PT-2026-51932 · Linux · Linux
Published: 2026-06-24 · Updated: 2026-06-24 · CVE-2026-53038
None
No severity ratings or metrics are available. When they are, we will update the corresponding information on the page.
In the Linux kernel, the following vulnerability has been resolved:
ima_fs: Correctly create securityfs files for unsupported hash algos
ima_tpm_chip->allocated_banks[i].crypto_id is initialized to
HASH_ALGO__LAST if the TPM algorithm is not supported. However there
are places relying on the algorithm to be valid because it is accessed
by hash_algo_name[].
On 6.12.40 I observe the following read out-of-bounds in hash_algo_name:
==================================================================
BUG: KASAN: global-out-of-bounds in create_securityfs_measurement_lists+0x396/0x440
Read of size 8 at addr ffffffff83e18138 by task swapper/0/1
CPU: 4 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.40 #3
Call Trace:
dump_stack_lvl+0x61/0x90
print_report+0xc4/0x580
? kasan_addr_to_slab+0x26/0x80
? create_securityfs_measurement_lists+0x396/0x440
kasan_report+0xc2/0x100
? create_securityfs_measurement_lists+0x396/0x440
create_securityfs_measurement_lists+0x396/0x440
ima_fs_init+0xa3/0x300
ima_init+0x7d/0xd0
init_ima+0x28/0x100
do_one_initcall+0xa6/0x3e0
kernel_init_freeable+0x455/0x740
kernel_init+0x24/0x1d0
ret_from_fork+0x38/0x80
ret_from_fork_asm+0x11/0x20
The buggy address belongs to the variable:
hash_algo_name+0xb8/0x420
Memory state around the buggy address:
ffffffff83e18000: 00 01 f9 f9 f9 f9 f9 f9 00 01 f9 f9 f9 f9 f9 f9
ffffffff83e18080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffffff83e18100: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 05 f9 f9
                                       ^
ffffffff83e18180: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
ffffffff83e18200: 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9
==================================================================
Seems like the TPM chip supports sha3_256, which isn't yet in
tpm_algorithms:
tpm tpm0: TPM with unsupported bank algorithm 0x0027
That's TPM_ALG_SHA3_256 == 0x0027 from "Trusted Platform Module 2.0
Library Part 2: Structures", page 51 [1].
See also the related U-Boot algorithms update [2].
Thus solve the problem by creating a file name with "_tpm_alg_"
postfix if the crypto algorithm isn't initialized.
This is how it looks on the test machine (patch ported to v6.12 release):
ls -1 /sys/kernel/security/ima/
ascii_runtime_measurements
ascii_runtime_measurements_tpm_alg_27
ascii_runtime_measurements_sha1
ascii_runtime_measurements_sha256
binary_runtime_measurements
binary_runtime_measurements_tpm_alg_27
binary_runtime_measurements_sha1
binary_runtime_measurements_sha256
policy
runtime_measurements_count
violations
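A userspace model of the lookup described in the commit message above, added here as an illustration and not taken from the kernel patch: the file-name helper checks for the HASH_ALGO__LAST sentinel before it indexes hash_algo_name[]. The reduced enum, struct bank_info, measurement_file_name() and the sample bank table are assumptions made for this example.

```c
/* Userspace model (added example, not kernel code); names are simplified. */
#include <stdio.h>
#include <string.h>

/* Reduced stand-in for the kernel's enum hash_algo. */
enum hash_algo { HASH_ALGO_SHA1, HASH_ALGO_SHA256, HASH_ALGO__LAST };

static const char *const hash_algo_name[HASH_ALGO__LAST] = {
    [HASH_ALGO_SHA1]   = "sha1",
    [HASH_ALGO_SHA256] = "sha256",
};

/* Hypothetical, reduced TPM bank descriptor. */
struct bank_info {
    unsigned int alg_id;      /* TPM algorithm ID reported by the chip */
    enum hash_algo crypto_id; /* HASH_ALGO__LAST when the ID is unsupported */
};

/* Constructed sample: SHA1 (0x0004), SHA256 (0x000b), SHA3-256 (0x0027). */
static const struct bank_info sample_banks[] = {
    { 0x0004, HASH_ALGO_SHA1 },
    { 0x000b, HASH_ALGO_SHA256 },
    { 0x0027, HASH_ALGO__LAST },
};

/*
 * Build "<prefix>_<algo>" for a known algorithm, or "<prefix>_tpm_alg_<id>"
 * when crypto_id is the sentinel. Without the check, the lookup would read
 * hash_algo_name[HASH_ALGO__LAST], one element past the end of the array.
 * Returns 0 on success, -1 if the name does not fit in buf.
 */
static int measurement_file_name(const char *prefix, const struct bank_info *b,
                                 char *buf, size_t len)
{
    int n;

    if (b->crypto_id >= HASH_ALGO__LAST)  /* sentinel: never index the table */
        n = snprintf(buf, len, "%s_tpm_alg_%x", prefix, b->alg_id);
    else
        n = snprintf(buf, len, "%s_%s", prefix, hash_algo_name[b->crypto_id]);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char name[64];
    for (size_t i = 0; i < sizeof(sample_banks) / sizeof(sample_banks[0]); i++)
        if (!measurement_file_name("ascii_runtime_measurements",
                                   &sample_banks[i], name, sizeof(name)))
            puts(name);
    return 0;
}
```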
Affected products
Linux