CVE-2025-22083
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-22083
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22083.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-22083
- Downstream
- Related
- Published
- 2025-04-16T14:12:32Z
- Modified
- 2025-10-22T11:26:50.232039Z
- Summary
- vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
vhost-scsi: Fix handling of multiple calls to vhostscsiset_endpoint
If vhostscsisetendpoint is called multiple times without a vhostscsiclearendpoint between them, we can hit multiple bugs found by Haoran Zhang:
- Use-after-free when no tpgs are found:
This fixes a use after free that occurs when vhostscsisetendpoint is called more than once and calls after the first call do not find any tpgs to add to the vstpg. When vhostscsisetendpoint first finds tpgs to add to the vstpg array match=true, so we will do:
vhostvqsetbackend(vq, vstpg); ...
kfree(vs->vstpg); vs->vstpg = vs_tpg;
If vhostscsisetendpoint is called again and no tpgs are found match=false so we skip the vhostvqsetbackend call leaving the pointer to the vs_tpg we then free via:
kfree(vs->vstpg); vs->vstpg = vs_tpg;
If a scsi request is then sent we do:
vhostscsihandlevq -> vhostscsigetreq -> vhostvqget_backend
which sees the vs_tpg we just did a kfree on.
- Tpg dir removal hang:
This patch fixes an issue where we cannot remove a LIO/target layer tpg (and structs above it like the target) dir due to the refcount dropping to -1.
The problem is that if vhostscsisetendpoint detects a tpg is already in the vs->vstpg array or if the tpg has been removed so targetdependitem fails, the undepend goto handler will do targetundependitem on all tpgs in the vstpg array dropping their refcount to 0. At this time vstpg contains both the tpgs we have added in the current vhostscsisetendpoint call as well as tpgs we added in previous calls which are also in vs->vstpg.
Later, when vhostscsiclearendpoint runs it will do targetundependitem on all the tpgs in the vs->vstpg which will drop their refcount to -1. Userspace will then not be able to remove the tpg and will hang when it tries to do rmdir on the tpg dir.
- Tpg leak:
This fixes a bug where we can leak tpgs and cause them to be un-removable because the target name is overwritten when vhostscsiset_endpoint is called multiple times but with different target names.
The bug occurs if a user has called VHOSTSCSISETENDPOINT and setup a vhost-scsi device to target/tpg mapping, then calls VHOSTSCSISETENDPOINT again with a new target name that has tpgs we haven't seen before (target1 has tpg1 but target2 has tpg2). When this happens we don't teardown the old target tpg mapping and just overwrite the target name and the vs->vstpg array. Later when we do vhostscsiclearendpoint, we are passed in either target1 or target2's name and we will only match that target's tpgs when we loop over the vs->vstpg. We will then return from the function without doing targetundepend_item on the tpgs.
Because of all these bugs, it looks like being able to call vhostscsisetendpoint multiple times was never supported. The major user, QEMU, already has checks to prevent this use case. So to fix the issues, this patch prevents vhostscsisetendpoint from being called if it's already successfully added tpgs. To add, remove or change the tpg config or target name, you must do a vhostscsiclear_endpoint first.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/2b34bdc42df047794542f3e220fe989124e4499a
- https://git.kernel.org/stable/c/3a19eb3d9818e28f14c818a18dc913344a52ca92
- https://git.kernel.org/stable/c/3fd054baf382a426bbf5135ede0fc5673db74d3e
- https://git.kernel.org/stable/c/5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6
- https://git.kernel.org/stable/c/63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3Fixed2b34bdc42df047794542f3e220fe989124e4499a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3Fixed3a19eb3d9818e28f14c818a18dc913344a52ca92
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3Fixed3fd054baf382a426bbf5135ede0fc5673db74d3e
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3Fixed63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3Fixed5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6