Linux Kernel vhost-scsi Multiple Bugs Leading to Use-After-Free and Resource Leaks

A vulnerability in the Linux kernel's vhost-scsi component has been addressed, which involved improper handling of multiple calls to the 'vhost_scsi_set_endpoint' function. This issue could lead to several problems, including a use-after-free vulnerability when no target port groups (TPGs) are found, a hang when removing TPG directories, and a leak of TPGs that become unmanageable. The root cause was that 'vhost_scsi_set_endpoint' could be called multiple times without clearing the endpoint first, a scenario not supported but possible through user error. QEMU, a major user of this functionality, already has checks in place to prevent such misuse.

Impact

The vulnerability could be exploited to create a use-after-free condition, leading to potential memory corruption. Additionally, the TPG leak could cause resource management issues, leaving TPGs in an unremovable state.

Remediation

Users should ensure that 'vhost_scsi_clear_endpoint' is called before 'vhost_scsi_set_endpoint' to avoid these issues. QEMU users can rely on the existing checks to prevent this vulnerability.