CVE-2022-49287

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> tpm: fix reference counting for struct tpm_chip<br /> <br /> The following sequence of operations results in a refcount warning:<br /> <br /> 1. Open device /dev/tpmrm.<br /> 2. Remove module tpm_tis_spi.<br /> 3. Write a TPM command to the file descriptor opened at step 1.<br /> <br /> ------------[ cut here ]------------<br /> WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4<br /> refcount_t: addition on 0; use-after-free.<br /> Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac<br /> sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4<br /> brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes<br /> raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm<br /> snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835]<br /> CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2<br /> Hardware name: BCM2711<br /> [] (unwind_backtrace) from [] (show_stack+0x10/0x14)<br /> [] (show_stack) from [] (dump_stack+0xc4/0xd8)<br /> [] (dump_stack) from [] (__warn+0x104/0x108)<br /> [] (__warn) from [] (warn_slowpath_fmt+0x74/0xb8)<br /> [] (warn_slowpath_fmt) from [] (kobject_get+0xa0/0xa4)<br /> [] (kobject_get) from [] (tpm_try_get_ops+0x14/0x54 [tpm])<br /> [] (tpm_try_get_ops [tpm]) from [] (tpm_common_write+0x38/0x60 [tpm])<br /> [] (tpm_common_write [tpm]) from [] (vfs_write+0xc4/0x3c0)<br /> [] (vfs_write) from [] (ksys_write+0x58/0xcc)<br /> [] (ksys_write) from [] (ret_fast_syscall+0x0/0x4c)<br /> Exception stack(0xc226bfa8 to 0xc226bff0)<br /> bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000<br /> bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684<br /> bfe0: 0000006c beafe648 0001056c b6eb6944<br /> ---[ end trace d4b8409def9b8b1f ]---<br /> <br /> The reason for this warning is the attempt to get the chip-&gt;dev reference<br /> in tpm_common_write() although the reference counter is already zero.<br /> <br /> Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the<br /> extra reference used to prevent a premature zero counter is never taken,<br /> because the required TPM_CHIP_FLAG_TPM2 flag is never set.<br /> <br /> Fix this by moving the TPM 2 character device handling from<br /> tpm_chip_alloc() to tpm_add_char_device() which is called at a later point<br /> in time when the flag has been set in case of TPM2.<br /> <br /> Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm")<br /> already introduced function tpm_devs_release() to release the extra<br /> reference but did not implement the required put on chip-&gt;devs that results<br /> in the call of this function.<br /> <br /> Fix this by putting chip-&gt;devs in tpm_chip_unregister().<br /> <br /> Finally move the new implementation for the TPM 2 handling into a new<br /> function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the<br /> good case and error cases.