diff options
author | Peter Huewe <huewe.external.infineon@googlemail.com> | 2011-09-15 14:47:42 -0300 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2012-02-11 15:37:43 +0100 |
commit | 44e10df607da3c5d68116ddcbbe3cb56bba13945 (patch) | |
tree | 6d2c98d34a34e6e89b8db421a7b8f4464d856836 /drivers | |
parent | b7927ee3da57b29c3819fc25aec8ea522df58930 (diff) |
TPM: Zero buffer after copying to userspace
commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream.
Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.
This got assigned CVE-2011-1162.
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/char/tpm/tpm.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index 4569d24e76c0..d97bffd80d5f 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -1069,6 +1069,7 @@ ssize_t tpm_read(struct file *file, char __user *buf, { struct tpm_chip *chip = file->private_data; ssize_t ret_size; + int rc; del_singleshot_timer_sync(&chip->user_read_timer); flush_scheduled_work(); @@ -1079,8 +1080,11 @@ ssize_t tpm_read(struct file *file, char __user *buf, ret_size = size; mutex_lock(&chip->buffer_mutex); - if (copy_to_user(buf, chip->data_buffer, ret_size)) + rc = copy_to_user(buf, chip->data_buffer, ret_size); + memset(chip->data_buffer, 0, ret_size); + if (rc) ret_size = -EFAULT; + mutex_unlock(&chip->buffer_mutex); } |