[hardy CVE 1/1] TPM: Zero buffer after copying to userspace
Andy Whitcroft
apw at canonical.com
Mon Dec 5 16:18:40 UTC 2011
From: Peter Huewe <huewe.external.infineon at googlemail.com>
Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.
This got assigned CVE-2011-1162.
Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
Cc: Stable Kernel <stable at kernel.org>
Signed-off-by: James Morris <jmorris at namei.org>
(backported from commit 3321c07ae5068568cd61ac9f4ba749006a7185c9)
CVE-2011-1162
BugLink: http://bugs.launchpad.net/bugs/899463
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
drivers/char/tpm/tpm.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 14ad745..27dd72d 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -997,6 +997,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
{
struct tpm_chip *chip = file->private_data;
int ret_size;
+ int rc;
del_singleshot_timer_sync(&chip->user_read_timer);
flush_scheduled_work();
@@ -1007,8 +1008,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
ret_size = size;
mutex_lock(&chip->buffer_mutex);
- if (copy_to_user(buf, chip->data_buffer, ret_size))
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+ memset(chip->data_buffer, 0, ret_size);
+ if (rc)
ret_size = -EFAULT;
+
mutex_unlock(&chip->buffer_mutex);
}
--
1.7.5.4
More information about the kernel-team
mailing list