Linux Kernel up to 5.17.0 lib/refcount.c tpm_common_write reference count

Summaryinfo

A vulnerability identified as critical has been detected in Linux Kernel up to 5.17.0. This issue affects the function tpm_common_write in the library lib/refcount.c. This manipulation causes reference count. This vulnerability is registered as CVE-2022-49287. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Linux Kernel up to 5.17.0. It has been declared as critical. Affected by this vulnerability is the function tpm_common_write in the library lib/refcount.c. The manipulation with an unknown input leads to a reference count vulnerability. The CWE definition for the vulnerability is CWE-911. The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count. As an impact it is known to affect availability. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: tpm: fix reference counting for struct tpm_chip The following sequence of operations results in a refcount warning: 1. Open device /dev/tpmrm. 2. Remove module tpm_tis_spi. 3. Write a TPM command to the file descriptor opened at step 1. ------------[ cut here ]------------ WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4 refcount_t: addition on 0; use-after-free. Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_unimac brcmfmac sha256_generic libsha256 sha256_arm hci_uart btbcm bluetooth cfg80211 vc4 brcmutil ecdh_generic ecc snd_soc_core crc32_arm_ce libaes raspberrypi_hwmon ac97_bus snd_pcm_dmaengine bcm2711_thermal snd_pcm snd_timer genet snd phy_generic soundcore [last unloaded: spi_bcm2835] CPU: 3 PID: 1161 Comm: hold_open Not tainted 5.10.0ls-main-dirty #2 Hardware name: BCM2711 [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xc4/0xd8) [] (dump_stack) from [] (__warn+0x104/0x108) [] (__warn) from [] (warn_slowpath_fmt+0x74/0xb8) [] (warn_slowpath_fmt) from [] (kobject_get+0xa0/0xa4) [] (kobject_get) from [] (tpm_try_get_ops+0x14/0x54 [tpm]) [] (tpm_try_get_ops [tpm]) from [] (tpm_common_write+0x38/0x60 [tpm]) [] (tpm_common_write [tpm]) from [] (vfs_write+0xc4/0x3c0) [] (vfs_write) from [] (ksys_write+0x58/0xcc) [] (ksys_write) from [] (ret_fast_syscall+0x0/0x4c) Exception stack(0xc226bfa8 to 0xc226bff0) bfa0: 00000000 000105b4 00000003 beafe664 00000014 00000000 bfc0: 00000000 000105b4 000103f8 00000004 00000000 00000000 b6f9c000 beafe684 bfe0: 0000006c beafe648 0001056c b6eb6944 ---[ end trace d4b8409def9b8b1f ]--- The reason for this warning is the attempt to get the chip->dev reference in tpm_common_write() although the reference counter is already zero. Since commit 8979b02aaf1d ("tpm: Fix reference count to main device") the extra reference used to prevent a premature zero counter is never taken, because the required TPM_CHIP_FLAG_TPM2 flag is never set. Fix this by moving the TPM 2 character device handling from tpm_chip_alloc() to tpm_add_char_device() which is called at a later point in time when the flag has been set in case of TPM2. Commit fdc915f7f719 ("tpm: expose spaces via a device link /dev/tpmrm") already introduced function tpm_devs_release() to release the extra reference but did not implement the required put on chip->devs that results in the call of this function. Fix this by putting chip->devs in tpm_chip_unregister(). Finally move the new implementation for the TPM 2 handling into a new function to avoid multiple checks for the TPM_CHIP_FLAG_TPM2 flag in the good case and error cases.

The advisory is shared at git.kernel.org. This vulnerability is known as CVE-2022-49287 since 02/26/2025. The exploitation appears to be difficult. Technical details are known, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 225785 (Linux Distros Unpatched Vulnerability : CVE-2022-49287), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 4.14.276, 4.19.238, 5.4.189, 5.10.110, 5.15.33, 5.16.19 or 5.17.1 eliminates this vulnerability. Applying the patch 473a66f99cb8173c14138c5a5c69bfad04e8f9ac/cb64bd038beacb4331fe464a36c8b5481e8f51e2/a27ed2f3695baf15f9b34d2d7a1f9fc105539a81/290e05f346d1829e849662c97e42d5ad984f5258/662893b4f6bd466ff9e1cd454c44c26d32d554fe/2f928c0d5c02dbab49e8c19d98725c822f6fc409/6e7baf84149fb43950631415de231b3a41915aa3/7e0438f83dc769465ee663bb5dcf8cc154940712 is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at Tenable (225785). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 4.14.275
• 4.19.237
• 5.0
• 5.1
• 5.2
• 5.3
• 5.4
• 5.4.188
• 5.5
• 5.6
• 5.7
• 5.8
• 5.9
• 5.10
• 5.10.109
• 5.11
• 5.12
• 5.13
• 5.14
• 5.15
• 5.15.0
• 5.15.1
• 5.15.2
• 5.15.3
• 5.15.4
• 5.15.5
• 5.15.6
• 5.15.7
• 5.15.8
• 5.15.9
• 5.15.10
• 5.15.11
• 5.15.12
• 5.15.13
• 5.15.14
• 5.15.15
• 5.15.16
• 5.15.17
• 5.15.18
• 5.15.19
• 5.15.20
• 5.15.21
• 5.15.22
• 5.15.23
• 5.15.24
• 5.15.25
• 5.15.26
• 5.15.27
• 5.15.28
• 5.15.29
• 5.15.30
• 5.15.31
• 5.15.32
• 5.16
• 5.16.0
• 5.16.1
• 5.16.2
• 5.16.3
• 5.16.4
• 5.16.5
• 5.16.6
• 5.16.7
• 5.16.8
• 5.16.9
• 5.16.10
• 5.16.11
• 5.16.12
• 5.16.13
• 5.16.14
• 5.16.15
• 5.16.16
• 5.16.17
• 5.16.18
• 5.17.0

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion