Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's VSOCK implementation allows a socket to bind to VMADDR_PORT_ANY, which leads to a use-after-free condition when a connection is established. The socket returned by accept() also uses VMADDR_PORT_ANY but is not on the list of unbound sockets, so binding it causes an additional reference count decrement, similar to a previously addressed issue, which can disrupt proper socket management. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability can lead to a use-after-free condition, causing potential memory corruption issues.
To reproduce this vulnerability, create a VSOCK socket and allow it to autobind to VMADDR_PORT_ANY. When a connection is made to this socket, the binding will cause a use-after-free condition by improperly managing the socket's reference count. This can be observed by monitoring the socket's state and reference count before and after the connection is established.
The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.