Message-ID: <20260203154656.lbkt4j7ucvv2lprh@shell.thinkmo.de>
Date: Tue, 3 Feb 2026 16:46:56 +0100
From: Bastian Blank <bblank@...nkmo.de>
To: oss-security@...ts.openwall.com
Subject: Re: Systemd vsock sshd

On Sat, Dec 27, 2025 at 08:46:49PM -0700, Greg Dahlman wrote:
>   **vsock exists in the global namespace** - Unlike "af_inet" sockets,
>   vsock connections are not bound to a particular network namespace.
>   By default they are visible to every namespace on the host.

Every address family in Linux needs to implement its own namespace
handling.  In 2007, all existing address families got a check to only
allow the initial network namespace.  af_vsock is newer and never got
this check.

Every point after the first one is just a result, not a cause.

So a fix would be something like that (untested, no time right now):

--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -2553,6 +2553,9 @@ static int vsock_create(struct net *net, struct socket *sock,
         if (protocol && protocol != PF_VSOCK)
                 return -EPROTONOSUPPORT;
 
+        if (!net_eq(net, &init_net))
+                return -EAFNOSUPPORT;
+
         switch (sock->type) {
         case SOCK_DGRAM:
                 sock->ops = &vsock_dgram_ops;
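Review bot: the added check in vsock_create() hard-rejects AF_VSOCK socket creation for every network namespace other than init_net, so any workload that currently opens a vsock socket from inside a container's namespace will start failing with EAFNOSUPPORT; that is a user-visible behaviour change the commit message needs to spell out, and it is worth stating explicitly that this deliberately trades netns-aware vsock support for the same init_net-only rule the other families got in 2007. The placement after the `protocol != PF_VSOCK` check and the `-EAFNOSUPPORT` return value are consistent with how those older families reject foreign namespaces. Separately, the three `+` lines show 8-space indentation where the kernel uses tabs, so the mail client has most likely mangled whitespace and the patch will need re-sending before it applies cleanly.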

But I have a question:  why do you name sshd, while every AF_VSOCK
listener is affected?

Bastian

-- 
Warp 7 -- It's a law we can live with.
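A quick way for an administrator to check whether a running kernel already applies the init_net restriction proposed above, added here as an example that is not part of the original message or of the kernel patch: a forked child opens an AF_VSOCK socket, unshares into a fresh network namespace, and tries again, treating EAFNOSUPPORT on the second attempt as the patched behaviour. It assumes CAP_SYS_ADMIN for unshare(CLONE_NEWNET) and that the vsock module can be loaded; the result codes and function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Fallbacks for older libc headers; both are the kernel's own values. */
#ifndef AF_VSOCK
#define AF_VSOCK 40
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags); /* explicit prototype in case _GNU_SOURCE did not take effect */
/* Probe outcomes (this example's own codes); also used as the child's exit status. */
enum vsock_ns_result {
    VSOCK_NS_RESTRICTED = 0, /* EAFNOSUPPORT in a new netns: an init_net check is present */
    VSOCK_NS_LEAKS      = 1, /* socket() succeeded in a new netns: no such check */
    VSOCK_NS_NO_VSOCK   = 2, /* AF_VSOCK unavailable even before unshare() */
    VSOCK_NS_NO_PRIV    = 3, /* unshare(CLONE_NEWNET) refused: needs CAP_SYS_ADMIN */
    VSOCK_NS_ERROR      = 4  /* anything else */
};
/* Runs in a forked child so the caller's own network namespace is untouched. */
static int probe_child(void)
{
    int fd = socket(AF_VSOCK, SOCK_STREAM, 0);
    if (fd < 0) return VSOCK_NS_NO_VSOCK; /* module missing or family disabled */
    close(fd);
    if (unshare(CLONE_NEWNET) < 0) return errno == EPERM ? VSOCK_NS_NO_PRIV : VSOCK_NS_ERROR;
    fd = socket(AF_VSOCK, SOCK_STREAM, 0); /* the call the proposed vsock_create() check gates */
    if (fd >= 0) { close(fd); return VSOCK_NS_LEAKS; }
    return errno == EAFNOSUPPORT ? VSOCK_NS_RESTRICTED : VSOCK_NS_ERROR;
}
/* Returns one of enum vsock_ns_result for the running kernel. */
int vsock_netns_probe(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return VSOCK_NS_ERROR;
    if (pid == 0) _exit(probe_child());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return VSOCK_NS_ERROR;
    return WEXITSTATUS(status);
}
int main(void)
{
    int r = vsock_netns_probe();
    printf("vsock netns probe: %d (0 restricted, 1 leaks, 2 no vsock, 3 no privilege, 4 error)\n", r);
    return r;
}
```

Run it as root on the host; result 1 means sockets of the affected family can still be created from any network namespace, result 0 means the kernel rejects them outside init_net.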
