blob: 6979aa23e4c9e0843f1a8ec5ccf10c7ca63de067
The vulnerability occurs in the Linux kernel's HSO (High-Speed Office) USB driver, specifically in the `get_free_serial_index()` function. This function returns an available minor number for a tty device but does not claim it; the caller stores its own entry into the table later. Until that store happens, every further call to `get_free_serial_index()` returns the same minor number, so two tty devices can race for it.
When two ttys end up with the same minor number, the same device is unregistered twice during teardown. The first unregistration succeeds; the second dereferences a null pointer (null-ptr-deref) because the device has already been unregistered.
To fix this issue, the `get_free_serial_index()` function was modified to assign the minor number immediately after finding an available one and renamed to `obtain_minor()`. The corresponding release function, `set_serial_by_index()`, was renamed to `release_minor()` and modified to free up the minor number of the given hso_serial. This ensures that every `obtain_minor()` call has a corresponding `release_minor()` call.
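A user-space model of the allocation pattern described above, added here as an illustration and not the kernel's own hso.c code: the "before" function reports a free index without claiming it, so two back-to-back lookups return the same minor, while the "after" pair claims and releases the slot under the lock, as `obtain_minor()`/`release_minor()` do. The table size, the minimal `struct hso_serial`, and the pthread mutex standing in for the kernel spinlock are assumptions.

```c
#include <pthread.h>
#include <stddef.h>
#define HSO_SERIAL_TTY_MINORS 8          /* assumed table size, not the driver's */
struct hso_serial { int minor; };        /* assumed minimal stand-in for the driver's struct */
static struct hso_serial *serial_table[HSO_SERIAL_TTY_MINORS];
static pthread_mutex_t serial_table_lock = PTHREAD_MUTEX_INITIALIZER;

/* Before the fix: reports a free index but leaves the slot empty, so a second
 * caller arriving before the first has stored itself gets the same index. */
int get_free_serial_index(void)
{
    int index = -1;
    pthread_mutex_lock(&serial_table_lock);
    for (int i = 0; i < HSO_SERIAL_TTY_MINORS; i++)
        if (serial_table[i] == NULL) { index = i; break; }
    pthread_mutex_unlock(&serial_table_lock);
    return index;
}

/* After the fix: finds a free index and claims it under the same lock. */
int obtain_minor(struct hso_serial *serial)
{
    int index = -1;
    pthread_mutex_lock(&serial_table_lock);
    for (int i = 0; i < HSO_SERIAL_TTY_MINORS; i++)
        if (serial_table[i] == NULL) {
            serial_table[i] = serial;
            serial->minor = index = i;
            break;
        }
    pthread_mutex_unlock(&serial_table_lock);
    return index;
}

/* Frees the minor held by this hso_serial; one call per successful obtain_minor(). */
void release_minor(struct hso_serial *serial)
{
    pthread_mutex_lock(&serial_table_lock);
    if (serial->minor >= 0 && serial_table[serial->minor] == serial)
        serial_table[serial->minor] = NULL;
    serial->minor = -1;
    pthread_mutex_unlock(&serial_table_lock);
}

/* Two lookups with no store in between both report minor 0 (the duplicate),
 * while two obtain_minor() calls hand out distinct minors; returns 1 if so. */
int demo(void)
{
    struct hso_serial a = { -1 }, b = { -1 };
    int old_a = get_free_serial_index(), old_b = get_free_serial_index();
    int new_a = obtain_minor(&a), new_b = obtain_minor(&b);
    release_minor(&a);
    release_minor(&b);
    return old_a == old_b && new_a != new_b && serial_table[0] == NULL;
}
```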
The vulnerability was introduced in Linux kernel version 2.6.27 with commit 72dc1c096c70 and fixed in various versions, including 4.4.268, 4.9.268, 4.14.232, 4.19.187, 5.4.112, 5.10.30, 5.11.14, and 5.12. The affected file is `drivers/net/usb/hso.c`.