Linux Kernel Refcount Leak Vulnerability in USB Gadget HID Function

A refcount leak vulnerability has been identified in the Linux kernel's USB gadget HID function. This issue arises when the allocation of a report descriptor fails; the reference count for the options structure has already been incremented. If not properly decremented, this leads to the options structure being permanently locked. The vulnerability is present in the Linux kernel stable tree.

Impact

Exploitation of this vulnerability causes a refcount leak, which can lead to a denial of service by causing the options structure to remain permanently locked.

Reproduction

The vulnerability can be reproduced by triggering a failure in the allocation of the report descriptor within the USB gadget HID function. This can be done by manipulating the conditions under which the allocation occurs, such as by causing a memory allocation failure. Once the failure occurs, the reference count for the options structure will not be properly decremented, leaving it locked.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for downloading the patched version can be found on the official Linux kernel website.