From patchwork Mon Dec  5 16:18:42 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [natty, natty/ti-omap4, CVE,
 1/1] TPM: Zero buffer after copying to userspace
Date: Mon, 05 Dec 2011 06:18:42 -0000
From: Andy Whitcroft <apw@canonical.com>
X-Patchwork-Id: 129348
Message-Id: <1323101922-9653-4-git-send-email-apw@canonical.com>
To: kernel-team@lists.ubuntu.com
Cc: Andy Whitcroft <apw@canonical.com>

From: Peter Huewe <huewe.external.infineon@googlemail.com>

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.

Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: James Morris <jmorris@namei.org>

(cherry picked from commit 3321c07ae5068568cd61ac9f4ba749006a7185c9)
CVE-2011-1162
BugLink: http://bugs.launchpad.net/bugs/899463
Signed-off-by: Andy Whitcroft <apw@canonical.com>

---
drivers/char/tpm/tpm.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 7beb0e2..f59dc23 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -1052,6 +1052,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 {
 	struct tpm_chip *chip = file->private_data;
 	ssize_t ret_size;
+	int rc;
 
 	del_singleshot_timer_sync(&chip->user_read_timer);
 	flush_work_sync(&chip->work);
@@ -1062,8 +1063,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
 			ret_size = size;
 
 		mutex_lock(&chip->buffer_mutex);
-		if (copy_to_user(buf, chip->data_buffer, ret_size))
+		rc = copy_to_user(buf, chip->data_buffer, ret_size);
+		memset(chip->data_buffer, 0, ret_size);
+		if (rc)
 			ret_size = -EFAULT;
+
 		mutex_unlock(&chip->buffer_mutex);
 	}