Linux Kernel Refcount Leak Vulnerability in Microchip PCIe Controller Driver

Vulnerability

A refcount leak vulnerability has been identified in the Linux kernel's PCI Microchip controller driver, specifically within the 'mc_pcie_init_irq_domains' function. This issue arises because the function fails to properly decrement the reference count of a node pointer obtained from 'of_get_next_child', which can lead to memory management issues. The vulnerability is present in the stable versions of the Linux kernel that include the Microchip PolarFire PCIe controller driver.

Impact

The refcount leak can cause memory management issues that could be exploited for denial of service.

Reproduction

The vulnerability can be reproduced by loading the Microchip PolarFire PCIe controller driver in the Linux kernel. The 'mc_pcie_init_irq_domains' function will be called, during which the 'of_get_next_child' function returns a node pointer with an incremented reference count. The vulnerability occurs because the 'of_node_put' function, which is supposed to decrement the reference count when the node is no longer needed, is not called in some error handling paths. This missing call creates a refcount leak, as the reference count of the node remains artificially high, potentially leading to memory management issues.
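
The leak pattern described above, reduced to a user-space C model. This is an added example, not the driver's code or the upstream patch. The struct node type and the get_next_child, node_put, setup_step, init_leaky, init_fixed and leaked_refs names are assumptions that stand in for the kernel's device_node, of_get_next_child and of_node_put.

```c
#include <errno.h>

/* User-space stand-in for struct device_node; only the refcount is modelled. */
struct node { int refcount; struct node *child; };

/* Models of_get_next_child(): the returned child carries an extra reference. */
static struct node *get_next_child(struct node *parent)
{
    if (parent->child)
        parent->child->refcount++;
    return parent->child;
}

/* Models of_node_put(): drops one reference; a null pointer is ignored. */
static void node_put(struct node *n) { if (n) n->refcount--; }
/* Hypothetical later setup step that may fail (assumption, not driver code). */
static int setup_step(int fail) { return fail ? -ENOMEM : 0; }

/* Leaky shape: the error return skips node_put(). */
static int init_leaky(struct node *parent, int fail)
{
    struct node *intc = get_next_child(parent);
    if (!intc)
        return -EINVAL;
    if (setup_step(fail))
        return -ENOMEM;   /* reference taken above is never dropped */
    node_put(intc);
    return 0;
}

/* Fixed shape: every exit after the lookup drops the reference. */
static int init_fixed(struct node *parent, int fail)
{
    struct node *intc = get_next_child(parent);
    int ret = intc ? setup_step(fail) : -EINVAL;
    node_put(intc);
    return ret;
}

/* References left on the child after `attempts` failing init calls. */
static int leaked_refs(int (*init)(struct node *, int), int attempts)
{
    struct node child = { 1, 0 }, parent = { 1, &child };
    for (int i = 0; i < attempts; i++)
        init(&parent, 1);
    return child.refcount - 1;
}

int main(void) { return leaked_refs(init_leaky, 3) != 3 || leaked_refs(init_fixed, 3) != 0; }
```

Each failing call through the leaky shape leaves one more reference on the child node, so the count never returns to its baseline; the fixed shape returns the same error code with the count unchanged.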

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patch can be downloaded from the Linux kernel Git repository.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.0
exploitability: 4.3
remediation: 7.7
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.