vsock: Do not allow binding to VMADDR_PORT_ANY

It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can
cause a use-after-free when a connection is made to the bound socket.
The socket returned by accept() also has port VMADDR_PORT_ANY but is not
on the list of unbound sockets. Binding it will result in an extra
refcount decrement similar to the one fixed in fcdd224 (vsock: Keep
the binding until socket destruction).

Modify the check in __vsock_bind_connectible() to also prevent binding
to VMADDR_PORT_ANY.

Fixes: d021c34 ("VSOCK: Introduce VM Sockets")
Reported-by: Budimir Markovic<[email protected]>
Signed-off-by: Budimir Markovic<[email protected]>
Reviewed-by: Stefano Garzarella<[email protected]>
Link:https://patch.msgid.link/[email protected]
Signed-off-by: Jakub Kicinski<[email protected]>

CVE-2025-38618
(cherry picked from commit aba0c94f61ec05315fa7815d21aefa4c87f6a9f4)
Signed-off-by: Ian Whitfield<[email protected]>
Acked-by: Bethany Jamison <[email protected]>
Acked-by: Stefan Bader <[email protected]>
Signed-off-by: Stefan Bader <[email protected]>

Author: markovicbudimir

net/vmw_vsock/af_vsock.c

@@ -655,7 +655,8 @@ static int __vsock_bind_connectible(struct vsock_sock *vsk,
 		unsigned int i;
 
 		for (i = 0; i < MAX_PORT_RETRIES; i++) {
-			if (port <= LAST_RESERVED_PORT)
+			if (port == VMADDR_PORT_ANY ||
+			    port <= LAST_RESERVED_PORT)
 				port = LAST_RESERVED_PORT + 1;
 
 			new_addr.svm_port = port++;