TPM: Zero buffer after copying to userspace

commit 3321c07a upstream. Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

TPM: Zero buffer after copying to userspace
commit 3321c07a upstream. Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
8cef0aa0 · Peter Huewe · Greg Kroah-Hartman · f891a7b0 · 8cef0aa0
Commit 8cef0aa0 authored Sep 15, 2011 by Peter Huewe Committed by Greg Kroah-Hartman Nov 07, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

drivers/char/tpm/tpm.c drivers/char/tpm/tpm.c +5 -1

No files found.
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1044,6 +1044,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 {
 	struct tpm_chip *chip = file->private_data;
 	ssize_t ret_size;
+	int rc;

 	del_singleshot_timer_sync(&chip->user_read_timer);
 	flush_scheduled_work();
@@ -1054,8 +1055,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 			ret_size = size;

 		mutex_lock(&chip->buffer_mutex);
-		if (copy_to_user(buf, chip->data_buffer, ret_size))
+		rc = copy_to_user(buf, chip->data_buffer, ret_size);
+		memset(chip->data_buffer, 0, ret_size);
+		if (rc)
 			ret_size = -EFAULT;
+
 		mutex_unlock(&chip->buffer_mutex);
 	}