A recent vulnerability identified in the Linux kernel has caught the attention of the cybersecurity community. The vulnerability, known as CVE-2021-46922, revolves around the handling of TPM (Trusted Platform Module) reservations when dealing with sealing and unsealing. This issue results in imbalanced operations, leading to potential crashes on TIS (Trusted Information Systems) based hardware.

In this post, we will explore the vulnerability as well as its impact, the released patch and a code snippet to provide more insight.

Vulnerability Overview

The root cause of CVE-2021-46922 is a discrepancy in the Linux kernel's handling of TPM reservations, specifically when performing seal and unseal operations. The original patch, 8c657a059de, was supposed to address this issue, but it was altered during the rebasing process. This alteration mistakenly removed the essential tpm_try_get_ops() call from tpm2_seal_trusted().

Original Patch & References

The original patch can be found on the Linux kernel mailing list with the full discussion and contribution from Jarkko Sakkinen:

https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/

Further information on the specifics of TPM 2.0 and its implementation in the Linux kernel can be found in the Linux kernel documentation:

https://www.kernel.org/doc/html/latest/security/keys/trusted-encrypted-keys.html

Code Snippet

The following code snippet outlines the correct implementation of the patch that fixes the vulnerability.

static int tpm2_seal_trusted(struct tpm_chip *chip,
			     struct trusted_key_payload *payload,
			     struct trusted_key_options *options)
{
	int rc;

	rc = tpm_try_get_ops(chip); // This function call was the missing piece in the rebasing process
	if (rc)
		return rc;

	rc = __tpm2_seal_trusted(chip, payload, options);

	tpm_put_ops(chip); // This call was left imbalanced in the original patch due to the missing get_ops call

	return rc;
}

Exploit Details

Because the regressed tpm2_seal_trusted() lacks the tpm_try_get_ops() call, the get and put operations on the TPM are imbalanced, which can lead to crashes or unexpected behavior on TIS based hardware.
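The get/put imbalance described above can be reproduced in a small userspace model. This is an added example, not kernel code and not part of the original patch: every model_* name is hypothetical, and the counters are an assumed stand-in for whatever the real get and put calls acquire and release.

```c
#include <stdio.h>
/* Userspace model, not kernel code: every model_* name is hypothetical. */
struct model_chip {
	int available;   /* 0 makes the get fail, as when the chip is gone */
	int ops_held;    /* gets not yet matched by a put */
	int bad_puts;    /* puts issued while nothing was held */
};

static int model_try_get_ops(struct model_chip *c)
{
	if (!c->available)
		return -1;       /* caller must NOT put after a failed get */
	c->ops_held++;
	return 0;
}

static void model_put_ops(struct model_chip *c)
{
	if (c->ops_held == 0)
		c->bad_puts++;   /* the imbalance: a release nobody acquired */
	else
		c->ops_held--;
}

/* Regressed shape: the get is missing, the put is still there. */
static int model_seal_regressed(struct model_chip *c, int work_rc)
{
	model_put_ops(c);
	return work_rc;
}

/* Fixed shape from the snippet above: get, do the work, always put. */
static int model_seal_fixed(struct model_chip *c, int work_rc)
{
	int rc = model_try_get_ops(c);
	if (rc)
		return rc;
	rc = work_rc;        /* stands in for the actual seal operation */
	model_put_ops(c);
	return rc;
}

int main(void)
{
	struct model_chip a = {1, 0, 0}, b = {1, 0, 0};
	model_seal_regressed(&a, 0);
	model_seal_fixed(&b, 0);
	printf("regressed bad_puts=%d, fixed bad_puts=%d\n", a.bad_puts, b.bad_puts);
	return 0;
}
```

The fixed shape stays balanced in three cases: the seal succeeds, the seal work fails after a successful get, and the get itself fails so no put is issued.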

Release & Patching

The fix for CVE-2021-46922 has been released and integrated into affected Linux kernel versions. To ensure your system is protected, it is crucial to apply the latest kernel updates and patches available for your distribution.

Conclusion

CVE-2021-46922 highlights the importance of proper patch implementation and thorough review processes when addressing vulnerabilities in critical systems like the Linux kernel. It's essential to stay informed about the latest vulnerabilities and ensure your systems are updated with the appropriate patches and software versions.

Timeline

Published on: 02/27/2024 10:15:07 UTC
Last modified on: 04/10/2024 15:31:51 UTC