In the Linux kernel, a use-after-free (UAF) vulnerability has been identified and resolved in the ssi_protocol driver. The bug stems from a race between module removal and queued transmit work, which could give an attacker a path to exploitation. This post provides an in-depth analysis of the vulnerability, the code fix, and references to the original findings.

Vulnerability Details

The vulnerability arises from a race condition between ssi_protocol_probe() and ssi_protocol_remove(). In ssi_protocol_probe(), &ssi->work is bound to ssip_xmit_work(). Separately, ssip_pn_setup() installs the ssip_pn_ops structure, whose ssip_pn_xmit() callback can schedule that work.

However, if the module is then removed, ssi_protocol_remove() runs for cleanup and frees the ssi structure with kfree(ssi) even if the work has already been scheduled or is still running. The work then dereferences freed memory, which is the UAF and what potentially exposes the system to exploitation.

The vulnerable workflow is outlined below:

CPU0                   | CPU1
                       | ssip_xmit_work()
ssi_protocol_remove()  |
  kfree(ssi);          |
                       | struct hsi_client *cl = ssi->cl;
                       | // use ssi

The use-after-free occurs when ssip_xmit_work() on CPU1 dereferences ssi after ssi_protocol_remove() on the other CPU has already freed it.

Solution

To fix the vulnerability, the work must be canceled before the cleanup in ssi_protocol_remove() proceeds. Waiting for any in-flight work to finish before kfree(ssi) guarantees that the ssi structure is never accessed after it is freed, which removes the exploitable window.
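As an added illustration, not the kernel's code or the actual patch, the following user-space C model reproduces the ordering problem with a pthread standing in for the workqueue: run_remove(false) frees before the work has finished and the work observes the freed object, while run_remove(true) applies the fix and cancels first. It assumes a simplified cancel_work_sync() that only waits for the thread, and run_remove, uaf_seen and the freed flag are this model's own names.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <time.h>

/* "kfree" only sets a flag so the model can observe an access after free
 * instead of crashing; struct ssi_protocol is reduced to that flag. */
struct ssi_protocol { _Atomic bool freed; };
struct work {
    pthread_t thread;
    bool scheduled;
    struct ssi_protocol *ssi;
    int uaf_seen;   /* model-only: dereferences of ssi after "free" */
};

/* Stands in for ssip_xmit_work(): runs a little later and reads ssi. */
static void *ssip_xmit_work(void *arg)
{
    struct work *w = arg;
    struct timespec delay = { .tv_sec = 0, .tv_nsec = 20000000 }; /* 20 ms */
    nanosleep(&delay, NULL);
    if (w->ssi->freed)      /* in the kernel this read is the UAF */
        w->uaf_seen++;
    return NULL;
}
static void schedule_work(struct work *w)
{
    w->scheduled = pthread_create(&w->thread, NULL, ssip_xmit_work, w) == 0;
}
/* Simplified cancel_work_sync(): wait until the queued work has run. */
static void cancel_work_sync(struct work *w)
{
    if (w->scheduled)
        pthread_join(w->thread, NULL);
    w->scheduled = false;
}

/* Models ssi_protocol_remove(); returns accesses after free seen (0 when fixed). */
int run_remove(bool cancel_before_free)
{
    struct ssi_protocol ssi = { false };
    struct work w = { .ssi = &ssi };
    schedule_work(&w);            /* ssip_pn_xmit() queued the work */
    if (cancel_before_free)       /* the fix: cancel before cleanup */
        cancel_work_sync(&w);
    ssi.freed = true;             /* kfree(ssi) */
    cancel_work_sync(&w);         /* model only: collect the thread */
    return w.uaf_seen;
}
```

In the real driver the second cancel_work_sync() call in the vulnerable ordering does not exist; the model only uses it to join the thread after the damage has been recorded.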

Original References

1. Linux kernel git commit resolving the issue

2. Linux kernel mailing list post discussing the fix

3. CVE database entry for CVE-2025-37838

Conclusion

The Linux kernel has fixed a use-after-free vulnerability in the ssi_protocol driver caused by a race condition. By canceling the work before proceeding with the cleanup in ssi_protocol_remove(), the race is closed and the freed structure can no longer be reached by the work. Users and developers should ensure that they are running a kernel that includes this fix to protect themselves from this and other vulnerabilities.

Timeline

Published on: 04/18/2025 15:15:59 UTC
Last modified on: 05/02/2025 07:16:04 UTC