cve/published/2025/CVE-2025-23149.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-23149: tpm: do not start chip while suspended

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tpm: do not start chip while suspended

 Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
 lead to a spurious tpm_chip_start() call:

 [35985.503771] i2c i2c-1: Transfer while suspended
 [35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
 [35985.503802] Modules linked in:
 [35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G        W          6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
 [35985.503814] Tainted: [W]=WARN
 [35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
 [35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
 [35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
 [35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
 [35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
 [35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
 [35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
 [35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
 [35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
 [35985.503846] FS:  0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
 [35985.503849] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
 [35985.503855] Call Trace:
 [35985.503859]  <TASK>
 [35985.503863]  ? __warn+0xd4/0x260
 [35985.503868]  ? __i2c_transfer+0xbe/0x810
 [35985.503874]  ? report_bug+0xf3/0x210
 [35985.503882]  ? handle_bug+0x63/0xb0
 [35985.503887]  ? exc_invalid_op+0x16/0x50
 [35985.503892]  ? asm_exc_invalid_op+0x16/0x20
 [35985.503904]  ? __i2c_transfer+0xbe/0x810
 [35985.503913]  tpm_cr50_i2c_transfer_message+0x24/0xf0
 [35985.503920]  tpm_cr50_i2c_read+0x8e/0x120
 [35985.503928]  tpm_cr50_request_locality+0x75/0x170
 [35985.503935]  tpm_chip_start+0x116/0x160
 [35985.503942]  tpm_try_get_ops+0x57/0x90
 [35985.503948]  tpm_find_get_ops+0x26/0xd0
 [35985.503955]  tpm_get_random+0x2d/0x80

 Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
 TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
 such a failure case.

 The Linux kernel CVE team has assigned CVE-2025-23149 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.64 with commit cfaf83501a0cbb104499c5b0892ee5ebde4e967f and fixed in 6.6.88 with commit 1404dff1e11bf927b70ac25e1de97bed9742ede4
 	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.12.24 with commit f3cb81cb96d587f9f235a11789d1ec0992643078
 	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.13.12 with commit e74e2394eed90aff5c3a08c1f51f476d4de71d02
 	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.14.3 with commit f1044e995b64d70ef90ef6f2b89955b127497702
 	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.15 with commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd
 	Issue introduced in 6.11.8 with commit bc203fe416abdd1c29da594565a7c3c4e979488e

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-23149
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/char/tpm/tpm-chip.c
 	drivers/char/tpm/tpm-interface.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/1404dff1e11bf927b70ac25e1de97bed9742ede4
 	https://git.kernel.org/stable/c/f3cb81cb96d587f9f235a11789d1ec0992643078
 	https://git.kernel.org/stable/c/e74e2394eed90aff5c3a08c1f51f476d4de71d02
 	https://git.kernel.org/stable/c/f1044e995b64d70ef90ef6f2b89955b127497702
 	https://git.kernel.org/stable/c/17d253af4c2c8a2acf84bb55a0c2045f150b7dfd
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-23149: tpm: do not start chip while suspended

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tpm: do not start chip while suspended

	Checking TPM_CHIP_FLAG_SUSPENDED after the call to tpm_find_get_ops() can
	lead to a spurious tpm_chip_start() call:

