[kernel/f14] Fix CVE-2011-1161 CVE-2011-1162

Josh Boyer jwboyer at fedoraproject.org
Fri Sep 23 16:24:05 UTC 2011 

commit 646ec8280003a7ad22f35edef0ca89b369cb352c
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Sep 23 10:34:03 2011 -0400

    Fix CVE-2011-1161 CVE-2011-1162

 TPM-Call-tpm_transmit-with-correct-size.patch    |   43 +++++++++++++++++++++
 TPM-Zero-buffer-after-copying-to-userspace.patch |   45 ++++++++++++++++++++++
 kernel.spec                                      |   11 +++++
 3 files changed, 99 insertions(+), 0 deletions(-)
---
diff --git a/TPM-Call-tpm_transmit-with-correct-size.patch b/TPM-Call-tpm_transmit-with-correct-size.patch
new file mode 100644
index 0000000..64f776f
--- /dev/null
+++ b/TPM-Call-tpm_transmit-with-correct-size.patch
@@ -0,0 +1,43 @@
+From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:37:43 -0300
+Subject: [PATCH] TPM: Call tpm_transmit with correct size
+
+This patch changes the call of tpm_transmit by supplying the size of the
+userspace buffer instead of TPM_BUFSIZE.
+
+This got assigned CVE-2011-1161.
+
+[The first hunk didn't make sense given one could expect
+ way less data than TPM_BUFSIZE, so added tpm_transmit boundary
+ check over bufsiz instead
+ The last parameter of tpm_transmit() reflects the amount
+ of data expected from the device, and not the buffer size
+ being supplied to it. It isn't ideal to parse it directly,
+ so we just set it to the maximum the input buffer can handle
+ and let the userspace API to do such job.]
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index caf8012..1fe9793 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
+ 	u32 count, ordinal;
+ 	unsigned long stop;
+ 
++	if (bufsiz > TPM_BUFSIZE)
++		bufsiz = TPM_BUFSIZE;
++
+ 	count = be32_to_cpu(*((__be32 *) (buf + 2)));
+ 	ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
+ 	if (count == 0)
+-- 
+1.7.6
+
diff --git a/TPM-Zero-buffer-after-copying-to-userspace.patch b/TPM-Zero-buffer-after-copying-to-userspace.patch
new file mode 100644
index 0000000..1b3d9ac
--- /dev/null
+++ b/TPM-Zero-buffer-after-copying-to-userspace.patch
@@ -0,0 +1,45 @@
+From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:47:42 -0300
+Subject: [PATCH] TPM: Zero buffer after copying to userspace
+
+Since the buffer might contain security related data it might be a good idea to
+zero the buffer after we have copied it to userspace.
+
+This got assigned CVE-2011-1162.
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c |    6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index 1fe9793..9ca5c02 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ {
+ 	struct tpm_chip *chip = file->private_data;
+ 	ssize_t ret_size;
++	int rc;
+ 
+ 	del_singleshot_timer_sync(&chip->user_read_timer);
+ 	flush_work_sync(&chip->work);
+@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ 			ret_size = size;
+ 
+ 		mutex_lock(&chip->buffer_mutex);
+-		if (copy_to_user(buf, chip->data_buffer, ret_size))
++		rc = copy_to_user(buf, chip->data_buffer, ret_size);
++		memset(chip->data_buffer, 0, ret_size);
++		if (rc)
+ 			ret_size = -EFAULT;
++
+ 		mutex_unlock(&chip->buffer_mutex);
+ 	}
+ 
+-- 
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index 51ad361..b709489 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -886,6 +886,10 @@ Patch14058: net-Compute-protocol-sequence-numbers-and-fragment-I.patch
 # CVE-2011-3353
 Patch14059: fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
 
+# CVE-2011-1161 CVE-2011-1162
+Patch14060: TPM-Call-tpm_transmit-with-correct-size.patch
+Patch14061: TPM-Zero-buffer-after-copying-to-userspace.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1671,6 +1675,10 @@ ApplyPatch net-Compute-protocol-sequence-numbers-and-fragment-I.patch
 # CVE-2011-3353
 ApplyPatch fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
 
+# CVE-2011-1161 CVE-2011-1162
+ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
+ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -2257,6 +2265,9 @@ fi
 # and build.
 
 %changelog
+* Fri Sep 23 2011 Josh Boyer <jwboyer at redhat.com> 2.6.35.14-98
+- CVE-2011-1161 CVE-2011-1161: tpm: infoleaks
+
 * Tue Sep 20 2011 Josh Boyer <jwboyer at redhat.com>
 - CVE-2011-3353: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message

More information about the scm-commits mailing list