cve/published/2023/CVE-2023-52503.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52503: tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

 There is a potential race condition in amdtee_close_session that may
 cause use-after-free in amdtee_open_session. For instance, if a session
 has refcount == 1, and one thread tries to free this session via:

     kref_put(&sess->refcount, destroy_session);

 the reference count will get decremented, and the next step would be to
 call destroy_session(). However, if in another thread,
 amdtee_open_session() is called before destroy_session() has completed
 execution, alloc_session() may return 'sess' that will be freed up
 later in destroy_session() leading to use-after-free in
 amdtee_open_session.

 To fix this issue, treat decrement of sess->refcount and removal of
 'sess' from session list in destroy_session() as a critical section, so
 that it is executed atomically.

 The Linux kernel CVE team has assigned CVE-2023-52503 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.10.199 with commit da7ce52a2f6c468946195b116615297d3d113a27
 	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.15.136 with commit 1680c82929bc14d706065f123dab77f2f1293116
 	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.1.59 with commit 60c3e7a00db954947c265b55099c21b216f2a05c
 	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.5.8 with commit 1c95574350cd63bc3c5c2fa06658010768f2a0ce
 	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.6 with commit f4384b3e54ea813868bb81a861bf5b2406e15d8f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52503
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tee/amdtee/core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27
 	https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116
 	https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c
 	https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce
 	https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52503: tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tee: amdtee: fix use-after-free vulnerability in amdtee_close_session

	There is a potential race condition in amdtee_close_session that may
	cause use-after-free in amdtee_open_session. For instance, if a session
	has refcount == 1, and one thread tries to free this session via:

	kref_put(&sess->refcount, destroy_session);

	the reference count will get decremented, and the next step would be to
	call destroy_session(). However, if in another thread,
	amdtee_open_session() is called before destroy_session() has completed
	execution, alloc_session() may return 'sess' that will be freed up
	later in destroy_session() leading to use-after-free in
	amdtee_open_session.

	To fix this issue, treat decrement of sess->refcount and removal of
	'sess' from session list in destroy_session() as a critical section, so
	that it is executed atomically.

	The Linux kernel CVE team has assigned CVE-2023-52503 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.10.199 with commit da7ce52a2f6c468946195b116615297d3d113a27
	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.15.136 with commit 1680c82929bc14d706065f123dab77f2f1293116
	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.1.59 with commit 60c3e7a00db954947c265b55099c21b216f2a05c
	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.5.8 with commit 1c95574350cd63bc3c5c2fa06658010768f2a0ce
	Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.6 with commit f4384b3e54ea813868bb81a861bf5b2406e15d8f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52503
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tee/amdtee/core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/da7ce52a2f6c468946195b116615297d3d113a27
	https://git.kernel.org/stable/c/1680c82929bc14d706065f123dab77f2f1293116
	https://git.kernel.org/stable/c/60c3e7a00db954947c265b55099c21b216f2a05c
	https://git.kernel.org/stable/c/1c95574350cd63bc3c5c2fa06658010768f2a0ce
	https://git.kernel.org/stable/c/f4384b3e54ea813868bb81a861bf5b2406e15d8f