TPM: Zero buffer after copying to userspace commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit: 1d43a87614596faf4b9cae2d0c894aa67a7c5121 [log] [tgz]
author: Peter Huewe <huewe.external.infineon@googlemail.com> Thu Sep 15 14:47:42 2011 -0300
committer: Greg Kroah-Hartman <gregkh@suse.de> Mon Oct 03 11:40:58 2011 -0700
tree: 95dacb9911e577b4a4284f0951fc646eb8a48ee0
parent: 108885cc2856128a266423d45f617e65961048f7 [diff] [blame]
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 9267629..b85ee76 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c

@@ -1055,6 +1055,7 @@
 {
 	struct tpm_chip *chip = file->private_data;
 	ssize_t ret_size;
+	int rc;
 
 	del_singleshot_timer_sync(&chip->user_read_timer);
 	flush_work_sync(&chip->work);
@@ -1065,8 +1066,11 @@
 			ret_size = size;
 
 		mutex_lock(&chip->buffer_mutex);
-		if (copy_to_user(buf, chip->data_buffer, ret_size))
+		rc = copy_to_user(buf, chip->data_buffer, ret_size);
+		memset(chip->data_buffer, 0, ret_size);
+		if (rc)
 			ret_size = -EFAULT;
+
 		mutex_unlock(&chip->buffer_mutex);
 	}
commit	1d43a87614596faf4b9cae2d0c894aa67a7c5121	[log] [tgz]
author	Peter Huewe <huewe.external.infineon@googlemail.com>	Thu Sep 15 14:47:42 2011 -0300
committer	Greg Kroah-Hartman <gregkh@suse.de>	Mon Oct 03 11:40:58 2011 -0700
tree	95dacb9911e577b4a4284f0951fc646eb8a48ee0
parent	108885cc2856128a266423d45f617e65961048f7 [diff] [blame]