scsi aic94xx Tasklet UAF
CVE-2025-71075
Severity: HIGH (KernelScan AI score 7.8)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path. The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module unload), a race condition can occur. The fix adds tasklet_kill() before freeing the asd_ha structure, ensuring all scheduled tasklets complete before cleanup proceeds.
KernelScan AI Analysis
Risk summary
An attacker with physical access or administrative privileges could trigger device removal to cause kernel memory corruption, potentially leading to system crashes or privilege escalation. The vulnerability affects systems using aic94xx SCSI controllers and requires either physical device manipulation or root access to exploit.
Vulnerability analysis
Summary: Use-after-free vulnerability in SCSI aic94xx driver during device removal
Root Cause: Missing synchronization with pending tasklets before freeing the asd_ha structure in the device removal path
Attack Surface: Local attack surface requiring physical access to trigger device removal or sufficient privileges to unload kernel modules. The vulnerability is triggered through hardware hot-plug events or administrative module operations.
Fix Mechanism: The patch adds a tasklet_kill(&asd_ha->seq.dl_tasklet) call before freeing resources, which synchronously waits for any running tasklet to complete and prevents new tasklets from being scheduled.
Details: The vulnerability occurs in the asd_pci_remove() function when a SCSI device is removed (via hot-unplug or module unload). The function frees the asd_ha structure without first ensuring that all pending tasklets have completed execution. This creates a race condition where tasklets scheduled on other CPU cores may continue to access the freed asd_ha structure, leading to use-after-free corruption.
Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 5.10 | 5.10.248 | c8f6f88cd1df |
| 5.15 | 5.15.198 | 278455a82245 |
| 6.1 | 6.1.160 | b3e655e52b98 |
| 6.12 | 6.12.64 | a41dc180b6e1 |
| 6.18 | 6.18.3 | 751c19635c2b |
| 6.6 | 6.6.120 | e354793a7ab9 |
| mainline | 6.19 | f6ab594672d4 |