summaryrefslogtreecommitdiffstats
path: root/drivers
diff options
context:
space:
mode:
authorPeter Huewe <huewe.external.infineon@googlemail.com>2011-09-15 19:47:42 +0200
committerJames Morris <jmorris@namei.org>2011-09-23 01:46:41 +0200
commit3321c07ae5068568cd61ac9f4ba749006a7185c9 (patch)
treebcd169e21c2f71651ab840ee77152094db0c3deb /drivers
parentTPM: Call tpm_transmit with correct size (diff)
downloadlinux-3321c07ae5068568cd61ac9f4ba749006a7185c9.tar.xz
linux-3321c07ae5068568cd61ac9f4ba749006a7185c9.zip
TPM: Zero buffer after copying to userspace
Since the buffer might contain security related data it might be a good idea to zero the buffer after we have copied it to userspace. This got assigned CVE-2011-1162. Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> Cc: Stable Kernel <stable@kernel.org> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/char/tpm/tpm.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 1fe979335835..9ca5c021d0b6 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
{
struct tpm_chip *chip = file->private_data;
ssize_t ret_size;
+ int rc;
del_singleshot_timer_sync(&chip->user_read_timer);
flush_work_sync(&chip->work);
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
ret_size = size;
mutex_lock(&chip->buffer_mutex);
- if (copy_to_user(buf, chip->data_buffer, ret_size))
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+ memset(chip->data_buffer, 0, ret_size);
+ if (rc)
ret_size = -EFAULT;
+
mutex_unlock(&chip->buffer_mutex);
}