CVE-2025-38074

{"id": "CVE-2025-38074", "cveTags": [], "metrics": {}, "published": "2025-06-18T10:15:40.850", "references": [{"url": "https://git.kernel.org/stable/c/59614c5acf6688f7af3c245d359082c0e9e53117", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/80cf68489681c165ded460930e391b1eb37b5f6f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8312a1ccff1566f375191a89b9ba71b6eb48a8cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bd8c9404e44adb9f6219c09b3409a61ab7ce3427", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c0039e3afda29be469d29b3013d7f9bdee136834", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f591cf9fce724e5075cc67488c43c6e39e8cbe27", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: protect vq->log_used with vq->mutex\n\nThe vhost-scsi completion path may access vq->log_base when vq->log_used is\nalready set to false.\n\n vhost-thread QEMU-thread\n\nvhost_scsi_complete_cmd_work()\n-> vhost_add_used()\n -> vhost_add_used_n()\n if (unlikely(vq->log_used))\n QEMU disables vq->log_used\n via VHOST_SET_VRING_ADDR.\n mutex_lock(&vq->mutex);\n vq->log_used = false now!\n mutex_unlock(&vq->mutex);\n\n\t\t\t\t QEMU gfree(vq->log_base)\n log_used()\n -> log_write(vq->log_base)\n\nAssuming the VMM is QEMU. The vq->log_base is from QEMU userpace and can be\nreclaimed via gfree(). As a result, this causes invalid memory writes to\nQEMU userspace.\n\nThe control queue path has the same issue."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vhost-scsi: proteger vq->log_used con vq->mutex La ruta de finalizaci\u00f3n de vhost-scsi puede acceder a vq->log_base cuando vq->log_used ya est\u00e1 configurado como falso. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU deshabilita vq->log_used mediante VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_write(vq->log_base) Suponiendo que el VMM es QEMU. La ruta vq->log_base proviene del espacio de usuario de QEMU y se puede recuperar mediante gfree(). Como resultado, esto provoca escrituras de memoria no v\u00e1lidas en el espacio de usuario de QEMU. La ruta de la cola de control presenta el mismo problema."}], "lastModified": "2025-07-17T17:15:36.540", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}