	[35985.503771] i2c i2c-1: Transfer while suspended
	[35985.503796] WARNING: CPU: 0 PID: 74 at drivers/i2c/i2c-core.h:56 __i2c_transfer+0xbe/0x810
	[35985.503802] Modules linked in:
	[35985.503808] CPU: 0 UID: 0 PID: 74 Comm: hwrng Tainted: G W 6.13.0-next-20250203-00005-gfa0cb5642941 #19 9c3d7f78192f2d38e32010ac9c90fdc71109ef6f
	[35985.503814] Tainted: [W]=WARN
	[35985.503817] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023
	[35985.503819] RIP: 0010:__i2c_transfer+0xbe/0x810
	[35985.503825] Code: 30 01 00 00 4c 89 f7 e8 40 fe d8 ff 48 8b 93 80 01 00 00 48 85 d2 75 03 49 8b 16 48 c7 c7 0a fb 7c a7 48 89 c6 e8 32 ad b0 fe <0f> 0b b8 94 ff ff ff e9 33 04 00 00 be 02 00 00 00 83 fd 02 0f 5
	[35985.503828] RSP: 0018:ffffa106c0333d30 EFLAGS: 00010246
	[35985.503833] RAX: 074ba64aa20f7000 RBX: ffff8aa4c1167120 RCX: 0000000000000000
	[35985.503836] RDX: 0000000000000000 RSI: ffffffffa77ab0e4 RDI: 0000000000000001
	[35985.503838] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000
	[35985.503841] R10: 0000000000000004 R11: 00000001000313d5 R12: ffff8aa4c10f1820
	[35985.503843] R13: ffff8aa4c0e243c0 R14: ffff8aa4c1167250 R15: ffff8aa4c1167120
	[35985.503846] FS: 0000000000000000(0000) GS:ffff8aa4eae00000(0000) knlGS:0000000000000000
	[35985.503849] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[35985.503852] CR2: 00007fab0aaf1000 CR3: 0000000105328000 CR4: 00000000003506f0
	[35985.503855] Call Trace:
	[35985.503859] <TASK>
	[35985.503863] ? __warn+0xd4/0x260
	[35985.503868] ? __i2c_transfer+0xbe/0x810
	[35985.503874] ? report_bug+0xf3/0x210
	[35985.503882] ? handle_bug+0x63/0xb0
	[35985.503887] ? exc_invalid_op+0x16/0x50
	[35985.503892] ? asm_exc_invalid_op+0x16/0x20
	[35985.503904] ? __i2c_transfer+0xbe/0x810
	[35985.503913] tpm_cr50_i2c_transfer_message+0x24/0xf0
	[35985.503920] tpm_cr50_i2c_read+0x8e/0x120
	[35985.503928] tpm_cr50_request_locality+0x75/0x170
	[35985.503935] tpm_chip_start+0x116/0x160
	[35985.503942] tpm_try_get_ops+0x57/0x90
	[35985.503948] tpm_find_get_ops+0x26/0xd0
	[35985.503955] tpm_get_random+0x2d/0x80

	Don't move forward with tpm_chip_start() inside tpm_try_get_ops(), unless
	TPM_CHIP_FLAG_SUSPENDED is not set. tpm_find_get_ops() will return NULL in
	such a failure case.

	The Linux kernel CVE team has assigned CVE-2025-23149 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.64 with commit cfaf83501a0cbb104499c5b0892ee5ebde4e967f and fixed in 6.6.88 with commit 1404dff1e11bf927b70ac25e1de97bed9742ede4
	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.12.24 with commit f3cb81cb96d587f9f235a11789d1ec0992643078
	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.13.12 with commit e74e2394eed90aff5c3a08c1f51f476d4de71d02
	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.14.3 with commit f1044e995b64d70ef90ef6f2b89955b127497702
	Issue introduced in 6.12 with commit 9265fed6db601ee2ec47577815387458ef4f047a and fixed in 6.15 with commit 17d253af4c2c8a2acf84bb55a0c2045f150b7dfd
	Issue introduced in 6.11.8 with commit bc203fe416abdd1c29da594565a7c3c4e979488e

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-23149
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/char/tpm/tpm-chip.c
	drivers/char/tpm/tpm-interface.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/1404dff1e11bf927b70ac25e1de97bed9742ede4
	https://git.kernel.org/stable/c/f3cb81cb96d587f9f235a11789d1ec0992643078
	https://git.kernel.org/stable/c/e74e2394eed90aff5c3a08c1f51f476d4de71d02
	https://git.kernel.org/stable/c/f1044e995b64d70ef90ef6f2b89955b127497702
	https://git.kernel.org/stable/c/17d253af4c2c8a2acf84bb55a0c2045f150b7dfd