Hi all,

We might have found a security issue in the function 'write_parport_reg_nonblock' (for the source code, please refer to https://github.com/torvalds/linux/blob/master/drivers/usb/serial/mos7720.c), which is logically an unbalanced reference count vulnerability.

Let us check the ref_count 'mos_parport->ref_count' of the kernel object 'mos_parport' in the function. In 'Line 369: kref_get(&mos_parport->ref_count)' and 'Line 370: urbtrack->mos_parport = mos_parport', the ref_count has been increased because a new variable 'urbtrack->mos_parport' points to 'mos_parport', which makes sense to balance the ref_count. However, at 'Line 373 and Line 379: kfree(urbtrack)', the variable 'urbtrack' has been freed before a return, which will free 'urbtrack->mos_parport' too. But a decrement of 'mos_parport->ref_count' is missing in the current kernel version, which will bring an unbalanced reference count.

We have written a patch, shown in Lin's email. The idea is simple. We added a call to 'kref_put(&mos_parport->ref_count, destroy_mos_parport)' below Line 373 and Line 379.

Currently, we are not sure if this is really a vulnerability. If you are familiar with the code, please help to verify it.

Thanks.
Jian

2019-03-20 10:29 GMT+08:00, Lin Yi <teroincn@xxxxxxx>:
> write_parport_ref_nonblock increase mos_parport refcount without > decrease it when return -ENOMEM code, so need a decrement before function > return -ENOMEM. > > Signed-off-by: Lin Yi <teroincn@xxxxxxx> > --- > drivers/usb/serial/mos7720.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/drivers/usb/serial/mos7720.c b/drivers/usb/serial/mos7720.c > index fc52ac7..6abb335 100644 > --- a/drivers/usb/serial/mos7720.c > +++ b/drivers/usb/serial/mos7720.c 
> @@ -371,12 +371,14 @@ static int write_parport_reg_nonblock(struct > mos7715_parport *mos_parport, > urbtrack->urb = usb_alloc_urb(0, GFP_ATOMIC); > if (!urbtrack->urb) { > kfree(urbtrack); > + kref_put(&mos_parport->ref_count, destroy_mos_parport); > return -ENOMEM; > } > urbtrack->setup = kmalloc(sizeof(*urbtrack->setup), GFP_ATOMIC); > if (!urbtrack->setup) { > usb_free_urb(urbtrack->urb); > kfree(urbtrack); > + kref_put(&mos_parport->ref_count, destroy_mos_parport); > return -ENOMEM; > } > urbtrack->setup->bRequestType = (__u8)0x40; > -- > 1.9.1 > > > -- --- Jian Liu Institute of Information Engineering, Chinese Academy of Sciences. Beijing China.
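Review bot: the two added kref_put() calls correctly unwind the reference taken just before this hunk (kref_get at line 369 per the description above), but the commit message names the function 'write_parport_ref_nonblock' while the hunk header shows 'write_parport_reg_nonblock'; fix the name so the log entry matches the code. A simpler alternative worth considering is to take the reference and assign urbtrack->mos_parport only after both usb_alloc_urb() and the setup kmalloc() have succeeded, which removes the need to unwind on either -ENOMEM path. As written, calling kref_put() after kfree(urbtrack) is safe only because mos_parport is the function parameter rather than being read back from the freed urbtrack; a short comment there would make that explicit. Finally, the hunk ends at the bRequestType assignment, so please confirm that no error return later in the function needs the same drop.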
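To make the imbalance observable outside the kernel, here is an added userspace model of the allocation prologue described above (my own illustration, not code from mos7720.c or from the patch). It assumes a tiny stand-in for the kref API and a hypothetical fail_step knob that forces each allocation to fail, then reports the refcount left on the parport with and without the patch's kref_put() calls.

```c
#include <errno.h>
#include <stdlib.h>
/* Userspace stand-in for the kernel kref API (an assumption for this demo, not <linux/kref.h>). */
struct kref { int refcount; };
static void kref_init(struct kref *k) { k->refcount = 1; }
static void kref_get(struct kref *k) { k->refcount++; }
static void kref_put(struct kref *k, void (*release)(struct kref *)) { if (--k->refcount == 0) release(k); }
struct mos7715_parport { struct kref ref_count; };
struct urbtrack { struct mos7715_parport *mos_parport; void *urb; void *setup; };
static void destroy_mos_parport(struct kref *k) { (void)k; }	/* runs when the last ref drops */

/* Model of the allocation prologue of write_parport_reg_nonblock().
 * fail_step: 0 = both allocations succeed, 1 = urb alloc fails, 2 = setup alloc fails.
 * fixed: nonzero applies the kref_put() from the patch on the two error paths. */
static int nonblock_prologue(struct mos7715_parport *mos_parport, int fail_step, int fixed,
			     struct urbtrack **out)
{
	struct urbtrack *urbtrack = calloc(1, sizeof(*urbtrack));
	if (!urbtrack)
		return -ENOMEM;
	kref_get(&mos_parport->ref_count);	/* reference now owned by urbtrack */
	urbtrack->mos_parport = mos_parport;
	urbtrack->urb = fail_step == 1 ? NULL : malloc(16);
	if (!urbtrack->urb) {
		free(urbtrack);	/* the owner is gone, so its reference must be dropped too */
		if (fixed) kref_put(&mos_parport->ref_count, destroy_mos_parport);
		return -ENOMEM;
	}
	urbtrack->setup = fail_step == 2 ? NULL : malloc(16);
	if (!urbtrack->setup) {
		free(urbtrack->urb);
		free(urbtrack);
		if (fixed) kref_put(&mos_parport->ref_count, destroy_mos_parport);
		return -ENOMEM;
	}
	*out = urbtrack;
	return 0;
}

/* Run one scenario on a fresh parport (refcount 1), release any urbtrack that was
 * built, and return the refcount left behind: 1 means balanced, 2 means leaked. */
static int refcount_after(int fail_step, int fixed)
{
	struct mos7715_parport pp; struct urbtrack *ut = NULL;
	kref_init(&pp.ref_count);
	if (nonblock_prologue(&pp, fail_step, fixed, &ut) == 0) {
		free(ut->setup); free(ut->urb); free(ut);
		kref_put(&pp.ref_count, destroy_mos_parport);
	}
	return pp.ref_count.refcount;
}
```

On the success path the reference is owned by urbtrack and is returned when urbtrack is torn down, so only the two early-return paths leave the count at 2 without the patch.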