cve/published/2021/CVE-2021-46951.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46951: tpm: efi: Use local variable for calculating final log size

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tpm: efi: Use local variable for calculating final log size

 When tpm_read_log_efi is called multiple times, which happens when
 one loads and unloads a TPM2 driver multiple times, then the global
 variable efi_tpm_final_log_size will at some point become a negative
 number due to the subtraction of final_events_preboot_size occurring
 each time. Use a local variable to avoid this integer underflow.

 The following issue is now resolved:

 Mar  8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
 Mar  8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
 Mar  8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20
 Mar  8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
 Mar  8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206
 Mar  8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f
 Mar  8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d
 Mar  8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073
 Mar  8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5
 Mar  8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018
 Mar  8 15:35:12 hibinst kernel: FS:  0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000
 Mar  8 15:35:12 hibinst kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 Mar  8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0
 Mar  8 15:35:12 hibinst kernel: Call Trace:
 Mar  8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
 Mar  8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
 Mar  8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
 Mar  8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
 Mar  8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
 Mar  8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
 Mar  8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370

 The Linux kernel CVE team has assigned CVE-2021-46951 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.4.118 with commit 2f12258b5224cfaa808c54fd29345f3c1cbfca76
 	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.10.36 with commit 60a01ecc9f68067e4314a0b55148e39e5d58a51b
 	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.11.20 with commit 3818b753277f5ca0c170bf5b98e0a5a225542fcb
 	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.12.3 with commit ac07c557ca12ec9276c0375517bac7ae5be4e50c
 	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.13 with commit 48cff270b037022e37835d93361646205ca25101

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46951
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/char/tpm/eventlog/efi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2f12258b5224cfaa808c54fd29345f3c1cbfca76
 	https://git.kernel.org/stable/c/60a01ecc9f68067e4314a0b55148e39e5d58a51b
 	https://git.kernel.org/stable/c/3818b753277f5ca0c170bf5b98e0a5a225542fcb
 	https://git.kernel.org/stable/c/ac07c557ca12ec9276c0375517bac7ae5be4e50c
 	https://git.kernel.org/stable/c/48cff270b037022e37835d93361646205ca25101
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46951: tpm: efi: Use local variable for calculating final log size

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tpm: efi: Use local variable for calculating final log size

	When tpm_read_log_efi is called multiple times, which happens when
	one loads and unloads a TPM2 driver multiple times, then the global
	variable efi_tpm_final_log_size will at some point become a negative
	number due to the subtraction of final_events_preboot_size occurring
	each time. Use a local variable to avoid this integer underflow.

	The following issue is now resolved:

	Mar 8 15:35:12 hibinst kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
	Mar 8 15:35:12 hibinst kernel: Workqueue: tpm-vtpm vtpm_proxy_work [tpm_vtpm_proxy]
	Mar 8 15:35:12 hibinst kernel: RIP: 0010:__memcpy+0x12/0x20
	Mar 8 15:35:12 hibinst kernel: Code: 00 b8 01 00 00 00 85 d2 74 0a c7 05 44 7b ef 00 0f 00 00 00 c3 cc cc cc 66 66 90 66 90 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 <f3> 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 f3 a4
	Mar 8 15:35:12 hibinst kernel: RSP: 0018:ffff9ac4c0fcfde0 EFLAGS: 00010206
	Mar 8 15:35:12 hibinst kernel: RAX: ffff88f878cefed5 RBX: ffff88f878ce9000 RCX: 1ffffffffffffe0f
	Mar 8 15:35:12 hibinst kernel: RDX: 0000000000000003 RSI: ffff9ac4c003bff9 RDI: ffff88f878cf0e4d
	Mar 8 15:35:12 hibinst kernel: RBP: ffff9ac4c003b000 R08: 0000000000001000 R09: 000000007e9d6073
	Mar 8 15:35:12 hibinst kernel: R10: ffff9ac4c003b000 R11: ffff88f879ad3500 R12: 0000000000000ed5
	Mar 8 15:35:12 hibinst kernel: R13: ffff88f878ce9760 R14: 0000000000000002 R15: ffff88f77de7f018
	Mar 8 15:35:12 hibinst kernel: FS: 0000000000000000(0000) GS:ffff88f87bd00000(0000) knlGS:0000000000000000
	Mar 8 15:35:12 hibinst kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	Mar 8 15:35:12 hibinst kernel: CR2: ffff9ac4c003c000 CR3: 00000001785a6004 CR4: 0000000000060ee0
	Mar 8 15:35:12 hibinst kernel: Call Trace:
	Mar 8 15:35:12 hibinst kernel: tpm_read_log_efi+0x152/0x1a7
	Mar 8 15:35:12 hibinst kernel: tpm_bios_log_setup+0xc8/0x1c0
	Mar 8 15:35:12 hibinst kernel: tpm_chip_register+0x8f/0x260
	Mar 8 15:35:12 hibinst kernel: vtpm_proxy_work+0x16/0x60 [tpm_vtpm_proxy]
	Mar 8 15:35:12 hibinst kernel: process_one_work+0x1b4/0x370
	Mar 8 15:35:12 hibinst kernel: worker_thread+0x53/0x3e0
	Mar 8 15:35:12 hibinst kernel: ? process_one_work+0x370/0x370

	The Linux kernel CVE team has assigned CVE-2021-46951 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.4.118 with commit 2f12258b5224cfaa808c54fd29345f3c1cbfca76
	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.10.36 with commit 60a01ecc9f68067e4314a0b55148e39e5d58a51b
	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.11.20 with commit 3818b753277f5ca0c170bf5b98e0a5a225542fcb
	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.12.3 with commit ac07c557ca12ec9276c0375517bac7ae5be4e50c
	Issue introduced in 5.3 with commit 166a2809d65b282272c474835ec22c882a39ca1b and fixed in 5.13 with commit 48cff270b037022e37835d93361646205ca25101

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46951
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/char/tpm/eventlog/efi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2f12258b5224cfaa808c54fd29345f3c1cbfca76
	https://git.kernel.org/stable/c/60a01ecc9f68067e4314a0b55148e39e5d58a51b
	https://git.kernel.org/stable/c/3818b753277f5ca0c170bf5b98e0a5a225542fcb
	https://git.kernel.org/stable/c/ac07c557ca12ec9276c0375517bac7ae5be4e50c
	https://git.kernel.org/stable/c/48cff270b037022e37835d93361646205ca25101