TPM: Zero buffer after copying to userspace

Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Cc: Stable Kernel <stable@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
author: Peter Huewe <huewe.external.infineon@googlemail.com> 2011-09-15 14:47:42 -0300
committer: James Morris <jmorris@namei.org> 2011-09-23 09:46:41 +1000
commit: 3321c07ae5068568cd61ac9f4ba749006a7185c9 (patch)
tree: bcd169e21c2f71651ab840ee77152094db0c3deb /drivers/char
parent: 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 1fe979335835..9ca5c021d0b6 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 {
 	struct tpm_chip *chip = file->private_data;
 	ssize_t ret_size;
+	int rc;
 
 	del_singleshot_timer_sync(&chip->user_read_timer);
 	flush_work_sync(&chip->work);
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 			ret_size = size;
 
 		mutex_lock(&chip->buffer_mutex);
-		if (copy_to_user(buf, chip->data_buffer, ret_size))
+		rc = copy_to_user(buf, chip->data_buffer, ret_size);
+		memset(chip->data_buffer, 0, ret_size);
+		if (rc)
 			ret_size = -EFAULT;
+
 		mutex_unlock(&chip->buffer_mutex);
 	}
author	Peter Huewe <huewe.external.infineon@googlemail.com>	2011-09-15 14:47:42 -0300
committer	James Morris <jmorris@namei.org>	2011-09-23 09:46:41 +1000
commit	3321c07ae5068568cd61ac9f4ba749006a7185c9 (patch)
tree	bcd169e21c2f71651ab840ee77152094db0c3deb /drivers/char
parent	6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 (diff)