Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's TPM (Trusted Platform Module) handling has been identified, specifically related to reference counting for the TPM chip structure. This issue can lead to a use-after-free condition. The vulnerability arises when the TPM device is accessed through the TPM 2 character device interface while the reference count is already zero, causing a warning about an invalid reference count operation. The problem is linked to the timing of when the TPM 2 device is registered and how the reference count is managed, particularly after certain TPM commands are sent.
Exploitation of this vulnerability can lead to a use-after-free condition, where a program continues to use a memory reference after it has been freed, potentially causing memory corruption or allowing for arbitrary code execution.
To reproduce this vulnerability, open the TPM 2.0 device through the /dev/tpmrm interface. Then, remove the tpm_tis_spi module. Afterward, write a TPM command to the open file descriptor. This sequence of operations will trigger a refcount warning, indicating the presence of the vulnerability.
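The refcount warning named in the steps above is something a defender can look for in collected kernel logs. The script below is an added example, not part of the original advisory or of the kernel project. Its sample log is constructed, and treating a `tpm*+0x` frame inside the warning block as the TPM indicator is an assumption.

```shell
#!/bin/sh
# Added example: triage a kernel log for "increment from zero" refcount warnings.
# The message text is what the kernel's lib/refcount.c prints for that case.
# Assumption: a warning is TPM-related when a frame in its trace names a tpm* function.

# Constructed sample log (not captured from a real system).
SAMPLE_LOG='[  101.000001] ------------[ cut here ]------------
[  101.000002] refcount_t: addition on 0; use-after-free.
[  101.000003] WARNING: CPU: 1 PID: 900 at lib/refcount.c:25 kobject_get+0xa0/0xa4
[  101.000004]  get_device+0x20/0x24
[  101.000005]  tpm_try_get_ops+0x14/0x54
[  101.000006]  tpm_common_write+0x38/0x60
[  101.000007] ---[ end trace 0000000000000000 ]---
[  205.000001] ------------[ cut here ]------------
[  205.000002] refcount_t: addition on 0; use-after-free.
[  205.000003] WARNING: CPU: 0 PID: 77 at lib/refcount.c:25 example_get+0x10/0x20
[  205.000004] Modules linked in: tpm_tis_spi tpm_tis_core
[  205.000005]  example_driver_open+0x30/0x50
[  205.000006] ---[ end trace 0000000000000000 ]---
[  300.000001] tpm_tis_spi spi0.0: 2.0 TPM (device-id 0x1B, rev-id 22)'

# Reads a kernel log on stdin; prints "<timestamp> tpm" or "<timestamp> other"
# for every warning block that contains the addition-on-zero message.
classify_refcount_warnings() {
    awk '
        function emit() { if (hit) print ts, (tpm ? "tpm" : "other"); hit = 0; tpm = 0 }
        /cut here/  { emit(); inblk = 1; next }   # start of a warning block
        /end trace/ { emit(); inblk = 0; next }   # end of a warning block
        !inblk      { next }                      # ignore ordinary log lines
        /refcount_t: addition on 0; use-after-free/ {
            hit = 1
            ts = match($0, /[0-9]+\.[0-9]+/) ? substr($0, RSTART, RLENGTH) : "?"
        }
        # Only stack frames count; a "Modules linked in:" line naming tpm modules does not.
        /tpm[_a-z0-9]*\+0x/ { tpm = 1 }
        END { emit() }                            # block cut off at end of log
    '
}

# Number of addition-on-zero warnings whose trace passes through TPM code.
count_tpm_refcount_warnings() {
    classify_refcount_warnings | grep -c ' tpm$' || true
}

# Demo on the constructed sample; on a live host use: dmesg | classify_refcount_warnings
printf '%s\n' "$SAMPLE_LOG" | classify_refcount_warnings
```

A `tpm` result on a host that has not yet been updated is a reason to prioritise the kernel update on that host.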
Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the official documentation for the specific Linux distribution in use.