author: Paul Gortmaker <paul.gortmaker@windriver.com> 2012-08-17 14:18:11 -0400
committer: Paul Gortmaker <paul.gortmaker@windriver.com> 2012-08-17 14:18:11 -0400
commit: ddc948f77adf2997c263ac3fff56b40d641be7d2 (patch)
tree: fd5ee598f7213aa38d3376b59a107abf3cc4d65f
parent: 0b9c58384fb92389f0fb2e955a2e950295591950 (diff)
download: longterm-queue-2.6.34-ddc948f77adf2997c263ac3fff56b40d641be7d2.tar.gz
TPM: really zero the whole buffer.
Herton notes:

------
> commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.
>
> Since the buffer might contain security related data it might be a good idea to
> zero the buffer after we have copied it to userspace.
>
> This got assigned CVE-2011-1162.
>
> Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
> Signed-off-by: James Morris <jmorris@namei.org>
> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
[...]

commit 3ab1aff89477dafb1aaeafe8c8669114a02b7226 ("TPM: Zero buffer whole after
copying to userspace") is something to consider to be applied after this,
either with this update or later 2.6.34 update. It complements this change,
just fyi.
------

Reported-by: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- queue/TPM-Zero-buffer-whole-after-copying-to-userspace.patch 43
-rw-r--r-- queue/series 2
2 files changed, 45 insertions, 0 deletions
diff --git a/queue/TPM-Zero-buffer-whole-after-copying-to-userspace.patch b/queue/TPM-Zero-buffer-whole-after-copying-to-userspace.patch
new file mode 100644
index 0000000..f2809ad
--- /dev/null
+++ b/queue/TPM-Zero-buffer-whole-after-copying-to-userspace.patch
@@ -0,0 +1,43 @@
+From 0a4ee0e848c0296f03dc20478a5f469b5cb6ae65 Mon Sep 17 00:00:00 2001
+From: Tim Gardner <tim.gardner@canonical.com>
+Date: Tue, 6 Dec 2011 11:29:20 -0700
+Subject: [PATCH] TPM: Zero buffer whole after copying to userspace
+
+commit 3ab1aff89477dafb1aaeafe8c8669114a02b7226 upstream.
+
+Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM
+buffer if the user specified read length is >= the TPM buffer length. However,
+if the user specified read length is < the TPM buffer length, then part of the
+TPM buffer is left uncleared.
+
+Reported-by: Seth Forshee <seth.forshee@canonical.com>
+Cc: Debora Velarde <debora@linux.vnet.ibm.com>
+Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
+Cc: Marcel Selhorst <m.selhorst@sirrix.com>
+Cc: tpmdd-devel@lists.sourceforge.net
+Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
+Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index 9fe4683..2ecf34a 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1038,12 +1038,13 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ ret_size = atomic_read(&chip->data_pending);
+ atomic_set(&chip->data_pending, 0);
+ if (ret_size > 0) { /* relay data */
++ ssize_t orig_ret_size = ret_size;
+ if (size < ret_size)
+ ret_size = size;
+
+ mutex_lock(&chip->buffer_mutex);
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+- memset(chip->data_buffer, 0, ret_size);
++ memset(chip->data_buffer, 0, orig_ret_size);
+ if (rc)
+ ret_size = -EFAULT;
+
+--
+1.7.12.rc2
+
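Review bot: the subject promises that the whole buffer is zeroed, but at `memset(chip->data_buffer, 0, orig_ret_size);` only the pending response length is cleared, so the claim holds only if nothing beyond data_pending bytes of chip->data_buffer can carry stale data. Either state that assumption in a comment at the memset or clear by the buffer's full size. A second comment would help at `if (size < ret_size)`: data_pending has already been reset to 0 and the buffer is now wiped in full, so a short read discards the unread tail and userspace cannot fetch the remainder with a second read.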
diff --git a/queue/series b/queue/series
index 9b07bf1..c4b2ce1 100644
--- a/queue/series
+++ b/queue/series
@@ -49,6 +49,8 @@ ASIX-Add-AX88772B-USB-ID.patch
hvc_console-Improve-tty-console-put_chars-handling.patch
TPM-Call-tpm_transmit-with-correct-size.patch
TPM-Zero-buffer-after-copying-to-userspace.patch
+# below needed to really fix the above.
+TPM-Zero-buffer-whole-after-copying-to-userspace.patch
libiscsi_tcp-fix-LLD-data-allocation.patch
cnic-Improve-NETDEV_UP-event-handling.patch
ALSA-hda-realtek-Avoid-bogus-HP-pin-assignment.patch
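Review bot: the added comment `# below needed to really fix the above.` does not say what the earlier entry left unfixed. Naming the case would serve later maintainers of the queue better, for example that the following patch covers reads shorter than the pending TPM data and corresponds to upstream 3ab1aff89477dafb1aaeafe8c8669114a02b7226. A purely positional "below"/"above" reference also goes stale if entries are reordered or another patch is inserted between the two.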