| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022633-CVE-2022-49287-2ed9@gregkh>
Date: Wed, 26 Feb 2025 02:58:12 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49287: tpm: fix reference counting for struct tpm_chip
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
tpm: fix reference counting for struct tpm_chip
The following sequence of operations results in a refcount warning:
1. Open device /dev/tpmrm.
2. Remove module tpm_tis_spi.
3. Write a TPM command to the file descriptor opened at step 1.
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
refcount_t: addition on 0; use-after-free.
Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
Hardware name: BCM2711
[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
Exception stack(0xc226bfa8 to 0xc226bff0)
bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000
bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
bfe0: 0000006c beafe648 0001056c b6eb6944
---[ end trace d4b8409def9b8b1f ]---
The reason for this warning is the attempt to get the chip->dev reference
in tpm_common_write() although the reference counter is already zero.
Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
extra reference used to prevent a premature zero counter is never taken,
because the required TPM_CHIP_FLAG_TPM2 flag is never set.
Fix this by moving the TPM 2 character device handling from
tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
in time when the flag has been set in case of TPM2.
Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
already introduced function tpm_devs_release() to release the extra
reference but did not implement the required put on chip->devs that results
in the call of this function.
Fix this by putting chip->devs in tpm_chip_unregister().
Finally move the new implementation for the TPM 2 handling into a new
function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
good case and error cases.
The Linux kernel CVE team has assigned CVE-2022-49287 to this issue.
Affected and fixed versions
===========================
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 4.14.276 with commit 473a66f99cb8173c14138c5a5c69bfad04e8f9ac
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 4.19.238 with commit cb64bd038beacb4331fe464a36c8b5481e8f51e2
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.4.189 with commit a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.10.110 with commit 290e05f346d1829e849662c97e42d5ad984f5258
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.15.33 with commit 662893b4f6bd466ff9e1cd454c44c26d32d554fe
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.16.19 with commit 2f928c0d5c02dbab49e8c19d98725c822f6fc409
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.17.1 with commit 6e7baf84149fb43950631415de231b3a41915aa3
Issue introduced in 4.12 with commit 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 and fixed in 5.18 with commit 7e0438f83dc769465ee663bb5dcf8cc154940712
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49287
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/char/tpm/tpm-chip.c
drivers/char/tpm/tpm.h
drivers/char/tpm/tpm2-space.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac
https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2
https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258
https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe
https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409
https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3
https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712
Powered by blists - more mailing lists