ACK: [SRU][N][PATCH 0/1] CVE-2025-37838

Alessio Faina alessio.faina at canonical.com
Mon Oct 6 07:30:51 UTC 2025


On Thu, Oct 02, 2025 at 04:28:55PM -0700, Tim Whisonant wrote:
> SRU Justification:
> 
> [Impact]
> 
> HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition
> 
> In the ssi_protocol_probe() function, &ssi->work is bound with
> ssip_xmit_work(). In ssip_pn_setup(), the ssip_pn_xmit() function
> within the ssip_pn_ops structure is capable of starting the
> work.
> 
> If we remove the module which will call ssi_protocol_remove()
> to make a cleanup, it will free ssi through kfree(ssi),
> while the work mentioned above will be used. The sequence
> of operations that may lead to a UAF bug is as follows:
> 
> CPU0                                    CPU1
> 
>                         | ssip_xmit_work
> ssi_protocol_remove     |
> kfree(ssi);             |
>                         | struct hsi_client *cl = ssi->cl;
>                         | // use ssi
> 
> Fix it by ensuring that the work is canceled before proceeding
> with the cleanup in ssi_protocol_remove().
> 
> [Fix]
> 
> Plucky:   not affected
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    submitted separately
> Bionic:   patch sent to ESM ML
> Xenial:   patch sent to ESM ML
> Trusty:   out of scope (medium CVE)
> 
> [Test Plan]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The change affects the High Speed Synchronous Serial Interface
> client driver in the ssip_reset() function. Issues would affect
> the reliability of these devices.
> 
> Kaixin Wang (1):
>   HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol
>     Driver Due to Race Condition
> 
>  drivers/hsi/clients/ssi_protocol.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> -- 
> 2.43.0
> 

Acked-by: Alessio Faina <alessio.faina at canonical.com>
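The teardown ordering described in the quoted cover letter, modelled in userspace C as an added example; it is not code from the patch or from the ssi_protocol driver. A pthread stands in for the kernel work item, the `freed` flag stands in for kfree(), and every name here (`struct proto`, `xmit_work`, `run_teardown`) is hypothetical.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

#define STEPS 8

/* Hypothetical stand-in for the driver's private data, not the real struct. */
struct proto {
    pthread_t worker;   /* plays the role of the workqueue thread (CPU1) */
    atomic_int gate;    /* 0 = work queued, 1 = work running */
    atomic_int freed;   /* 1 = remove() has logically freed the object */
    int stale_uses;     /* dereferences made after the logical free */
};

/* Models the queued work: every step dereferences the object. */
static void *xmit_work(void *arg)
{
    struct proto *p = arg;
    while (!atomic_load(&p->gate))
        sched_yield();
    for (int i = 0; i < STEPS; i++)
        if (atomic_load(&p->freed))
            p->stale_uses++;    /* in the kernel this is the use after free */
    return NULL;
}

/* Models remove(): cancel_first=1 waits for the work before freeing, 0 frees
 * first. Memory is really released only after the join, so no real UAF here. */
static int run_teardown(int cancel_first)
{
    struct proto *p = calloc(1, sizeof(*p));
    int stale;
    if (!p || pthread_create(&p->worker, NULL, xmit_work, p))
        abort();
    if (!cancel_first)
        atomic_store(&p->freed, 1);   /* racy order: free, work still pending */
    atomic_store(&p->gate, 1);        /* the work starts running */
    pthread_join(p->worker, NULL);    /* wait for the work to finish */
    atomic_store(&p->freed, 1);       /* fixed order: free only now */
    stale = p->stale_uses;
    free(p);
    return stale;
}

int main(void)
{
    /* Exit status 0 when both orderings behave as modelled. */
    return run_teardown(1) != 0 || run_teardown(0) != STEPS;
}
```

In a kernel driver the join corresponds to a synchronous cancel of the work item, such as cancel_work_sync(), issued before the kfree().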


