Linux Kernel NFC Subsystem Resource Leak Vulnerability

Vulnerability

A resource leak vulnerability has been identified in the Linux kernel's NFC (Near Field Communication) subsystem, specifically within the netlink interface. The issue arises because the function nfc_get_device() acquires a reference to a device but fails to release it when no longer needed, potentially leading to resource leaks. This vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can lead to resource leaks, where references to devices are not properly released, potentially causing memory exhaustion or other resource-related issues.

Reproduction

The vulnerability can be reproduced by invoking NFC netlink commands that interact with devices. The nfc_genl_se_io and nfc_genl_vendor_cmd functions in the netlink.c file of the NFC subsystem can be used to replicate the issue. These functions handle SE (Secure Element) API interactions and vendor commands, respectively. The absence of proper device reference management in these operations creates the resource leak.
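
The get-without-put pattern described above, as an added user-space model (example code, not the kernel's NFC code and not the upstream patch). All names are hypothetical, and the model leaks on every exit path because this page does not state which paths leak in the kernel functions.

```c
/* User-space model of a get/put reference pattern. Every name here is
 * hypothetical; this is not the kernel's NFC code. */
#include <errno.h>
#include <stdio.h>

struct model_dev { int idx; int refcount; };

/* Constructed sample device; refcount 1 is the registry's own reference. */
static struct model_dev dev0 = { 0, 1 };

/* Models a lookup helper that returns the device with a reference held. */
static struct model_dev *model_get_device(int idx)
{
    if (idx != dev0.idx)
        return NULL;
    dev0.refcount++;
    return &dev0;
}

static void model_put_device(struct model_dev *dev) { dev->refcount--; }

/* Leaky handler: no exit path drops the reference taken by the lookup. */
static int handler_leaky(int idx, int payload_ok)
{
    struct model_dev *dev = model_get_device(idx);
    if (!dev)
        return -ENODEV;
    if (!payload_ok)
        return -EINVAL;        /* reference leaked */
    return 0;                  /* reference leaked */
}

/* Balanced handler: every exit after a successful lookup passes the put. */
static int handler_balanced(int idx, int payload_ok)
{
    struct model_dev *dev = model_get_device(idx);
    int rc = 0;
    if (!dev)
        return -ENODEV;
    if (!payload_ok)
        rc = -EINVAL;
    model_put_device(dev);
    return rc;
}

int main(void)
{
    for (int i = 0; i < 3; i++) handler_leaky(0, i % 2);
    printf("after leaky: %d\n", dev0.refcount);      /* grows per call */
    dev0.refcount = 1;
    for (int i = 0; i < 3; i++) handler_balanced(0, i % 2);
    printf("after balanced: %d\n", dev0.refcount);   /* back to baseline */
    return 0;
}
```

In the leaky handler the count rises by one for every request that finds the device, so the device can never reach a count of zero and be freed.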

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability. The patches are included in the official Linux kernel Git repository.

Added: Dec 30, 2025, 5:37 PM
Updated: Dec 30, 2025, 5:37 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 1.8
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.