Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.10, < 6.10.0-rc1
A vulnerability exists in the Linux kernel's handling of TPM (Trusted Platform Module) authentication session data. The issue arises in the 'tpm_dev_release()' function, which uses the standard 'kfree()' to deallocate memory containing sensitive cryptographic information, such as HMAC session keys, nonces, and passphrase data. This approach leaves critical data in freed memory until it is overwritten, creating a potential security risk. In contrast, other functions that manage this data correctly use 'kfree_sensitive()' to clear the information before freeing it. This vulnerability affects Linux kernel versions 6.10 and later.
Failing to properly clear sensitive cryptographic material before memory is released could lead to unauthorized access to HMAC session keys, nonces, and passphrase data, potentially allowing for exploitation of the TPM authentication mechanism.
The vulnerability can be reproduced by creating a TPM authentication session and then releasing it without using 'kfree_sensitive()' to clear the sensitive data. This can be done by modifying the 'tpm_dev_release()' function to use the standard 'kfree()' instead of 'kfree_sensitive()'. After the session is released, the sensitive data will remain in the freed memory until it is eventually overwritten.
Users can upgrade to the latest version of the Linux kernel, where this vulnerability has been addressed by modifying the 'tpm_dev_release()' function to use 'kfree_sensitive()' instead of 'kfree()'.
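The difference between the two release paths, shown as an added user-space example (not kernel code and not part of the original advisory): a one-slot toy allocator stands in for the kernel allocator so the released memory can be inspected safely. `struct demo_auth`, `demo_free()`, `demo_free_sensitive()` and the byte patterns are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the session data the advisory lists. */
struct demo_auth {
    unsigned char session_key[32], nonce[32], passphrase[32];
};

/* One-slot toy allocator: lets us inspect "freed" memory without
 * the undefined behaviour of reading a real freed heap chunk. */
static struct demo_auth slot;
static int slot_in_use;

static struct demo_auth *demo_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return &slot;
}

/* Models kfree(): the slot is released, its bytes are untouched. */
static void demo_free(struct demo_auth *p) { if (p) slot_in_use = 0; }

/* Models kfree_sensitive(): wipe first, then release. The volatile
 * pointer keeps the compiler from dropping the wipe as a dead store. */
static void demo_free_sensitive(struct demo_auth *p) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    for (size_t i = 0; p && i < sizeof(*p); i++) v[i] = 0;
    demo_free(p);
}

/* Fill a session with constructed secrets, release it with the given
 * routine, and count the secret bytes still readable in the slot. */
static size_t residue_after(void (*release)(struct demo_auth *)) {
    struct demo_auth *a = demo_alloc();
    if (!a) return (size_t)-1;
    memset(a->session_key, 0xA5, sizeof(a->session_key));
    memset(a->nonce, 0x5A, sizeof(a->nonce));
    memset(a->passphrase, 0x3C, sizeof(a->passphrase));
    release(a);
    const unsigned char *raw = (const unsigned char *)&slot;
    size_t left = 0;
    for (size_t i = 0; i < sizeof(slot); i++) left += raw[i] != 0;
    return left;
}

int main(void) {
    printf("plain free: %zu bytes left, wiping free: %zu bytes left\n",
           residue_after(demo_free), residue_after(demo_free_sensitive));
    return 0;
}
```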