TPM: Zero buffer after copying to userspace
On Mon, Dec 05, 2011 at 04:18:42PM +0000, Andy Whitcroft wrote:
> From: Peter Huewe <firstname.lastname@example.org>
> Since the buffer might contain security related data it might be a good idea to
> zero the buffer after we have copied it to userspace.
> This got assigned CVE-2011-1162.
> Signed-off-by: Rajiv Andrade <email@example.com>
> Cc: Stable Kernel <firstname.lastname@example.org>
> Signed-off-by: James Morris <email@example.com>
> (cherry picked from commit 3321c07ae5068568cd61ac9f4ba749006a7185c9)
> BugLink: http://bugs.launchpad.net/bugs/899463
> Signed-off-by: Andy Whitcroft <firstname.lastname@example.org>
> drivers/char/tpm/tpm.c | 6 +++++-
> 1 files changed, 5 insertions(+), 1 deletions(-)
> diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
> index 7beb0e2..f59dc23 100644
> --- a/drivers/char/tpm/tpm.c
> +++ b/drivers/char/tpm/tpm.c
> @@ -1052,6 +1052,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
> struct tpm_chip *chip = file->private_data;
> ssize_t ret_size;
> + int rc;
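Review bot: the new `int rc` in the first hunk does not match what it is later assigned from. copy_to_user() returns an unsigned long (the number of bytes that could not be copied), so declaring this as `unsigned long rc` would avoid an implicit narrowing conversion. Nothing breaks in practice, because the value is only tested for non-zero in the second hunk, but the type should say what the value is.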
> @@ -1062,8 +1063,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
> ret_size = size;
> - if (copy_to_user(buf, chip->data_buffer, ret_size))
> + rc = copy_to_user(buf, chip->data_buffer, ret_size);
> + memset(chip->data_buffer, 0, ret_size);
I realize this is the same as in the upstream commit. But ...
Just before the context quoted here, tpm_read gets the amount of data in
chip->data_buffer and stores it in ret_size, but then limits ret_size
based off of the size of the user buffer. So potentially there could be
data in the buffer that isn't getting zeroed out. Seems like an
incomplete fix to me.
Unrelated to this patch, I also think tpm_read and tpm_write race on the
data buffer. I think tpm_read ought not set chip->data_pending to 0
until it has finished pulling the data out of the buffer and zeroing it.
> + if (rc)
> ret_size = -EFAULT;
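Review bot: the length passed to `memset(chip->data_buffer, 0, ret_size)` is the wrong one for a scrub. The context line `ret_size = size;` shows ret_size can already have been reduced to the caller's read size by this point, so any response bytes beyond it stay in chip->data_buffer after the read returns. Keep the pre-clamp length in a separate variable and zero that many bytes (or the whole buffer), so the clear covers everything that was placed in the buffer rather than only what was copied out.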
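The partial clear described in the reply above can be reproduced in a small userspace model. This is an added example, not code from the patch or the kernel: `model_chip`, `model_fill`, `model_read`, `model_residual`, the 64-byte buffer and the 0xA5 fill are all constructed for illustration, and memcpy stands in for copy_to_user.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 64  /* constructed size, not taken from the driver */

/* Hypothetical stand-in for the chip state discussed in the thread. */
struct model_chip {
    unsigned char data_buffer[BUF_SIZE];
    size_t pending;  /* bytes of response data waiting to be read */
};

/* Load n (<= BUF_SIZE) bytes of constructed response data (0xA5). */
static void model_fill(struct model_chip *c, size_t n)
{
    memset(c->data_buffer, 0, BUF_SIZE);
    memset(c->data_buffer, 0xA5, n);
    c->pending = n;
}

/* Clamp to the caller's size, copy, then zero. full_clear == 0 zeroes only
 * the clamped length (as in the patch); otherwise the pre-clamp length. */
static size_t model_read(struct model_chip *c, unsigned char *out, size_t size, int full_clear)
{
    size_t pending = c->pending;
    size_t ret_size = pending < size ? pending : size;
    memcpy(out, c->data_buffer, ret_size);  /* stands in for copy_to_user */
    memset(c->data_buffer, 0, full_clear ? pending : ret_size);
    c->pending = 0;
    return ret_size;
}

/* Count bytes of response data still present in the buffer. */
static size_t model_residual(const struct model_chip *c)
{
    size_t i, n = 0;
    for (i = 0; i < BUF_SIZE; i++)
        n += c->data_buffer[i] != 0;
    return n;
}

int main(void)
{
    struct model_chip c;
    unsigned char out[8];
    for (int mode = 0; mode <= 1; mode++) {
        model_fill(&c, 32);  /* 32-byte response, 8-byte read */
        model_read(&c, out, sizeof(out), mode);
        printf("full_clear=%d: %zu bytes left\n", mode, model_residual(&c));
    }
    return 0;
}
```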