From patchwork Wed Jul 27 15:20:24 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [lucid/fsl-imx51, maverick/ti-omap4, CVE, 1/1] char/tpm: Fix unitialized usage of data buffer From: Andy Whitcroft X-Patchwork-Id: 107104 Message-Id: <1311780024-21737-3-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Date: Wed, 27 Jul 2011 16:20:24 +0100 From: Peter Huewe This patch fixes information leakage to the userspace by initializing the data buffer to zero. Reported-by: Peter Huewe Signed-off-by: Peter Huewe Signed-off-by: Marcel Selhorst [ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way deeper problems than a simple multiplication can fix. - Linus ] Signed-off-by: Linus Torvalds (cherry picked from commit 1309d7afbed112f0e8e90be9af975550caa0076b) CVE-2011-1160 BugLink: http://bugs.launchpad.net/bugs/816546 Signed-off-by: Andy Whitcroft --- drivers/char/tpm/tpm.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index 47c2d27..896fc94 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -953,7 +953,7 @@ int tpm_open(struct inode *inode, struct file *file) return -EBUSY; } - chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL); + chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL); if (chip->data_buffer == NULL) { clear_bit(0, &chip->is_open); put_device(chip->dev);
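Review bot: The switch to `kzalloc(TPM_BUFSIZE, GFP_KERNEL)` in `tpm_open()` guarantees a zeroed `chip->data_buffer` only at allocation time, and the commit message does not name the path that hands the buffer contents to userspace. From this hunk alone it cannot be checked that an open-time zero fill closes the leak for the whole lifetime of the open file. I would ask for one sentence in the commit message stating which read path exposed the uninitialized bytes and how many bytes it can return. I would also ask for confirmation that this path bounds the copy by the length of valid data in the buffer, so that contents left over from an earlier use of the same buffer cannot be returned after the first transfer. Dropping `* sizeof(u8)` is fine, and the `NULL` check with `clear_bit(0, &chip->is_open)` and `put_device(chip->dev)` is unchanged by the new allocator call.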