Linux Kernel PCI Device Reference Count Leak Vulnerability in IOMMU AMD Driver

A vulnerability has been identified in the Linux kernel's IOMMU AMD driver, where a reference count leak occurs in the PCI device management. This issue arises because the function 'pci_get_domain_bus_and_slot()' increments the reference count of a PCI device, and the caller is responsible for decrementing it before the function returns. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability leads to a reference count leak, which can cause memory management issues, potentially allowing for use-after-free vulnerabilities or other memory corruption problems.

Reproduction

The vulnerability can be reproduced by using the IOMMU AMD driver in a Linux kernel version that is affected by this issue. When a PCI device is accessed through 'pci_get_domain_bus_and_slot()', the reference count is increased. If the reference count is not properly decremented by calling 'pci_dev_put()' before the function exits, a leak occurs. This can be observed by monitoring the reference count of PCI devices before and after the 'ppr_notifier()' function is called.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The commit that addresses this issue is available in the Linux kernel stable tree.