CVE-2025-22083

{"id": "CVE-2025-22083", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2025-04-16T15:16:02.510", "references": [{"url": "https://git.kernel.org/stable/c/2b34bdc42df047794542f3e220fe989124e4499a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3a19eb3d9818e28f14c818a18dc913344a52ca92", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3fd054baf382a426bbf5135ede0fc5673db74d3e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint\n\nIf vhost_scsi_set_endpoint is called multiple times without a\nvhost_scsi_clear_endpoint between them, we can hit multiple bugs\nfound by Haoran Zhang:\n\n1. Use-after-free when no tpgs are found:\n\nThis fixes a use after free that occurs when vhost_scsi_set_endpoint is\ncalled more than once and calls after the first call do not find any\ntpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds\ntpgs to add to the vs_tpg array match=true, so we will do:\n\nvhost_vq_set_backend(vq, vs_tpg);\n...\n\nkfree(vs->vs_tpg);\nvs->vs_tpg = vs_tpg;\n\nIf vhost_scsi_set_endpoint is called again and no tpgs are found\nmatch=false so we skip the vhost_vq_set_backend call leaving the\npointer to the vs_tpg we then free via:\n\nkfree(vs->vs_tpg);\nvs->vs_tpg = vs_tpg;\n\nIf a scsi request is then sent we do:\n\nvhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend\n\nwhich sees the vs_tpg we just did a kfree on.\n\n2. Tpg dir removal hang:\n\nThis patch fixes an issue where we cannot remove a LIO/target layer\ntpg (and structs above it like the target) dir due to the refcount\ndropping to -1.\n\nThe problem is that if vhost_scsi_set_endpoint detects a tpg is already\nin the vs->vs_tpg array or if the tpg has been removed so\ntarget_depend_item fails, the undepend goto handler will do\ntarget_undepend_item on all tpgs in the vs_tpg array dropping their\nrefcount to 0. At this time vs_tpg contains both the tpgs we have added\nin the current vhost_scsi_set_endpoint call as well as tpgs we added in\nprevious calls which are also in vs->vs_tpg.\n\nLater, when vhost_scsi_clear_endpoint runs it will do\ntarget_undepend_item on all the tpgs in the vs->vs_tpg which will drop\ntheir refcount to -1. Userspace will then not be able to remove the tpg\nand will hang when it tries to do rmdir on the tpg dir.\n\n3. Tpg leak:\n\nThis fixes a bug where we can leak tpgs and cause them to be\nun-removable because the target name is overwritten when\nvhost_scsi_set_endpoint is called multiple times but with different\ntarget names.\n\nThe bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup\na vhost-scsi device to target/tpg mapping, then calls\nVHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we\nhaven't seen before (target1 has tpg1 but target2 has tpg2). When this\nhappens we don't teardown the old target tpg mapping and just overwrite\nthe target name and the vs->vs_tpg array. Later when we do\nvhost_scsi_clear_endpoint, we are passed in either target1 or target2's\nname and we will only match that target's tpgs when we loop over the\nvs->vs_tpg. We will then return from the function without doing\ntarget_undepend_item on the tpgs.\n\nBecause of all these bugs, it looks like being able to call\nvhost_scsi_set_endpoint multiple times was never supported. The major\nuser, QEMU, already has checks to prevent this use case. So to fix the\nissues, this patch prevents vhost_scsi_set_endpoint from being called\nif it's already successfully added tpgs. To add, remove or change the\ntpg config or target name, you must do a vhost_scsi_clear_endpoint\nfirst."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vhost-scsi: Se corrige la gesti\u00f3n de m\u00faltiples llamadas a vhost_scsi_set_endpoint Si vhost_scsi_set_endpoint se llama varias veces sin un vhost_scsi_clear_endpoint entre ellas, podemos encontrar m\u00faltiples errores encontrados por Haoran Zhang: 1. use-after-free cuando no se encuentran tpgs: Esto corrige un use-after-free que ocurre cuando vhost_scsi_set_endpoint se llama m\u00e1s de una vez y las llamadas despu\u00e9s de la primera llamada no encuentran ning\u00fan tpg para agregar al vs_tpg. Cuando vhost_scsi_set_endpoint encuentra primero tpgs para agregar a la matriz vs_tpg match=true, entonces haremos: vhost_vq_set_backend(vq, vs_tpg); ... kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; Si se llama nuevamente a vhost_scsi_set_endpoint y no se encuentran tpgs, match=false, por lo que omitimos la llamada a vhost_vq_set_backend dejando el puntero al vs_tpg que luego liberamos mediante: kfree(vs->vs_tpg); vs->vs_tpg = vs_tpg; Si luego se env\u00eda una solicitud scsi, hacemos: vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend que ve el vs_tpg en el que acabamos de realizar un kfree. 