DL-Mirrors/kernel-tenderloin-3.0
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

TPM: Zero buffer after copying to userspace

Browse Source 
commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.

Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
Peter Huewe
2011-09-15 14:47:42 -03:00
committed by Greg Kroah-Hartman
parent 108885cc28
commit 1d43a87614
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/char/tpm/tpm.c
View File

@@ -1055,6 +1055,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
{ {
struct tpm_chip *chip = file->private_data; struct tpm_chip *chip = file->private_data;
ssize_t ret_size; ssize_t ret_size;
int rc;
del_singleshot_timer_sync(&chip->user_read_timer); del_singleshot_timer_sync(&chip->user_read_timer);
flush_work_sync(&chip->work); flush_work_sync(&chip->work);
@@ -1065,8 +1066,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
ret_size = size; ret_size = size;
mutex_lock(&chip->buffer_mutex); mutex_lock(&chip->buffer_mutex);
if (copy_to_user(buf, chip->data_buffer, ret_size)) rc = copy_to_user(buf, chip->data_buffer, ret_size);
memset(chip->data_buffer, 0, ret_size);
if (rc)
ret_size = -EFAULT; ret_size = -EFAULT;
mutex_unlock(&chip->buffer_mutex); mutex_unlock(&chip->buffer_mutex);
} }