releases/2.6.33.20/tpm-zero-buffer-after-copying-to-userspace.patch - pub/scm/linux/kernel/git/longterm/longterm-queue-2.6.33 - Git at Google

 From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
 From: Peter Huewe <huewe.external.infineon@googlemail.com>
 Date: Thu, 15 Sep 2011 14:47:42 -0300
 Subject: TPM: Zero buffer after copying to userspace

 From: Peter Huewe <huewe.external.infineon@googlemail.com>

 commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.

 Since the buffer might contain security related data it might be a good idea to
 zero the buffer after we have copied it to userspace.

 This got assigned CVE-2011-1162.

 Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
 Signed-off-by: James Morris <jmorris@namei.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

 ---
  drivers/char/tpm/tpm.c |    6 +++++-
  1 file changed, 5 insertions(+), 1 deletion(-)

 --- a/drivers/char/tpm/tpm.c
 +++ b/drivers/char/tpm/tpm.c
 @@ -1030,6 +1030,7 @@ ssize_t tpm_read(struct file *file, char
  {
  	struct tpm_chip *chip = file->private_data;
  	ssize_t ret_size;
 +	int rc;

  	del_singleshot_timer_sync(&chip->user_read_timer);
  	flush_scheduled_work();
 @@ -1040,8 +1041,11 @@ ssize_t tpm_read(struct file *file, char
  			ret_size = size;

  		mutex_lock(&chip->buffer_mutex);
 -		if (copy_to_user(buf, chip->data_buffer, ret_size))
 +		rc = copy_to_user(buf, chip->data_buffer, ret_size);
 +		memset(chip->data_buffer, 0, ret_size);
 +		if (rc)
  			ret_size = -EFAULT;
 +
  		mutex_unlock(&chip->buffer_mutex);
  	}
	From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
	From: Peter Huewe <huewe.external.infineon@googlemail.com>
	Date: Thu, 15 Sep 2011 14:47:42 -0300
	Subject: TPM: Zero buffer after copying to userspace

	From: Peter Huewe <huewe.external.infineon@googlemail.com>

	commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.

	Since the buffer might contain security related data it might be a good idea to
	zero the buffer after we have copied it to userspace.

	This got assigned CVE-2011-1162.

	Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
	Signed-off-by: James Morris <jmorris@namei.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

	---
	drivers/char/tpm/tpm.c \| 6 +++++-
	1 file changed, 5 insertions(+), 1 deletion(-)

	--- a/drivers/char/tpm/tpm.c
	+++ b/drivers/char/tpm/tpm.c
	@@ -1030,6 +1030,7 @@ ssize_t tpm_read(struct file *file, char
	{
	struct tpm_chip *chip = file->private_data;
	ssize_t ret_size;
	+ int rc;

	del_singleshot_timer_sync(&chip->user_read_timer);
	flush_scheduled_work();
	@@ -1040,8 +1041,11 @@ ssize_t tpm_read(struct file *file, char
	ret_size = size;

	mutex_lock(&chip->buffer_mutex);
	- if (copy_to_user(buf, chip->data_buffer, ret_size))
	+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
	+ memset(chip->data_buffer, 0, ret_size);
	+ if (rc)
	ret_size = -EFAULT;
	+
	mutex_unlock(&chip->buffer_mutex);
	}