2. Se bloquea la eliminaci\u00f3n del directorio tpg: este parche corrige un problema por el cual no podemos eliminar un directorio tpg de capa LIO/objetivo (y estructuras por encima de \u00e9l como el objetivo) debido a que el recuento de referencias cae a -1. El problema radica en que si vhost_scsi_set_endpoint detecta que ya hay un TPG en la matriz vs->vs_tpg, o si este se ha eliminado y, por lo tanto, target_depend_item falla, el controlador goto undepend ejecutar\u00e1 `target_undepend_item` en todos los TPG de la matriz vs_tpg, reduciendo su recuento de referencias a 0. En este momento, vs_tpg contiene tanto los TPG que hemos a\u00f1adido en la llamada actual a vhost_scsi_set_endpoint como los TPG a\u00f1adidos en llamadas anteriores que tambi\u00e9n est\u00e1n en vs->vs_tpg. Posteriormente, al ejecutarse vhost_scsi_clear_endpoint, ejecutar\u00e1 `target_undepend_item` en todos los TPG de vs->vs_tpg, lo que reducir\u00e1 su recuento de referencias a -1. En ese caso, el espacio de usuario no podr\u00e1 eliminar el TPG y se bloquear\u00e1 al intentar ejecutar `rmdir` en el directorio del TPG. 3. Fuga de TPG: Esto corrige un error que permit\u00eda filtrar TPG y hacer que no se pudieran eliminar, ya que el nombre del objetivo se sobrescrib\u00eda al llamar a vhost_scsi_set_endpoint varias veces, pero con nombres de objetivo diferentes. El error se produce si un usuario llama a VHOST_SCSI_SET_ENDPOINT y configura un dispositivo vhost-scsi para la asignaci\u00f3n de destino/TPG, y luego vuelve a llamar a VHOST_SCSI_SET_ENDPOINT con un nuevo nombre de objetivo que contiene TPG desconocidos (target1 tiene TPG1, pero target2 tiene TPG2). En este caso, no se elimina la antigua asignaci\u00f3n de TPG del objetivo, sino que se sobrescribe el nombre del objetivo y la matriz vs->vs_tpg. Posteriormente, al ejecutar vhost_scsi_clear_endpoint, se pasa el nombre de target1 o target2, y solo se coincidir\u00e1n los TPG de ese objetivo al recorrer vs->vs_tpg. Luego, regresaremos de la funci\u00f3n sin ejecutar `target_undepend_item` en los tpgs. Debido a todos estos errores, parece que nunca se permiti\u00f3 llamar a `vhost_scsi_set_endpoint` varias veces. El usuario principal, QEMU, ya cuenta con comprobaciones para evitar este caso de uso. Por lo tanto, para solucionar los problemas, este parche impide que se llame a `vhost_scsi_set_endpoint` si ya se han agregado correctamente los tpgs. Para agregar, eliminar o cambiar la configuraci\u00f3n de `tpg` o el nombre del destino, primero debe ejecutar `vhost_scsi_clear_endpoint`."}], "lastModified": "2025-10-31T20:58:31.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "431DA5D1-B644-4905-89C7-AE97D31B6CA6", "versionEndExcluding": "6.6.87", "versionStartIncluding": "3.9.1"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26CAB76D-F00F-43CE-BEAD-7097F8FB1D6C", "versionEndExcluding": "6.12.23", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7E864B0-8C00-4679-BA55-659B4C9C3AD3", "versionEndExcluding": "6.13.11", "versionStartIncluding": "6.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FADAE5D8-4808-442C-B218-77B2CE8780A0", "versionEndExcluding": "6.14.2", "versionStartIncluding": "6.14"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.9:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "526A1838-B777-4270-82B2-E8BC398CB046"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "139700F0-BA32-40CF-B9DF-C9C450384FDE"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:3.9:rc8:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FC798CC-23F1-42C3-BA27-187C90B4E43C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}