CVE-2025-37838
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the Linux kernel, the following vulnerability has been resolved:
HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.
If we remove the module which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi),
while the work mentioned above will be used. The sequence
of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| ssip_xmit_work
ssi_protocol_remove |
kfree(ssi); |
| struct hsi_client *cl = ssi->cl;
| // use ssi
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
Linux · Linux¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4fhttps://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffahttps://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11https://lists.debian.org/debian-lts-announce/2025/05/msg00030.htmlhttps://lists.debian.org/debian-lts-announce/2025/05/msg00045.html