Bug 2373357 (CVE-2025-38074) - CVE-2025-38074 kernel: vhost-scsi: protect vq->log_used with vq->mutex
Summary: CVE-2025-38074 kernel: vhost-scsi: protect vq->log_used with vq->mutex
Keywords:
Status: NEW
Alias: CVE-2025-38074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-06-18 10:03 UTC by OSIDB Bzimport
Modified: 2025-06-20 19:05 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-06-18 10:03:21 UTC 
In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: protect vq->log_used with vq->mutex

The vhost-scsi completion path may access vq->log_base when vq->log_used is
already set to false.

    vhost-thread                       QEMU-thread

vhost_scsi_complete_cmd_work()
-> vhost_add_used()
   -> vhost_add_used_n()
      if (unlikely(vq->log_used))
                                      QEMU disables vq->log_used
                                      via VHOST_SET_VRING_ADDR.
                                      mutex_lock(&vq->mutex);
                                      vq->log_used = false now!
                                      mutex_unlock(&vq->mutex);

				      QEMU gfree(vq->log_base)
        log_used()
        -> log_write(vq->log_base)

Assuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be
reclaimed via gfree(). As a result, this causes invalid memory writes to
QEMU userspace.

The control queue path has the same issue.
Comment 1 Avinash Hanwate 2025-06-20 18:57:16 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025061839-CVE-2025-38074-dc14@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.