cve/published/2022/CVE-2022-48997.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48997: char: tpm: Protect tpm_pm_suspend with locks

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 char: tpm: Protect tpm_pm_suspend with locks

 Currently tpm transactions are executed unconditionally in
 tpm_pm_suspend() function, which may lead to races with other tpm
 accessors in the system.

 Specifically, the hw_random tpm driver makes use of tpm_get_random(),
 and this function is called in a loop from a kthread, which means it's
 not frozen alongside userspace, and so can race with the work done
 during system suspend:

   tpm tpm0: tpm_transmit: tpm_recv: error -52
   tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
   CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
   Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
   Call Trace:
    tpm_tis_status.cold+0x19/0x20
    tpm_transmit+0x13b/0x390
    tpm_transmit_cmd+0x20/0x80
    tpm1_pm_suspend+0xa6/0x110
    tpm_pm_suspend+0x53/0x80
    __pnp_bus_suspend+0x35/0xe0
    __device_suspend+0x10f/0x350

 Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
 tpm_chip_start(), but takes the appropriate mutex.

 [Jason: reworked commit message, added metadata]

 The Linux kernel CVE team has assigned CVE-2022-48997 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.4.226 with commit d699373ac5f3545243d3c73a1ccab77fdef8cec6
 	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.10.158 with commit 4e0d6c687c925e27fd4bc78a2721d10acf5614d6
 	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.15.82 with commit 571b6bbbf54d835ea6120f65575cb55cd767e603
 	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 6.0.12 with commit 25b78bf98b07ff5aceb9b1e24f72ec0236c5c053
 	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 6.1 with commit 23393c6461422df5bf8084a086ada9a7e17dc2ba

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48997
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/char/tpm/tpm-interface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/d699373ac5f3545243d3c73a1ccab77fdef8cec6
 	https://git.kernel.org/stable/c/4e0d6c687c925e27fd4bc78a2721d10acf5614d6
 	https://git.kernel.org/stable/c/571b6bbbf54d835ea6120f65575cb55cd767e603
 	https://git.kernel.org/stable/c/25b78bf98b07ff5aceb9b1e24f72ec0236c5c053
 	https://git.kernel.org/stable/c/23393c6461422df5bf8084a086ada9a7e17dc2ba
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48997: char: tpm: Protect tpm_pm_suspend with locks

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	char: tpm: Protect tpm_pm_suspend with locks

	Currently tpm transactions are executed unconditionally in
	tpm_pm_suspend() function, which may lead to races with other tpm
	accessors in the system.

	Specifically, the hw_random tpm driver makes use of tpm_get_random(),
	and this function is called in a loop from a kthread, which means it's
	not frozen alongside userspace, and so can race with the work done
	during system suspend:

	tpm tpm0: tpm_transmit: tpm_recv: error -52
	tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
	CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
	Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/01/2014
	Call Trace:
	tpm_tis_status.cold+0x19/0x20
	tpm_transmit+0x13b/0x390
	tpm_transmit_cmd+0x20/0x80
	tpm1_pm_suspend+0xa6/0x110
	tpm_pm_suspend+0x53/0x80
	__pnp_bus_suspend+0x35/0xe0
	__device_suspend+0x10f/0x350

	Fix this by calling tpm_try_get_ops(), which itself is a wrapper around
	tpm_chip_start(), but takes the appropriate mutex.

	[Jason: reworked commit message, added metadata]

	The Linux kernel CVE team has assigned CVE-2022-48997 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.4.226 with commit d699373ac5f3545243d3c73a1ccab77fdef8cec6
	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.10.158 with commit 4e0d6c687c925e27fd4bc78a2721d10acf5614d6
	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 5.15.82 with commit 571b6bbbf54d835ea6120f65575cb55cd767e603
	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 6.0.12 with commit 25b78bf98b07ff5aceb9b1e24f72ec0236c5c053
	Issue introduced in 5.1 with commit e891db1a18bf11e02533ec2386b796cfd8d60666 and fixed in 6.1 with commit 23393c6461422df5bf8084a086ada9a7e17dc2ba

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48997
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/char/tpm/tpm-interface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/d699373ac5f3545243d3c73a1ccab77fdef8cec6
	https://git.kernel.org/stable/c/4e0d6c687c925e27fd4bc78a2721d10acf5614d6
	https://git.kernel.org/stable/c/571b6bbbf54d835ea6120f65575cb55cd767e603
	https://git.kernel.org/stable/c/25b78bf98b07ff5aceb9b1e24f72ec0236c5c053
	https://git.kernel.org/stable/c/23393c6461422df5bf8084a086ada9a7e17dc2ba