Linux Kernel TPM RNG Defect Handling Vulnerability Unregistration Crash

A vulnerability in the Linux kernel's TPM (Trusted Platform Module) handling has been identified, specifically related to the hardware random number generator (hwrng) unregistration process. This issue arises on certain AMD designs where the fTPM (firmware TPM) is used. The problem was triggered by a missing invariant check, which led to a list corruption error during the unregistration of the hwrng, causing a kernel crash. The vulnerability affects several versions of the Linux kernel, including 6.2.8.

Impact

The vulnerability causes a kernel crash due to list corruption, where a list deletion operation encounters a NULL pointer, leading to a 'kernel BUG' and an invalid opcode error. This type of corruption can disrupt normal kernel operations and potentially be exploited to cause a denial of service.

Reproduction

The vulnerability can be reproduced by unregistering the hardware random number generator for a TPM chip on an affected AMD system design. This can be done by loading a module that interacts with the TPM, which will trigger the unregistration process. The missing invariant check will allow the unregistration to proceed incorrectly, causing the list corruption and subsequent crash.

Remediation

Users can upgrade to a patched version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.