From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2023-53047: tee: amdtee: fix race condition in amdtee_open_session

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

tee: amdtee: fix race condition in amdtee_open_session

There is a potential race condition in amdtee_open_session that may
lead to use-after-free. For instance, in amdtee_open_session() after
sess->sess_mask is set, and before setting:

sess->session_info[i] = session_info;

if amdtee_close_session() closes this same session, then 'sess' data
structure will be released, causing kernel panic when 'sess' is
accessed within amdtee_open_session().

The solution is to set the bit sess->sess_mask as the last step in
amdtee_open_session().
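The ordering problem the commit message describes is easier to see in a small model. The C program below is an added example, not code from the kernel or from the fixing commits: it models the per-TA session table with the two fields the advisory names (sess_mask and session_info) and contrasts the vulnerable order (publish the slot in sess_mask, then store the handle) with the fixed order (store the handle, then set the sess_mask bit last). The close path, the backend open call, the "freed" flag standing in for the structure being released, and the hook that runs a close inside the open path's window are all constructed for the demonstration; real threads and the driver's spinlock are omitted so the interleaving is deterministic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEE_NUM_SESSIONS 32

/* Model of the per-TA session table. sess_mask and session_info follow the
 * advisory's field names; 'freed' is a constructed stand-in for kfree(). */
struct amdtee_session {
	uint32_t sess_mask;                      /* bit i set => slot i is live */
	uint32_t session_info[TEE_NUM_SESSIONS]; /* backend handle for slot i */
	bool freed;                              /* table has been released */
};

enum { OPEN_OK = 0, OPEN_FULL = -1, OPEN_USE_AFTER_FREE = -2 };

/* Called at the point in the open path where a concurrent close could be
 * scheduled; the scenarios below install a close there (constructed). */
typedef void (*window_hook_t)(struct amdtee_session *sess);

/* Constructed stand-in for the firmware call that opens the session. */
static uint32_t backend_open(void) { return 0xABCD0001u; }

/* Releasing side: clear the slot and, once no live session remains, release
 * the table. In the driver this is where 'sess' is freed. */
void close_session(struct amdtee_session *sess, int slot)
{
	if (sess->freed || !(sess->sess_mask & (1u << slot)))
		return;                          /* slot not live: nothing to do */
	sess->session_info[slot] = 0;
	sess->sess_mask &= ~(1u << slot);
	if (sess->sess_mask == 0)
		sess->freed = true;
}

static int first_free_slot(const struct amdtee_session *sess)
{
	for (int i = 0; i < TEE_NUM_SESSIONS; i++)
		if (!(sess->sess_mask & (1u << i)))
			return i;
	return -1;
}

/* Vulnerable ordering: the slot is published in sess_mask before
 * session_info is written, so a close in between sees a live slot and
 * can release the table while the opener still holds a pointer to it. */
int open_session_vulnerable(struct amdtee_session *sess, window_hook_t hook)
{
	int i = first_free_slot(sess);
	if (i < 0)
		return OPEN_FULL;
	sess->sess_mask |= 1u << i;              /* published too early */
	uint32_t info = backend_open();
	if (hook)
		hook(sess);                      /* the race window */
	if (sess->freed)
		return OPEN_USE_AFTER_FREE;      /* the driver would write freed memory */
	sess->session_info[i] = info;
	return OPEN_OK;
}

/* Fixed ordering, as the advisory describes: store session_info first and
 * set the sess_mask bit as the last step, so a close landing in the same
 * window finds no live slot and leaves the table alone. */
int open_session_fixed(struct amdtee_session *sess, window_hook_t hook)
{
	uint32_t info = backend_open();
	if (hook)
		hook(sess);                      /* same window, nothing published yet */
	int i = first_free_slot(sess);
	if (i < 0)
		return OPEN_FULL;
	sess->session_info[i] = info;
	sess->sess_mask |= 1u << i;              /* published last */
	return OPEN_OK;
}

/* The interfering close targets slot 0, the slot a fresh table hands out. */
static void racing_close_slot0(struct amdtee_session *sess)
{
	close_session(sess, 0);
}

static int run_scenario(int (*open_fn)(struct amdtee_session *, window_hook_t),
			struct amdtee_session *sess)
{
	memset(sess, 0, sizeof(*sess));
	return open_fn(sess, racing_close_slot0);
}

int scenario_vulnerable(void)
{
	struct amdtee_session s;
	return run_scenario(open_session_vulnerable, &s);
}

int scenario_fixed(void)
{
	struct amdtee_session s;
	return run_scenario(open_session_fixed, &s);
}

/* After the fixed open: slot 0 live, handle stored, table not released. */
int fixed_table_consistent(void)
{
	struct amdtee_session s;
	if (run_scenario(open_session_fixed, &s) != OPEN_OK)
		return 0;
	return s.sess_mask == 1u && s.session_info[0] == backend_open() && !s.freed;
}

int main(void)
{
	printf("vulnerable ordering: %s\n",
	       scenario_vulnerable() == OPEN_USE_AFTER_FREE ? "use-after-free reached" : "ok");
	printf("fixed ordering: %s\n", fixed_table_consistent() ? "consistent" : "broken");
	return 0;
}
```

The model keeps the same window in both versions; what changes is what the close finds there. Once the sess_mask bit is the last thing written, the slot is invisible to the releasing path until every field it depends on is already in place, which is the invariant the fix restores.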

The Linux kernel CVE team has assigned CVE-2023-53047 to this issue.


Affected and fixed versions
===========================

Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.10.177 with commit f632a90f8e39db39b322107b9a8d438b826a7f4f
Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 5.15.105 with commit 02b296978a2137d7128151c542e84dc96400bc00
Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.1.22 with commit a63cce9393e4e7dbc5af82dc87e68cb321cb1a78
Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.2.9 with commit b3ef9e6fe09f1a132af28c623edcf4d4f39d9f35
Issue introduced in 5.6 with commit 757cc3e9ff1d72d014096399d6e2bf03974d9da1 and fixed in 6.3 with commit f8502fba45bd30e1a6a354d9d898bc99d1a11e6d

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2023-53047
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
drivers/tee/amdtee/core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/f632a90f8e39db39b322107b9a8d438b826a7f4f
https://git.kernel.org/stable/c/02b296978a2137d7128151c542e84dc96400bc00
https://git.kernel.org/stable/c/a63cce9393e4e7dbc5af82dc87e68cb321cb1a78
https://git.kernel.org/stable/c/b3ef9e6fe09f1a132af28c623edcf4d4f39d9f35
https://git.kernel.org/stable/c/f8502fba45bd30e1a6a354d9d898bc99d1a11e6d