Bug 2360979 (CVE-2025-37838) - CVE-2025-37838 kernel: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
Summary: CVE-2025-37838 kernel: HSI: ssi_protocol: Fix use after free vulnerability in...
Keywords:
Status: NEW
Alias: CVE-2025-37838
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-04-18 15:01 UTC by OSIDB Bzimport
Modified: 2025-04-21 03:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-04-18 15:01:12 UTC
In the Linux kernel, the following vulnerability has been resolved:

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

In the ssi_protocol_probe() function, &ssi->work is bound with
ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function
within the ssip_pn_ops structure is capable of starting the
work.

If we remove the module, which will call ssi_protocol_remove()
to make a cleanup, it will free ssi through kfree(ssi)
while the work mentioned above is still in use. The sequence
of operations that may lead to a UAF bug is as follows:

CPU0                                    CPU1

                        | ssip_xmit_work
ssi_protocol_remove     |
kfree(ssi);             |
                        | struct hsi_client *cl = ssi->cl;
                        | // use ssi

Fix it by ensuring that the work is canceled before proceeding
with the cleanup in ssi_protocol_remove().

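As an added illustration, not code from the kernel or from the fix itself: a small single-threaded C model of the race described above, with the buggy and the corrected ssi_protocol_remove() orderings side by side. The workqueue, kfree() and the struct layout are simplified stand-ins (assumptions of this model), and kfree_tracked() only marks the object dead so that the late access is counted instead of triggering real undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct work { void (*fn)(struct work *); };
/* Model of the driver's private data with the work item embedded in it, as in
 * struct ssi_protocol; 'freed' is bookkeeping for this model only. */
struct ssi_protocol { int cl_id; struct work work; bool freed; };

static struct work *queued;   /* the single pending work item in this model */
static int uaf_detected;      /* accesses made after the owning object was freed */
static void schedule_work(struct work *w) { queued = w; }
/* Single-threaded model: nothing can be mid-run, so cancelling is just dequeueing. */
static void cancel_work_sync(struct work *w) { if (queued == w) queued = NULL; }
/* Sanitizer-style stand-in for kfree(): marks the object dead instead of
 * releasing it, so a late access is counted rather than being undefined. */
static void kfree_tracked(struct ssi_protocol *ssi) { ssi->freed = true; }

/* ssip_xmit_work(): runs on the worker and dereferences ssi. */
static void ssip_xmit_work(struct work *w) {
    struct ssi_protocol *ssi = container_of(w, struct ssi_protocol, work);
    if (ssi->freed) { uaf_detected++; return; }   /* "use ssi" after kfree */
    ssi->cl_id++;
}
/* The worker (CPU1) picking up whatever is still queued. */
static void run_workqueue(void) {
    struct work *w = queued;
    if (w) { queued = NULL; w->fn(w); }
}

/* Vulnerable ordering: free ssi while its work can still run. */
static void ssi_protocol_remove_buggy(struct ssi_protocol *ssi) { kfree_tracked(ssi); }
/* Fixed ordering: cancel the work (and wait for it) before freeing. */
static void ssi_protocol_remove_fixed(struct ssi_protocol *ssi) {
    cancel_work_sync(&ssi->work);
    kfree_tracked(ssi);
}
/* Replays the commit's CPU0/CPU1 interleaving; returns the number of UAF accesses. */
static int replay(void (*remove_fn)(struct ssi_protocol *)) {
    struct ssi_protocol *ssi = calloc(1, sizeof *ssi);
    ssi->work.fn = ssip_xmit_work;  /* INIT_WORK() in ssi_protocol_probe() */
    schedule_work(&ssi->work);      /* ssip_pn_xmit() kicks the work */
    uaf_detected = 0;
    remove_fn(ssi);                 /* CPU0: driver removal */
    run_workqueue();                /* CPU1: the queued ssip_xmit_work runs */
    free(ssi);
    return uaf_detected;
}
```
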
Comment 1 Avinash Hanwate 2025-04-21 03:32:05 UTC
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025041858-CVE-2025-37838-2253@gregkh/T

