In the Linux kernel, the following vulnerability has been resolved: tpm: fixed reference counting for struct tpm_chip The following sequence of operations results in a refcount warning: 1. Open the device /dev/tpmrm. 2. Remove the module tpm_tis_spi. 3. Write a TPM command to the file descriptor opened in step 1. ------------[ Cut here ]------------ WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4 refcount_t: addition on 0; use-after-free. Linked modules: tpm_tis_spi, tpm_tis_core, tpm, mdio_bcm_unimac brcmfmac, sha256_generic, lisha256 sha256_arm, hci_uart, btbcm, bluetooth, cfg80211, vc4, brcmutil, ecc_generic, snd_soc_core, crc32_arm_ce, libaes, raspberrypiHWmon, ac97_bus, snd_pcm_DMAengine, bcm2711_thermal, snd, genet, snd Phy generic, soundcore. [Last unloaded: spi_bcm2835] CPU: 3 PID: 1161, Comm: hold_open, Not tainted, 5.10.0ls-main-dirty #2 Hardware name: BCM2711 [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xc4/0xd8) [] (dump_stack) from [] (__warn+0x104/0x108) [] (__warn) from [] (warn_slowpath_fmt+0x74/0xb8) [] (warn_slowpath_fmt) from [] (kobject_get+0xa0/0xa4) [] (kobject_get) from [] (tpm_try_get_ops+0x14/0x54 [tpm]) [] (tpm_try_get_ops [tpm]) from [] (tpm_common_write+0x38/0x60 [tpm]) [] (tpm_common_write [tpm]) from [] (vfs_write+0xc4/0x3c0) [c05a7ac0] (vfs_write) from [c05a7ee4] (ksys_write+0x58/0xcc) [c05a7ee4] (ksys_write) from [c04001a0] (ret_fast_syscall+0x0/0x4c) Exception stack (0xc226bfa8 to 0xc226bff0) bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000 bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684 bfe0: 0000006c beafe648 0001056c b6eb6944 ---[ End Trace: d4b8409def9b8b1f ]— The reason for this warning is the attempt to access the chip->dev reference in tpm_common_write(), even though the reference counter is already zero. Since commit 8979b02aaf1d (“tpm: Fix reference count to main device”), the additional references used to prevent the counter from being set to zero are no longer used, because the required TPM_CHIP_FLAG_TPM2 flag is never set. This issue can be fixed by moving the handling of the TPM 2 character device from tpm_chip_alloc() to tpm_add_char_device(). This function is called later in time, after the flag has been set, in case TPM2 is used. The commit fdc915f7f719 (“tpm: expose spaces via a device link /dev/tpmrm”) already introduced the function tpm_devs_release() to release the additional references. However, the required operation to set chip->devs was not implemented, resulting in calls to this function. This issue can be fixed by including the setting of chip->devs in tpm_chip_unregister(). Finally, the new implementation for TPM 2 handling should be moved to a separate function, to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in both good and error cases.

Query Builder