CVE-2022-49287 Information

Mar 01, 2025 cve

Description

In the Linux kernel the following vulnerability has been resolved:

tpm: fix reference counting for struct tpm_chip

The following sequence of operations results in a refcount warning:

  1. Open device /dev/tpmrm.
  2. Remove module tpm_tis_spi.
  3. Write a TPM command to the file descriptor opened at step 1.

————[ cut here ]———— WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4 refcount_t: addition on 0; use-after-free. Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4 brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835] CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty 2 Hardware name: BCM2711 [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xc4/0xd8) [] (dump_stack) from [] (__warn+0x104/0x108) [] (__warn) from [] (warn_slowpath_fmt+0x74/0xb8) [] (warn_slowpath_fmt) from [] (kobject_get+0xa0/0xa4) [] (kobject_get) from [] (tpm_try_get_ops+0x14/0x54 [tpm]) [] (tpm_try_get_ops [tpm]) from [] (tpm_common_write+0x38/0x60 [tpm]) [] (tpm_common_write [tpm]) from [] (vfs_write+0xc4/0x3c0) [] (vfs_write) from [] (ksys_write+0x58/0xcc) [] (ksys_write) from [] (ret_fast_syscall+0x0/0x4c) Exception stack(0xc226bfa8 to 0xc226bff0) bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000 bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684 bfe0: 0000006c beafe648 0001056c b6eb6944 —[ end trace d4b8409def9b8b1f ]—

The reason for this warning is the attempt to get the chip->dev reference in tpm_common_write() although the reference counter is already zero.

Since commit 8979b02aaf1d ( pm: Fix reference count to main device) the extra reference used to prevent a premature zero counter is never taken because the required TPM_CHIP_FLAG_TPM2 flag is never set.

Fix this by moving the TPM 2 character device handling from tpm_chip_alloc() to tpm_add_char_device() which is called at a later point in time when the flag has been set in case of TPM2.

Commit fdc915f7f719 ( pm: expose spaces via a device link /dev/tpmrm) already introduced function tpm_devs_release() to release the extra reference but did not implement the required put on chip->devs that results in the call of this function.

Fix this by putting chip->devs in tpm_chip_unregister().

Finally move the new implementation for the TPM 2 handling into a new function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the good case and error cases.

Reference

https://git.kernel.org/stable/c/290e05f346d1829e849662c97e42d5ad984f5258 https://git.kernel.org/stable/c/2f928c0d5c02dbab49e8c19d98725c822f6fc409 https://git.kernel.org/stable/c/473a66f99cb8173c14138c5a5c69bfad04e8f9ac https://git.kernel.org/stable/c/662893b4f6bd466ff9e1cd454c44c26d32d554fe https://git.kernel.org/stable/c/6e7baf84149fb43950631415de231b3a41915aa3 https://git.kernel.org/stable/c/7e0438f83dc769465ee663bb5dcf8cc154940712 https://git.kernel.org/stable/c/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81 https://git.kernel.org/stable/c/cb64bd038beacb4331fe464a36c8b5481e8f51e2

Share on: