PT-2025-8215 · Linux+3 · Linux Kernel+3
Published: 2022-03-08 · Updated: 2025-09-29 · CVE-2022-49287
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to the version containing the fix for the reference counting issue in the tpm module
Description
A reference counting issue in the Linux kernel's tpm module can lead to a use-after-free warning. This occurs when a specific sequence of operations is performed: opening the /dev/tpmrm device, removing the tpm_tis_spi module, and writing a TPM command to the file descriptor. The issue arises from the attempt to get the chip->dev reference in tpm_common_write() when the reference counter is already zero. The extra reference that is meant to prevent a premature zero counter is never taken, because the required TPM_CHIP_FLAG_TPM2 flag is never set.
Recommendations
To resolve this issue, update the Linux kernel to a version that includes the fix for the reference counting issue in the tpm module. Specifically, the fix involves moving the TPM 2 character device handling from tpm_chip_alloc() to tpm_add_char_device(), releasing the extra reference in tpm_devs_release(), and putting chip->devs in tpm_chip_unregister(). As a temporary workaround, consider avoiding the sequence of operations that triggers the warning, such as not removing the tpm_tis_spi module while the /dev/tpmrm device is open.
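One way to enforce the temporary workaround on unpatched hosts is a pre-unload check that refuses to proceed while any process still holds the resource-manager device open. This is an added example, not part of the advisory or the kernel fix; the function names and the optional proc-root argument are hypothetical, and it assumes the device nodes appear as /dev/tpmrmN.

```shell
#!/bin/sh
# Added example (not from the advisory): guard for the workaround of not
# removing tpm_tis_spi while /dev/tpmrm* is open.
# Reading other users' /proc/<pid>/fd entries requires root on a live system.

# Print the PIDs that hold a /dev/tpmrmN node open, one per line.
# $1: proc root (hypothetical override for offline testing; default /proc)
tpmrm_holders() {
    proc_root="${1:-/proc}"
    for fd in "$proc_root"/[0-9]*/fd/*; do
        # Skip the unexpanded glob and anything that is not an fd symlink.
        [ -L "$fd" ] || continue
        # Processes can exit mid-scan; ignore links that vanish.
        target=$(readlink "$fd") || continue
        case "$target" in
            /dev/tpmrm[0-9]*)
                # Covers "/dev/tpmrm0" and "/dev/tpmrm0 (deleted)".
                pid=${fd#"$proc_root"/}
                echo "${pid%%/*}"
                ;;
        esac
    done | sort -un
}

# Return 0 only when no process holds /dev/tpmrm* open.
# Intended to run before an administrator unloads the TPM driver module.
safe_to_unload_tpm_driver() {
    holders=$(tpmrm_holders "${1:-/proc}")
    if [ -n "$holders" ]; then
        echo "refusing: /dev/tpmrm* still open by PID(s):" $holders >&2
        return 1
    fi
    return 0
}
```

The check is advisory only: a process can open the device between the scan and the unload, so it narrows the window rather than replacing the kernel update.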
Exploit
Fix
Use After Free
Affected Products
Astra Linux
Linux Kernel
Red Hat
Suse