Linux Kernel TPM2 Sessions Out-of-Range Indexing Vulnerability in Name Size Handling

Vulnerability

A vulnerability in the Linux kernel's TPM2 session management has been addressed. The issue stemmed from the 'name_size' function, which lacked proper range checks: it used the TPM_ALG_ID value directly as an index without validating it, so an unexpected value caused out-of-range indexing and could lead to memory corruption. The fix processes only recognized values and returns an error for unrecognized ones. To carry that error back to callers, the functions 'tpm_buf_append_name' and 'tpm_buf_fill_hmac_session' can now report errors. Additionally, the authorization session is now properly ended on failure to prevent corruption of the session state.
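
The indexing problem and the fix described above, shown as an added userspace C example (not the kernel's own code). The helper names name_alg, name_size_unchecked and name_size_checked, the lookup table and the sample names are assumptions made for illustration; the algorithm IDs are the TCG registry values, and each size is the digest length plus the 2-byte ID.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hash algorithm IDs from the TCG algorithm registry. */
#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000B
#define TPM_ALG_SHA384 0x000C
#define TPM_ALG_SHA512 0x000D

/* A TPM2 name is a 2-byte big-endian algorithm ID followed by the digest. */
static uint16_t name_alg(const uint8_t *name)
{
    return (uint16_t)((name[0] << 8) | name[1]);
}

/* Unchecked pattern: the table has 14 entries, but the ID can be up to 0xFFFF. */
static const uint8_t size_map[] = {
    [TPM_ALG_SHA1] = 20, [TPM_ALG_SHA256] = 32,
    [TPM_ALG_SHA384] = 48, [TPM_ALG_SHA512] = 64,
};
static int name_size_unchecked(const uint8_t *name)
{
    return size_map[name_alg(name)] + 2;  /* out-of-range read if ID > 0x000D */
}

/* Checked pattern: only recognized IDs yield a size, anything else is an error. */
static int name_size_checked(const uint8_t *name)
{
    switch (name_alg(name)) {
    case TPM_ALG_SHA1:   return 20 + 2;
    case TPM_ALG_SHA256: return 32 + 2;
    case TPM_ALG_SHA384: return 48 + 2;
    case TPM_ALG_SHA512: return 64 + 2;
    default:             return -EINVAL;
    }
}

int main(void)
{
    const uint8_t sha256_name[34] = { 0x00, 0x0B };  /* constructed sample */
    const uint8_t bogus_name[2]   = { 0xFF, 0xFF };  /* constructed, unrecognized ID */

    printf("unchecked sha256: %d\n", name_size_unchecked(sha256_name));
    printf("checked sha256:   %d\n", name_size_checked(sha256_name));
    printf("checked bogus:    %d\n", name_size_checked(bogus_name));
    return 0;
}
```

The checked variant also rejects in-range IDs that fall in the table's gaps (for example 0x0005), which the table lookup would silently treat as a zero-length digest.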

Impact

Exploitation of this vulnerability could lead to memory corruption.

Remediation

Users can upgrade to the latest version of the Linux kernel to address this vulnerability.

Added: Jan 13, 2026, 6:18 PM
Updated: Jan 13, 2026, 6:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 2.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.