CVE-2025-37838 - Linux Kernel HSI ssi_protocol Driver Hit by Use-After-Free Race Condition

Date published: June 2024
Author: [Your Name]


A major bug was recently fixed in the Linux kernel's HSI (High-Speed Synchronous Serial Interface) ssi_protocol driver—a use-after-free (UAF) vulnerability caused by a race condition. This vulnerability, tracked as CVE-2025-37838, could potentially allow attackers or careless users to trigger kernel crashes or even escalate privileges, especially if the driver is used in a multi-threaded environment or with rapid load/unload cycles.

In this post, we'll explain what happened, how the bug worked, and what code changes were used to fix it.

What is HSI and the ssi_protocol Driver?

HSI stands for High-Speed Synchronous Serial Interface, a hardware interface used for communication between devices. In Linux, the ssi_protocol driver is one of several protocol drivers that interact with HSI hardware.

The Vulnerability in Plain English

A use-after-free (UAF) vulnerability happens when software continues to use a piece of memory after it’s been freed (released). This is dangerous because, after memory is freed, it might be given to another part of the system or overwritten, leading to unpredictable behavior or security problems.

In the ssi_protocol driver, the problem occurred like this

- ssi_protocol_probe() sets up a *work item* (kind of like a delayed job in the kernel) using ssip_xmit_work().

The function ssip_pn_setup() can *trigger* that work.

- If the ssi_protocol module is suddenly removed (via rmmod or similar), the ssi_protocol_remove() function runs.
- Inside ssi_protocol_remove(), the driver releases memory (kfree(ssi)) before making sure all pending work is finished.
- This means that on another CPU, the work handler might be running at the *same time*, still using the now-freed ssi structure—leading to a use-after-free.

Explaining the Race

CPU                               CPU 1
ssi_protocol_remove()              
    |                               |
kfree(ssi);                        |   ssip_xmit_work (starts)
                                   |   struct hsi_client *cl = ssi->cl;
                                   |   // ssi is now dangling!
                                   |   (crash or exploit)

The Fix: Canceling Work Before Free

The right way to fix a UAF caused by pending work is simple: cancel the work before you free the memory associated with it!

Patch Example

Here’s a simplified, annotated code snippet that shows how the kernel maintainers fixed the bug:

Old (Vulnerable) code

static int ssi_protocol_remove(struct hsi_client *cl)
{
    struct ssi_protocol *ssi = hsi_client_drvdata(cl);
    // ... do some cleanup ...
    kfree(ssi); // ❌ Potential UAF - work might still be running!
    return ;
}

Patched (Safe) code

#include <linux/workqueue.h>

// Assume struct ssi_protocol has a 'work' field

static int ssi_protocol_remove(struct hsi_client *cl)
{
    struct ssi_protocol *ssi = hsi_client_drvdata(cl);

    /* Cancel any pending or running work first */
    cancel_work_sync(&ssi->work);

    // ... do other cleanup steps ...

    kfree(ssi); // ✅ Now safe, no work can use 'ssi' anymore.
    return ;
}

The key kernel API is cancel_work_sync(), which ensures the work is either not queued or completed before freeing ssi.

Full Patch Link

- Upstream commit diff (patch)

Exploitation: How Could an Attacker Abuse This?

A capable attacker (or even fast scripts) could hammer the HSI interface, repeatedly triggering work while simultaneously unloading the driver module (or causing device disconnects if hot-pluggable). If their timing is right, the work would dereference the freed ssi structure, giving access to freed memory.

Data leaks

- Elevation of privileges (if carefully crafted to execute malicious code in memory previously held by ssi)

Here's a *rough* proof-of-concept in pseudocode for how someone might attempt to trigger the bug

# Bash: Rapidly load/unload the driver while spamming the HSI interface
while true; do
    modprobe ssi_protocol &
    # Do something to trigger ssip_pn_xmit()
    rmmod ssi_protocol
done

This is, of course, unsafe for your system and is provided for educational awareness only.

References

- Official CVE entry (when available): CVE-2025-37838
- Linux kernel workqueue documentation
- Linux kernel patch (commit)
- Original discussion on LKML

Conclusion

CVE-2025-37838 highlights how multi-threading and asynchronous operations make resource management challenging, even for seasoned kernel developers. Always be sure to synchronize and cancel outstanding operations before freeing shared structures in kernel programming.

Patched kernels are now safe, but if you're using custom drivers that use workqueues, review your cleanup logic!


#### Do you maintain a kernel module? Double-check your remove/cleanup paths!

*Curated and explained exclusively by [Your Name] for [Your Blog/Newsletter].*

Timeline

Published on: 04/18/2025 15:15:59 UTC
Last modified on: 05/02/2025 07:16:04 UTC