Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race ConditionIn the ssi_protocol_probe() function, &ssi->work is bound withssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() functionwithin the ssip_pn_ops structure is capable of starting thework.If we remove the module which will call ssi_protocol_remove()to make a cleanup, it will free ssi through kfree(ssi),while the work mentioned above will be used. The sequenceof operations that may lead to a UAF bug is as follows:CPU0 CPU1 | ssip_xmit_workssi_protocol_remove |kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssiFix it by ensuring that the work is canceled before proceedingwith the cleanup in ssi_protocol_remove().
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/w4zu/Debian_security