CVE-2022-49287

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49287
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49287.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49287
Related
Published
2025-02-26T07:01:05Z
Modified
2025-02-27T20:50:41.505121Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

tpm: fix reference counting for struct tpm_chip

The following sequence of operations results in a refcount warning:

  1. Open device /dev/tpmrm.
  2. Remove module tpmtisspi.
  3. Write a TPM command to the file descriptor opened at step 1.

------------[ cut here ]------------ WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobjectget+0xa0/0xa4 refcountt: addition on 0; use-after-free. Modules linked in: tpmtisspi tpmtiscore tpm mdiobcmunimac brcmfmac sha256generic libsha256 sha256arm hciuart btbcm bluetooth cfg80211 vc4 brcmutil ecdhgeneric ecc sndsoccore crc32armce libaes raspberrypihwmon ac97bus sndpcmdmaengine bcm2711thermal sndpcm sndtimer genet snd phygeneric soundcore [last unloaded: spibcm2835] CPU: 3 PID: 1161 Comm: holdopen Not tainted 5.10.0ls-main-dirty #2 Hardware name: BCM2711 [<c0410c3c>] (unwindbacktrace) from [<c040b580>] (showstack+0x10/0x14) [<c040b580>] (showstack) from [<c1092174>] (dumpstack+0xc4/0xd8) [<c1092174>] (dumpstack) from [<c0445a30>] (warn+0x104/0x108) [<c0445a30>] (warn) from [<c0445aa8>] (warnslowpathfmt+0x74/0xb8) [<c0445aa8>] (warnslowpathfmt) from [<c08435d0>] (kobjectget+0xa0/0xa4) [<c08435d0>] (kobjectget) from [<bf0a715c>] (tpmtrygetops+0x14/0x54 [tpm]) [<bf0a715c>] (tpmtrygetops [tpm]) from [<bf0a7d6c>] (tpmcommonwrite+0x38/0x60 [tpm]) [<bf0a7d6c>] (tpmcommonwrite [tpm]) from [<c05a7ac0>] (vfswrite+0xc4/0x3c0) [<c05a7ac0>] (vfswrite) from [<c05a7ee4>] (ksyswrite+0x58/0xcc) [<c05a7ee4>] (ksyswrite) from [<c04001a0>] (retfast_syscall+0x0/0x4c) Exception stack(0xc226bfa8 to 0xc226bff0) bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000 bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684 bfe0: 0000006c beafe648 0001056c b6eb6944 ---[ end trace d4b8409def9b8b1f ]---

The reason for this warning is the attempt to get the chip->dev reference in tpmcommonwrite() although the reference counter is already zero.

Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the extra reference used to prevent a premature zero counter is never taken, because the required TPMCHIPFLAG_TPM2 flag is never set.

Fix this by moving the TPM 2 character device handling from tpmchipalloc() to tpmaddchar_device() which is called at a later point in time when the flag has been set in case of TPM2.

Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm<n>") already introduced function tpmdevsrelease() to release the extra reference but did not implement the required put on chip->devs that results in the call of this function.

Fix this by putting chip->devs in tpmchipunregister().

Finally move the new implementation for the TPM 2 handling into a new function to avoid multiple checks for the TPMCHIPFLAG_TPM2 flag in the good case and error cases.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}