| From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001 |
| From: Peter Huewe <huewe.external.infineon@googlemail.com> |
| Date: Thu, 15 Sep 2011 14:47:42 -0300 |
| Subject: TPM: Zero buffer after copying to userspace |
| |
| From: Peter Huewe <huewe.external.infineon@googlemail.com> |
| |
| commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. |
| |
| Since the buffer might contain security related data it might be a good idea to |
| zero the buffer after we have copied it to userspace. |
| |
| This got assigned CVE-2011-1162. |
| |
| Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> |
| Signed-off-by: James Morris <jmorris@namei.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/char/tpm/tpm.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/char/tpm/tpm.c |
| +++ b/drivers/char/tpm/tpm.c |
| @@ -1030,6 +1030,7 @@ ssize_t tpm_read(struct file *file, char |
| { |
| struct tpm_chip *chip = file->private_data; |
| ssize_t ret_size; |
| + int rc; |
| |
| del_singleshot_timer_sync(&chip->user_read_timer); |
| flush_scheduled_work(); |
| @@ -1040,8 +1041,11 @@ ssize_t tpm_read(struct file *file, char |
| ret_size = size; |
| |
| mutex_lock(&chip->buffer_mutex); |
| - if (copy_to_user(buf, chip->data_buffer, ret_size)) |
| + rc = copy_to_user(buf, chip->data_buffer, ret_size); |
| + memset(chip->data_buffer, 0, ret_size); |
| + if (rc) |
| ret_size = -EFAULT; |
| + |
| mutex_unlock(&chip->buffer_mutex); |
| } |
| |