In the Linux kernel, the following vulnerability has been resolved: tee:
amdtee: fix use-after-free vulnerability in amdtee_close_session There is a
potential race condition in amdtee_close_session that may cause
use-after-free in amdtee_open_session. For instance, if a session has
refcount == 1, and one thread tries to free this session via:
kref_put(&sess->refcount, destroy_session); the reference count will get
decremented, and the next step would be to call destroy_session(). However,
if in another thread, amdtee_open_session() is called before
destroy_session() has completed execution, alloc_session() may return
‘sess’ that will be freed up later in destroy_session() leading to
use-after-free in amdtee_open_session. To fix this issue, treat decrement
of sess->refcount and removal of ‘sess’ from session list in
destroy_session() as a critical section, so that it is executed atomically.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |