sharkcz / rpms / kernel

Forked from rpms/kernel 6 years ago
Clone
Source Code
GIT

Files

26 Label_NFS configs f10 f11 f12 f12-user-myoung-xendom0 f13 f13-2.6.33-master f13-user-steved-pnfs-13 f14 f14-user-kyle-bz664206 f14-user-kyle-f14-2.6.37 f14-user-lkundrak-vaio-brightness-645937 f14-user-steved-pnfs-f14 f15 f15-2.6.39 f15-30-going-on-40 f15-user-steved-pnfs-f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f25-pf f26 f27 f28 f7 f8 f9 master ppc private-jcm-arm-nosmp-kallsyms private-jcm-arm-nosmp-kallsyms-f17 rawhide/user/hadess/surface3 rawhide/user/kyle/kernel-36 rawhide/user/kyle/kernel-git rawhide/user/lkundrak/lguest rawhide/user/myoung/xendom0 rawhide/user/steved/pnfs-rawhide rhbz_1205083 stabilization talos user/steved/f19-lnfs-v3.8 user/steved/f19-lnfs-v3.8-rc7
  1.   f14
  2.   TPM-Zero-buffer-after-copying-to-userspace.patch
Blob Blame History Raw 
From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
From: Peter Huewe <huewe.external.infineon@googlemail.com>
Date: Thu, 15 Sep 2011 14:47:42 -0300
Subject: [PATCH] TPM: Zero buffer after copying to userspace

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.

Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>
---
 drivers/char/tpm/tpm.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 1fe9793..9ca5c02 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 {
 	struct tpm_chip *chip = file->private_data;
 	ssize_t ret_size;
+	int rc;
 
 	del_singleshot_timer_sync(&chip->user_read_timer);
 	flush_work_sync(&chip->work);
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 			ret_size = size;
 
 		mutex_lock(&chip->buffer_mutex);
-		if (copy_to_user(buf, chip->data_buffer, ret_size))
+		rc = copy_to_user(buf, chip->data_buffer, ret_size);
+		memset(chip->data_buffer, 0, ret_size);
+		if (rc)
 			ret_size = -EFAULT;
+
 		mutex_unlock(&chip->buffer_mutex);
 	}
 
-- 
1.7.6
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.