CVE-2025-37838 Information

Apr 19, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function &ssi->work is bound with ssip_xmit_work() In ssip_pn_setup() the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work.

If we remove the module which will call ssi_protocol_remove() to make a cleanup it will free ssi through kfree(ssi) while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows:

CPU0 CPU1

                    | ssip_xmit_work

ssi_protocol_remove | kfree(ssi); | | struct hsi_client cl = ssi->cl; | // use ssi

Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

Reference

https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11

Share on: