From: Cyril Hrubis <chrubis@suse.cz>
To: Andrea Cervesato <andrea.cervesato@suse.de>
Cc: ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
Date: Tue, 23 Sep 2025 13:55:33 +0200 [thread overview]
Message-ID: <aNKKtXeaxoAfTsT8@yuki.lan> (raw)
In-Reply-To: <20250923-cve-2025-21756-v2-2-3bb1a6363123@suse.com>
Hi!
> This test is verifying kernel commit fcdd2242c023 "vsock: Keep the
> binding until socket destruction" merged inside v6.14.
>
> Beware, it will crash the system!
>
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
> runtest/cve | 1 +
> testcases/cve/.gitignore | 1 +
> testcases/cve/cve-2025-21756.c | 95 ++++++++++++++++++++++++++++++++++++++++++
> 3 files changed, 97 insertions(+)
>
> diff --git a/runtest/cve b/runtest/cve
> index 6d575aa2165bcd46e5ca36a07db33f69a91bd94a..c3ecd74dd9f837924b810b7b431ebb911d809966 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -92,3 +92,4 @@ cve-2020-25704 perf_event_open03
> cve-2022-0185 fsconfig03
> cve-2022-4378 cve-2022-4378
> cve-2025-38236 cve-2025-38236
> +cve-2025-21756 cve-2025-21756
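Review bot: the new entry at the end of this hunk is appended after cve-2025-38236, which breaks the ascending order the visible context lines of runtest/cve follow (cve-2020-25704, cve-2022-0185, cve-2022-4378, cve-2025-38236); consider placing `cve-2025-21756 cve-2025-21756` before the `cve-2025-38236 cve-2025-38236` line so the file stays sorted.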
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 8eb17ce56b01070e47917f9bb44cf146c0c5b338..dc1dad5b0d0d02a3ab57e72516c33ee7949c8431 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -14,3 +14,4 @@ cve-2022-4378
> icmp_rate_limit01
> tcindex01
> cve-2025-38236
> +cve-2025-21756
> diff --git a/testcases/cve/cve-2025-21756.c b/testcases/cve/cve-2025-21756.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..80fb84c473207fb2497f6ca6bb53166f0b1734cc
> --- /dev/null
> +++ b/testcases/cve/cve-2025-21756.c
> @@ -0,0 +1,95 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test for CVE-2025-21756 fixed in kernel v6.14:
> + * fcdd2242c023 vsock: Keep the binding until socket destruction
> + *
> + * Reproducer based on:
> + * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
> + *
> + * Beware, this test will crash the system.
> + */
> +
> +#include "tst_test.h"
> +#include "lapi/vm_sockets.h"
> +
> +#define MAX_PORT_RETRIES 24
> +#define VMADDR_CID_NONEXISTING 42
> +
> +static int vsock_bind(unsigned int cid, unsigned int port, int type)
> +{
> + int sock;
> +
> + struct sockaddr_vm sa = {
> + .svm_family = AF_VSOCK,
> + .svm_cid = cid,
> + .svm_port = port,
> + };
> +
> + sock = SAFE_SOCKET(AF_VSOCK, type, 0);
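Review bot: `sock = SAFE_SOCKET(AF_VSOCK, type, 0);` at the end of this hunk will report TBROK rather than TCONF on a kernel or VM where AF_VSOCK is not available (no vsock support or no transport loaded), so the test would look broken instead of skipped; consider calling socket() directly in vsock_bind() and mapping an EAFNOSUPPORT or EINVAL failure to tst_brk(TCONF, ...), and documenting that requirement in the test's header comment next to the "will crash the system" warning.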
So this generally works all the way back to the oldest LTP supported
kernel? I would expect that we would need an EINVAL check here.
Otherwise:
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>
--
Cyril Hrubis
chrubis@suse.cz
--
Mailing list info: https://lists.linux.it/listinfo/ltp
Thread overview: 8+ messages
2025-09-23 8:40 [LTP] [PATCH v2 0/2] cve-2025-21756 reproducer Andrea Cervesato
2025-09-23 8:40 ` [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback Andrea Cervesato
2025-09-23 11:52 ` Cyril Hrubis
2025-09-23 8:41 ` [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756 Andrea Cervesato
2025-09-23 11:55 ` Cyril Hrubis [this message]
2025-09-23 12:09 ` Andrea Cervesato via ltp
2025-09-23 12:16 ` Cyril Hrubis
2025-09-23 13:28 ` Andrea Cervesato via ltp