[LTP] [PATCH v2 2/2] cve: add test reproducer for cve-2025-21756

Cyril Hrubis chrubis@suse.cz
Tue Sep 23 13:55:33 CEST 2025


Hi!
> This test is verifying kernel commit fcdd2242c023 "vsock: Keep the
> binding until socket destruction" merged inside v6.14.
> 
> Beware, it will crash the system!
> 
> Signed-off-by: Andrea Cervesato <andrea.cervesato@suse.com>
> ---
>  runtest/cve                    |  1 +
>  testcases/cve/.gitignore       |  1 +
>  testcases/cve/cve-2025-21756.c | 95 ++++++++++++++++++++++++++++++++++++++++++
>  3 files changed, 97 insertions(+)
> 
> diff --git a/runtest/cve b/runtest/cve
> index 6d575aa2165bcd46e5ca36a07db33f69a91bd94a..c3ecd74dd9f837924b810b7b431ebb911d809966 100644
> --- a/runtest/cve
> +++ b/runtest/cve
> @@ -92,3 +92,4 @@ cve-2020-25704 perf_event_open03
>  cve-2022-0185 fsconfig03
>  cve-2022-4378 cve-2022-4378
>  cve-2025-38236 cve-2025-38236
> +cve-2025-21756 cve-2025-21756
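Review bot: the new `cve-2025-21756 cve-2025-21756` entry is appended after `cve-2025-38236`, which breaks the ascending CVE order the visible neighbours follow (`cve-2020-25704`, `cve-2022-0185`, `cve-2022-4378`, `cve-2025-38236`); insert it before the `cve-2025-38236` line so the list stays sorted by CVE id.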
> diff --git a/testcases/cve/.gitignore b/testcases/cve/.gitignore
> index 8eb17ce56b01070e47917f9bb44cf146c0c5b338..dc1dad5b0d0d02a3ab57e72516c33ee7949c8431 100644
> --- a/testcases/cve/.gitignore
> +++ b/testcases/cve/.gitignore
> @@ -14,3 +14,4 @@ cve-2022-4378
>  icmp_rate_limit01
>  tcindex01
>  cve-2025-38236
> +cve-2025-21756
> diff --git a/testcases/cve/cve-2025-21756.c b/testcases/cve/cve-2025-21756.c
> new file mode 100644
> index 0000000000000000000000000000000000000000..80fb84c473207fb2497f6ca6bb53166f0b1734cc
> --- /dev/null
> +++ b/testcases/cve/cve-2025-21756.c
> @@ -0,0 +1,95 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2025 Andrea Cervesato <andrea.cervesato@suse.com>
> + */
> +
> +/*\
> + * Test for CVE-2025-21756 fixed in kernel v6.14:
> + * fcdd2242c023 vsock: Keep the binding until socket destruction
> + *
> + * Reproducer based on:
> + * https://lore.kernel.org/all/20250128-vsock-transport-vs-autobind-v3-5-1cf57065b770@rbox.co/
> + *
> + * Beware, this test will crash the system.
> + */
> +
> +#include "tst_test.h"
> +#include "lapi/vm_sockets.h"
> +
> +#define MAX_PORT_RETRIES	24
> +#define VMADDR_CID_NONEXISTING	42
> +
> +static int vsock_bind(unsigned int cid, unsigned int port, int type)
> +{
> +	int sock;
> +
> +	struct sockaddr_vm sa = {
> +		.svm_family = AF_VSOCK,
> +		.svm_cid = cid,
> +		.svm_port = port,
> +	};
> +
> +	sock = SAFE_SOCKET(AF_VSOCK, type, 0);
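Review bot: `SAFE_SOCKET(AF_VSOCK, type, 0)` in `vsock_bind()` turns an unsupported address family into TBROK, but on a kernel without vsock built in or the module loaded `socket()` fails with EAFNOSUPPORT (and older kernels may return EINVAL for the combination), which is a missing-feature condition rather than a test failure; call `socket()` directly and `tst_brk(TCONF, ...)` on those errnos before falling back to the SAFE_ macro behaviour, so the test reports TCONF instead of breaking on kernels that lack vsock.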

So this generally works all the way back to the oldest LTP supported
kernel? I would expect that we would need an EINVAL check here.

Otherwise:

Reviewed-by: Cyril Hrubis <chrubis@suse.cz>


-- 
Cyril Hrubis
chrubis@suse.cz

