THREATINT
PUBLISHED

CVE-2025-38074

vhost-scsi: protect vq->log_used with vq->mutex



Description

In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: protect vq->log_used with vq->mutex

The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.

    vhost-thread                          QEMU-thread

    vhost_scsi_complete_cmd_work()
    -> vhost_add_used()
       -> vhost_add_used_n()
          if (unlikely(vq->log_used))
                                          QEMU disables vq->log_used
                                          via VHOST_SET_VRING_ADDR.
                                          mutex_lock(&vq->mutex);
                                          vq->log_used = false now!
                                          mutex_unlock(&vq->mutex);

                                          QEMU gfree(vq->log_base)
            log_used()
            -> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userspace and can be reclaimed via gfree(). As a result, this causes invalid memory writes to QEMU userspace.

The control queue path has the same issue.
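The interleaving above can be replayed deterministically in a user-space model. This is an added example, not kernel or QEMU code: the struct, the function names and the atomic_flag standing in for vq->mutex are assumptions made for illustration, and the "VMM thread" is called inline at the point where the race window sits.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>

/* User-space model; only vq->mutex, log_used and log_base come from the CVE text. */
struct vq_model {
    atomic_flag mutex;   /* stands in for vq->mutex */
    bool log_used;
    bool log_reclaimed;  /* model: VMM has freed the memory behind log_base */
    uint8_t log[8];      /* stands in for the memory at vq->log_base */
};

enum result { LOG_SKIPPED, LOG_WRITTEN, LOG_STALE_WRITE };

/* VMM side: disable logging under the mutex, then reclaim the log buffer.
 * Returns false when held off because the completion path owns the mutex. */
static bool vmm_disable_log(struct vq_model *vq) {
    if (atomic_flag_test_and_set(&vq->mutex))
        return false;
    vq->log_used = false;
    atomic_flag_clear(&vq->mutex);
    vq->log_reclaimed = true;
    return true;
}

/* Completion path; take_lock=false is the pre-fix ordering, true the fixed one.
 * The VMM call is placed in the window between the check and the log write. */
static enum result complete_cmd(struct vq_model *vq, bool take_lock) {
    enum result r = LOG_SKIPPED;
    if (take_lock)
        while (atomic_flag_test_and_set(&vq->mutex)) { }
    if (vq->log_used) {
        (void)vmm_disable_log(vq);       /* interleaved VMM thread */
        if (vq->log_reclaimed) {
            r = LOG_STALE_WRITE;         /* write would land in freed memory */
        } else {
            vq->log[0] |= 1;             /* log_write() equivalent */
            r = LOG_WRITTEN;
        }
    }
    if (take_lock)
        atomic_flag_clear(&vq->mutex);
    return r;
}

/* Runs one completion against a fresh queue with logging enabled. */
enum result run_model(bool take_lock) {
    struct vq_model vq = { ATOMIC_FLAG_INIT, true, false, {0} };
    return complete_cmd(&vq, take_lock);
}
```

With the lock held across both the check and the write, the disable request is held off until the completion finishes, so the log write always lands in memory that is still valid.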

Reserved 2025-04-16 | Published 2025-06-18 | Updated 2025-06-18 | Assigner Linux

Product status

Default status: unaffected

    1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before ca85c2d0db5f8309832be45858b960d933c2131c: affected
    1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before bd8c9404e44adb9f6219c09b3409a61ab7ce3427: affected
    1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before c0039e3afda29be469d29b3013d7f9bdee136834: affected
    1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 before f591cf9fce724e5075cc67488c43c6e39e8cbe27: affected

Default status: affected

    6.6.93: unaffected
    6.12.31: unaffected
    6.14.9: unaffected
    6.15: unaffected

References

git.kernel.org/...c/ca85c2d0db5f8309832be45858b960d933c2131c

git.kernel.org/...c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427

git.kernel.org/...c/c0039e3afda29be469d29b3013d7f9bdee136834

git.kernel.org/...c/f591cf9fce724e5075cc67488c43c6e39e8cbe27

cve.org (CVE-2025-38074)

nvd.nist.gov (CVE-2025-38074)
