Bug 2347958 (CVE-2022-49286) - CVE-2022-49286 kernel: tpm: use try_get_ops() in tpm-space.c
Summary: CVE-2022-49286 kernel: tpm: use try_get_ops() in tpm-space.c
Keywords:
Status: NEW
Alias: CVE-2022-49286
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-26 03:12 UTC by OSIDB Bzimport
Modified: 2025-02-26 17:51 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-26 03:12:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

tpm: use try_get_ops() in tpm-space.c

As part of the series conversion to remove nested TPM operations:

https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/

exposure of the chip->tpm_mutex was removed from much of the upper
level code.  In this conversion, tpm2_del_space() was missed.  This
didn't matter much because it's usually called closely after a
converted operation, so there's only a very tiny race window where the
chip can be removed before the space flushing is done which causes a
NULL deref on the mutex.  However, there are reports of this window
being hit in practice, so fix this by converting tpm2_del_space() to
use tpm_try_get_ops(), which performs all the teardown checks before
acquring the mutex.
Comment 1 Avinash Hanwate 2025-02-26 13:30:58 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022632-CVE-2022-49286-a585@gregkh/T
Comment 4 Avinash Hanwate 2025-02-26 17:50:25 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022632-CVE-2022-49286-a585@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.