From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-Id: <20120205220951.334100926@pcw.home.local> Date: Sun, 05 Feb 2012 23:10:33 +0100 From: Willy Tarreau To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Rajiv Andrade , James Morris , Greg KH Subject: [PATCH 44/91] TPM: Zero buffer after copying to userspace In-Reply-To: <0635750f5f06ed2ca212b91fcb5c4483@local> Sender: linux-kernel-owner@vger.kernel.org List-ID: 2.6.27-longterm review patch. If anyone has any objections, please let us know. ------------------ commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman --- drivers/char/tpm/tpm.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) Index: longterm-2.6.27/drivers/char/tpm/tpm.c =================================================================== --- longterm-2.6.27.orig/drivers/char/tpm/tpm.c 2012-02-05 22:34:40.951915689 +0100 +++ longterm-2.6.27/drivers/char/tpm/tpm.c 2012-02-05 22:34:41.090914667 +0100 @@ -1069,6 +1069,7 @@ { struct tpm_chip *chip = file->private_data; ssize_t ret_size; + int rc; del_singleshot_timer_sync(&chip->user_read_timer); flush_scheduled_work(); @@ -1079,8 +1080,11 @@ ret_size = size; mutex_lock(&chip->buffer_mutex); - if (copy_to_user(buf, chip->data_buffer, ret_size)) + rc = copy_to_user(buf, chip->data_buffer, ret_size); + memset(chip->data_buffer, 0, ret_size); + if (rc) ret_size = -EFAULT; + mutex_unlock(&chip->buffer_mutex); }