Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3321c07a authored by Peter Huewe's avatar Peter Huewe Committed by James Morris
Browse files

TPM: Zero buffer after copying to userspace 



Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.

Signed-off-by: default avatarRajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 6b07d30a

drivers/char/tpm/tpm.c

+5 −1
Original line number Diff line number Diff line
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf, 
{

	struct tpm_chip *chip = file->private_data;

	ssize_t ret_size;

	int rc;



	del_singleshot_timer_sync(&chip->user_read_timer);

	flush_work_sync(&chip->work);
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf, 
			ret_size = size;



		mutex_lock(&chip->buffer_mutex);

		if (copy_to_user(buf, chip->data_buffer, ret_size))

		rc = copy_to_user(buf, chip->data_buffer, ret_size);

		memset(chip->data_buffer, 0, ret_size);

		if (rc)

			ret_size = -EFAULT;



		mutex_unlock(&chip->buffer_mutex);

	}