Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

vhost-scsi: protect vq->log_used with vq->mutex

The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false.

    vhost-thread                        QEMU-thread

    vhost_scsi_complete_cmd_work()
    -> vhost_add_used()
       -> vhost_add_used_n()
          if (unlikely(vq->log_used))
                                        QEMU disables vq->log_used
                                        via VHOST_SET_VRING_ADDR.
                                        mutex_lock(&vq->mutex);
                                        vq->log_used = false now!
                                        mutex_unlock(&vq->mutex);

                                        QEMU gfree(vq->log_base)
            log_used()
            -> log_write(vq->log_base)

Assuming the VMM is QEMU: vq->log_base points into QEMU userspace and can be reclaimed via gfree(). As a result, the write in log_write() lands in memory that QEMU has already freed, causing invalid memory writes to QEMU userspace.

The control queue path has the same issue.
Triage (User=lchen-cn): CVE-2025-38074 (https://nvd.nist.gov/vuln/detail/CVE-2025-38074)