
	if (sk->sk_type == SOCK_SEQPACKET)
		return vsk->transport->seqpacket_has_data(vsk);
	else
		return vsock_stream_has_data(vsk);
}

Proposed Fix

The fix is straightforward: vsock_bpf_recvmsg() must verify that vsk->transport is non-NULL before calling into the core functions, at least for connected-type sockets (SOCK_STREAM and SOCK_SEQPACKET). This is the same check that __vsock_connectible_recvmsg() already performs on the non-BPF receive path.

A check of this shape, shown here in illustrative form rather than as the upstream diff, does the job:

static int vsock_bpf_recvmsg(struct sock *sk, struct msghdr *msg,
			     size_t len, int flags, int *addr_len)
{
	struct vsock_sock *vsk = vsock_sk(sk);

	/* A connected-type socket with no transport (never connected, or its
	 * connect() failed) has nothing to receive from; bail out before any
	 * core function dereferences vsk->transport.
	 */
	if ((sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) &&
	    !vsk->transport)
		return -ENOTCONN;

	/* ... the existing BPF receive path follows unchanged ... */
}
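The bug and its guard, modelled in userspace as an added example that is not kernel code: everything prefixed model_ is a hypothetical stand-in for struct vsock_sock, struct vsock_transport, transport assignment at connect() and vsock_bpf_recvmsg(), and the host CID, queued byte counts and peer CIDs are constructed inputs. It serves both the dereference described under Details and the guard under Proposed Fix: a failed connect() leaves the transport NULL, the pre-fix receive path faults on it (run in a child process so the fault can be observed rather than taking down the caller), and the guarded path returns -ENOTCONN instead.

```c
/* Userspace model (added example, not kernel code) of the vsock NULL-transport
 * bug and its guard. model_* names are hypothetical stand-ins for the kernel's
 * struct vsock_sock, struct vsock_transport and vsock_bpf_recvmsg(). */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#define MODEL_HOST_CID 2u   /* stands in for VMADDR_CID_HOST */

struct model_vsock;

/* Per-transport ops table, reached through vsk->transport in the kernel. */
struct model_transport {
	long (*stream_has_data)(struct model_vsock *vsk);
	long (*seqpacket_has_data)(struct model_vsock *vsk);
};

struct model_vsock {
	int sk_type;                              /* SOCK_STREAM, SOCK_SEQPACKET or SOCK_DGRAM */
	const struct model_transport *transport;  /* NULL until connect()/accept() assigns one */
	long queued_bytes;                        /* constructed: bytes waiting to be read */
};

static long model_stream_has_data(struct model_vsock *vsk)    { return vsk->queued_bytes; }
static long model_seqpacket_has_data(struct model_vsock *vsk) { return vsk->queued_bytes > 0; }

/* Constructed transport that only serves connections to the host CID. */
static const struct model_transport model_host_transport = {
	.stream_has_data = model_stream_has_data,
	.seqpacket_has_data = model_seqpacket_has_data,
};

/* Stand-in for transport assignment at connect(): the transport is picked by
 * the peer CID, and a failed connect() leaves vsk->transport NULL. */
static int model_connect(struct model_vsock *vsk, unsigned int peer_cid)
{
	if (peer_cid != MODEL_HOST_CID)
		return -ENODEV;   /* no transport can reach this CID; transport stays NULL */
	vsk->transport = &model_host_transport;
	return 0;
}

/* Same shape as vsock_connectible_has_data(): both branches dereference
 * vsk->transport, so a NULL transport faults here (the RIP in the trace). */
static long model_connectible_has_data(struct model_vsock *vsk)
{
	if (vsk->sk_type == SOCK_SEQPACKET)
		return vsk->transport->seqpacket_has_data(vsk);
	return vsk->transport->stream_has_data(vsk);
}

static bool model_is_stream_or_seqpacket(int type)
{
	return type == SOCK_STREAM || type == SOCK_SEQPACKET;
}

/* Pre-fix receive entry: goes straight to the has_data helper. */
static long model_bpf_recvmsg_unfixed(struct model_vsock *vsk)
{
	return model_connectible_has_data(vsk);
}

/* Post-fix receive entry: refuse connected-type sockets that have no
 * transport, mirroring the check __vsock_connectible_recvmsg() already does. */
static long model_bpf_recvmsg_fixed(struct model_vsock *vsk)
{
	if (model_is_stream_or_seqpacket(vsk->sk_type) && !vsk->transport)
		return -ENOTCONN;
	return model_connectible_has_data(vsk);
}

/* Runs the pre-fix path in a child process so the NULL dereference kills the
 * child instead of the caller; true if the child did not finish normally. */
static bool model_unfixed_path_faults(struct model_vsock *vsk)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return false;
	if (pid == 0) {
		model_bpf_recvmsg_unfixed(vsk);
		_exit(0);   /* only reached if no fault occurred */
	}
	if (waitpid(pid, &status, 0) != pid)
		return false;
	return !(WIFEXITED(status) && WEXITSTATUS(status) == 0);
}
```

The guard is deliberately limited to SOCK_STREAM and SOCK_SEQPACKET, as the page's fix describes; a datagram socket is not covered by it, so the model, like the kernel check, says nothing about that case.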

Original report by Michal Kubecek and the resulting fix:

* net/vsock: check NULL transport in vsock_bpf_recvmsg()

Conclusion

CVE-2025-21670 was a NULL pointer dereference in the BPF receive path of the Linux kernel's vsock subsystem. Triggering it requires a local process that can create an AF_VSOCK socket and place it in a BPF sockmap or sockhash (ordinarily a privileged operation, since creating those maps requires CAP_NET_ADMIN), and the result is a kernel oops, i.e. a local denial of service; nothing in the report suggests more than a crash. Users, and system administrators in particular, should make sure they run a kernel that includes the fix.

Timeline

Published on: 01/31/2025 12:15:28 UTC
Last modified on: 02/04/2025 15:37:25 UTC