On Wed, Mar 20, 2019 at 04:59:02PM +0800, Jian Liu/Gmail wrote:
> Hi all,
>
> We might have found a security issue in the function
> 'write_parport_reg_nonblock' (for the source code, please refer to
> https://github.com/torvalds/linux/blob/master/drivers/usb/serial/mos7720.c),
> which is logically an unbalanced reference count vulnerability.
>
> Let us check the ref_count 'mos_parport->ref_count' of the kernel object
> 'mos_parport' in the function. In 'Line 369:
> kref_get(&mos_parport->ref_count)' and 'Line 370:
> urbtrack->mos_parport = mos_parport', the ref_count is increased
> because a new variable 'urbtrack->mos_parport' now points to
> 'mos_parport', which makes sense to balance the ref_count. However, at 'Line
> 373 and Line 379: kfree(urbtrack)', the variable 'urbtrack' is freed
> before a return, which means 'urbtrack->mos_parport' is freed, too.
> But a decrement of 'mos_parport->ref_count' is missing in the
> current kernel version, which leads to an unbalanced reference
> count.
>
> We have written a patch, shown in Lin's email. The idea is simple. We
> added a call to 'kref_put(&mos_parport->ref_count,
> destroy_mos_parport)' below Line 373 and Line 379. Currently, we are
> not sure if this is really a vulnerability. If you are familiar with
> the code, please help verify it.

Yes, this is a bugfix, but not really a "vulnerability" as it is almost
impossible to keep hitting a memory allocation failure enough times to
cause any problems here. The most that can happen is that the reference
really is not dropped, and memory leaks. Not a big deal; if memory is
failing to be allocated, your system has bigger issues at the moment :)

So it's just a nice bugfix, for a failure mode that is pretty much
impossible to ever hit in the "wild".

thanks,

greg k-h
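The kref imbalance discussed above, as an added user-space mock that is not the kernel's code and not the patch from the thread: a tiny stand-in for struct kref / kref_get / kref_put and for the allocation sequence in write_parport_reg_nonblock(), with injectable allocation failures. The struct names, the 'fixed' switch and the FAIL_* steps are assumptions made for the illustration; the mock follows the ordering the report describes (kref_get, then two kfree(urbtrack) error returns), and shows that the buggy error paths leave the parport with an extra reference so the owner's final kref_put never releases it (a leak, as Greg says, not a use-after-free).

```c
/* Added example, not code from the kernel or from the thread: a user-space
 * mock of the kref bookkeeping in write_parport_reg_nonblock(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the kernel's struct kref and its helpers. */
struct kref { int refcount; };

static void kref_init(struct kref *k) { k->refcount = 1; }
static void kref_get(struct kref *k)  { k->refcount++; }

/* Kernel semantics: returns 1 if the last reference was dropped and
 * release() ran, 0 otherwise. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
    if (--k->refcount == 0) {
        release(k);
        return 1;
    }
    return 0;
}

/* Stand-in (assumed shape) for the refcounted parport object. */
struct mos_parport {
    struct kref ref_count;   /* first member, so the kref cast below works */
    int destroyed;           /* set by destroy_mos_parport() */
};

static void destroy_mos_parport(struct kref *k)
{
    struct mos_parport *mp = (struct mos_parport *)k;
    mp->destroyed = 1;
}

/* Stand-in (assumed shape) for struct urbtracker. */
struct urbtracker {
    struct mos_parport *mos_parport;   /* holds one counted reference */
    void *urb;
    void *setup;
};

/* Injected failure points; each stands for one failed allocation. */
enum fail_step { FAIL_NONE = 0, FAIL_URBTRACK, FAIL_URB, FAIL_SETUP };

/* Mock of the allocation sequence. 'fixed' selects whether the two error
 * returns drop the reference taken by kref_get() (the thread's proposal). */
static int write_parport_reg_mock(struct mos_parport *mp, enum fail_step fail,
                                  int fixed)
{
    struct urbtracker *urbtrack;

    urbtrack = (fail == FAIL_URBTRACK) ? NULL : calloc(1, sizeof(*urbtrack));
    if (!urbtrack)
        return -ENOMEM;                  /* no reference taken yet: balanced */

    kref_get(&mp->ref_count);            /* urbtrack now owns a reference */
    urbtrack->mos_parport = mp;

    urbtrack->urb = (fail == FAIL_URB) ? NULL : malloc(1);
    if (!urbtrack->urb) {
        if (fixed)
            kref_put(&mp->ref_count, destroy_mos_parport);
        free(urbtrack);                  /* buggy path: reference leaks */
        return -ENOMEM;
    }

    urbtrack->setup = (fail == FAIL_SETUP) ? NULL : malloc(1);
    if (!urbtrack->setup) {
        free(urbtrack->urb);
        if (fixed)
            kref_put(&mp->ref_count, destroy_mos_parport);
        free(urbtrack);                  /* buggy path: reference leaks */
        return -ENOMEM;
    }

    /* Success path: in the driver the URB completion handler would later
     * drop the reference and free urbtrack; done inline here. */
    free(urbtrack->setup);
    free(urbtrack->urb);
    kref_put(&mp->ref_count, destroy_mos_parport);
    free(urbtrack);
    return 0;
}

/* References left over after one failing call (0 means balanced). */
static int leaked_refs_after(enum fail_step fail, int fixed)
{
    struct mos_parport mp;
    memset(&mp, 0, sizeof(mp));
    kref_init(&mp.ref_count);            /* the owner's own reference */
    write_parport_reg_mock(&mp, fail, fixed);
    return mp.ref_count.refcount - 1;
}

/* Does the owner's final kref_put() actually release the object? */
static int released_by_owner(enum fail_step fail, int fixed)
{
    struct mos_parport mp;
    memset(&mp, 0, sizeof(mp));
    kref_init(&mp.ref_count);
    write_parport_reg_mock(&mp, fail, fixed);
    kref_put(&mp.ref_count, destroy_mos_parport);
    return mp.destroyed;                 /* 0 = leaked, 1 = freed */
}

int main(void)
{
    printf("FAIL_URB   buggy: %d leaked ref(s); fixed: %d\n",
           leaked_refs_after(FAIL_URB, 0), leaked_refs_after(FAIL_URB, 1));
    printf("FAIL_SETUP buggy: %d leaked ref(s); fixed: %d\n",
           leaked_refs_after(FAIL_SETUP, 0), leaked_refs_after(FAIL_SETUP, 1));
    printf("owner release after buggy failure: destroyed=%d\n",
           released_by_owner(FAIL_URB, 0));
    return 0;
}
```

The imbalance is exactly one reference per failed call, and the mock never frees the parport early, which is why the worst case is a leak rather than a dangling urbtrack->mos_parport; the FAIL_URBTRACK case stays balanced because kref_get() has not run yet when that return happens.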