cve/published/2022/CVE-2022-49287.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49287: tpm: fix reference counting for struct tpm_chip

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tpm: fix reference counting for struct tpm_chip

 The following sequence of operations results in a refcount warning:

 1. Open device /dev/tpmrm.
 2. Remove module tpm_tis_spi.
 3. Write a TPM command to the file descriptor opened at step 1.

 ------------[ cut here ]------------
 WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
 refcount_t: addition on 0; use-after-free.
 Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
 sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
 brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
 raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
 snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
 CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
 Hardware name: BCM2711
 [<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
 [<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
 [<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
 [<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
 [<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
 [<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
 [<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
 [<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
 [<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
 [<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
 Exception stack(0xc226bfa8 to 0xc226bff0)
 bfa0:                   00000000 000105b4 00000003 beafe664 00000014 00000000
 bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
 bfe0: 0000006c beafe648 0001056c b6eb6944
 ---[ end trace d4b8409def9b8b1f ]---

 The reason for this warning is the attempt to get the chip->dev reference
 in tpm_common_write() although the reference counter is already zero.

 Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
 extra reference used to prevent a premature zero counter is never taken,
 because the required TPM_CHIP_FLAG_TPM2 flag is never set.

 Fix this by moving the TPM 2 character device handling from
 tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
 in time when the flag has been set in case of TPM2.

 Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
 already introduced function tpm_devs_release() to release the extra
 reference but did not implement the required put on chip->devs that results
 in the call of this function.

 Fix this by putting chip->devs in tpm_chip_unregister().

 Finally move the new implementation for the TPM 2 handling into a new
 function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
 good case and error cases.

 The Linux kernel CVE team has assigned CVE-2022-49287 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 4.14.276 with commit 473a66f99cb8173c14138c5a5c69bfad04e8f9ac
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 4.19.238 with commit cb64bd038beacb4331fe464a36c8b5481e8f51e2
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.4.189 with commit a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.10.110 with commit 290e05f346d1829e849662c97e42d5ad984f5258
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.15.33 with commit 662893b4f6bd466ff9e1cd454c44c26d32d554fe
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.16.19 with commit 2f928c0d5c02dbab49e8c19d98725c822f6fc409
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.17.1 with commit 6e7baf84149fb43950631415de231b3a41915aa3
 	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.18 with commit 7e0438f83dc769465ee663bb5dcf8cc154940712

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49287
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/char/tpm/tpm-chip.c
 	drivers/char/tpm/tpm.h
 	drivers/char/tpm/tpm2-space.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac
 	https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2
 	https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
 	https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258
 	https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe
 	https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409
 	https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3
 	https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712
	From bippy-7c5fe7eed585 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49287: tpm: fix reference counting for struct tpm_chip

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tpm: fix reference counting for struct tpm_chip

	The following sequence of operations results in a refcount warning:

	1. Open device /dev/tpmrm.
	2. Remove module tpm_tis_spi.
	3. Write a TPM command to the file descriptor opened at step 1.

	------------[ cut here ]------------
	WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
	refcount_t: addition on 0; use-after-free.
	Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac
	sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4
	brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes
	raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm
	snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]
	CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2
	Hardware name: BCM2711
	[<c0410c3c>] (unwind_backtrace) from [<c040b580>] (show_stack+0x10/0x14)
	[<c040b580>] (show_stack) from [<c1092174>] (dump_stack+0xc4/0xd8)
	[<c1092174>] (dump_stack) from [<c0445a30>] (__warn+0x104/0x108)
	[<c0445a30>] (__warn) from [<c0445aa8>] (warn_slowpath_fmt+0x74/0xb8)
	[<c0445aa8>] (warn_slowpath_fmt) from [<c08435d0>] (kobject_get+0xa0/0xa4)
	[<c08435d0>] (kobject_get) from [<bf0a715c>] (tpm_try_get_ops+0x14/0x54 [tpm])
	[<bf0a715c>] (tpm_try_get_ops [tpm]) from [<bf0a7d6c>] (tpm_common_write+0x38/0x60 [tpm])
	[<bf0a7d6c>] (tpm_common_write [tpm]) from [<c05a7ac0>] (vfs_write+0xc4/0x3c0)
	[<c05a7ac0>] (vfs_write) from [<c05a7ee4>] (ksys_write+0x58/0xcc)
	[<c05a7ee4>] (ksys_write) from [<c04001a0>] (ret_fast_syscall+0x0/0x4c)
	Exception stack(0xc226bfa8 to 0xc226bff0)
	bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000
	bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684
	bfe0: 0000006c beafe648 0001056c b6eb6944
	---[ end trace d4b8409def9b8b1f ]---

	The reason for this warning is the attempt to get the chip->dev reference
	in tpm_common_write() although the reference counter is already zero.

	Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the
	extra reference used to prevent a premature zero counter is never taken,
	because the required TPM_CHIP_FLAG_TPM2 flag is never set.

	Fix this by moving the TPM 2 character device handling from
	tpm_chip_alloc() to tpm_add_char_device() which is called at a later point
	in time when the flag has been set in case of TPM2.

	Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>")
	already introduced function tpm_devs_release() to release the extra
	reference but did not implement the required put on chip->devs that results
	in the call of this function.

	Fix this by putting chip->devs in tpm_chip_unregister().

	Finally move the new implementation for the TPM 2 handling into a new
	function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the
	good case and error cases.

	The Linux kernel CVE team has assigned CVE-2022-49287 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 4.14.276 with commit 473a66f99cb8173c14138c5a5c69bfad04e8f9ac
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 4.19.238 with commit cb64bd038beacb4331fe464a36c8b5481e8f51e2
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.4.189 with commit a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.10.110 with commit 290e05f346d1829e849662c97e42d5ad984f5258
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.15.33 with commit 662893b4f6bd466ff9e1cd454c44c26d32d554fe
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.16.19 with commit 2f928c0d5c02dbab49e8c19d98725c822f6fc409
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.17.1 with commit 6e7baf84149fb43950631415de231b3a41915aa3
	Issue introduced in 4.12 with commit fdc915f7f71939ad5a3dda3389b8d2d7a7c5ee66 and fixed in 5.18 with commit 7e0438f83dc769465ee663bb5dcf8cc154940712

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49287
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/char/tpm/tpm-chip.c
	drivers/char/tpm/tpm.h
	drivers/char/tpm/tpm2-space.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac
	https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2
	https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81
	https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258
	https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe
	https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409
	https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3
	https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712