]> git.karo-electronics.de Git - karo-tx-linux.git/commitdiff
projects / karo-tx-linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5fde0bd)
TPM: Zero buffer after copying to userspace
authorPeter Huewe <huewe.external.infineon@googlemail.com>
Thu, 15 Sep 2011 17:47:42 +0000 (14:47 -0300)
committerPaul Gortmaker <paul.gortmaker@windriver.com>
Fri, 17 Aug 2012 19:35:18 +0000 (15:35 -0400)
commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.

Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
drivers/char/tpm/tpm.c patch | blob | history

diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index f39e5ee17d495944db687a87304f6be8a2a3c612..9fe4683ad94c64178d15a6a45d57eb32fbc9332f 100644 (file)
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1031,6 +1031,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 {
        struct tpm_chip *chip = file->private_data;
        ssize_t ret_size;
+       int rc;
 
        del_singleshot_timer_sync(&chip->user_read_timer);
        flush_scheduled_work();
@@ -1041,8 +1042,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
                        ret_size = size;
 
                mutex_lock(&chip->buffer_mutex);
-               if (copy_to_user(buf, chip->data_buffer, ret_size))
+               rc = copy_to_user(buf, chip->data_buffer, ret_size);
+               memset(chip->data_buffer, 0, ret_size);
+               if (rc)
                        ret_size = -EFAULT;
+
                mutex_unlock(&chip->buffer_mutex);
        }
 
Linux kernel for KaRo TX COM modules