[kernel/f15] Fix CVE-2011-1161 CVE-2011-1162

Josh Boyer jwboyer at fedoraproject.org
Fri Sep 23 16:24:10 UTC 2011 

commit bbc0f03b3029a3cb8eacdadc0a1d83d425e47769
Author: Josh Boyer <jwboyer at redhat.com>
Date:   Fri Sep 23 10:44:18 2011 -0400

    Fix CVE-2011-1161 CVE-2011-1162

 TPM-Call-tpm_transmit-with-correct-size.patch    |   43 +++++++++++++++++++++
 TPM-Zero-buffer-after-copying-to-userspace.patch |   45 ++++++++++++++++++++++
 kernel.spec                                      |   11 +++++
 3 files changed, 99 insertions(+), 0 deletions(-)
---
diff --git a/TPM-Call-tpm_transmit-with-correct-size.patch b/TPM-Call-tpm_transmit-with-correct-size.patch
new file mode 100644
index 0000000..64f776f
--- /dev/null
+++ b/TPM-Call-tpm_transmit-with-correct-size.patch
@@ -0,0 +1,43 @@
+From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:37:43 -0300
+Subject: [PATCH] TPM: Call tpm_transmit with correct size
+
+This patch changes the call of tpm_transmit by supplying the size of the
+userspace buffer instead of TPM_BUFSIZE.
+
+This got assigned CVE-2011-1161.
+
+[The first hunk didn't make sense given one could expect
+ way less data than TPM_BUFSIZE, so added tpm_transmit boundary
+ check over bufsiz instead
+ The last parameter of tpm_transmit() reflects the amount
+ of data expected from the device, and not the buffer size
+ being supplied to it. It isn't ideal to parse it directly,
+ so we just set it to the maximum the input buffer can handle
+ and let the userspace API to do such job.]
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index caf8012..1fe9793 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
+ 	u32 count, ordinal;
+ 	unsigned long stop;
+ 
++	if (bufsiz > TPM_BUFSIZE)
++		bufsiz = TPM_BUFSIZE;
++
+ 	count = be32_to_cpu(*((__be32 *) (buf + 2)));
+ 	ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
+ 	if (count == 0)
+-- 
+1.7.6
+
diff --git a/TPM-Zero-buffer-after-copying-to-userspace.patch b/TPM-Zero-buffer-after-copying-to-userspace.patch
new file mode 100644
index 0000000..1b3d9ac
--- /dev/null
+++ b/TPM-Zero-buffer-after-copying-to-userspace.patch
@@ -0,0 +1,45 @@
+From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:47:42 -0300
+Subject: [PATCH] TPM: Zero buffer after copying to userspace
+
+Since the buffer might contain security related data it might be a good idea to
+zero the buffer after we have copied it to userspace.
+
+This got assigned CVE-2011-1162.
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c |    6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index 1fe9793..9ca5c02 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ {
+ 	struct tpm_chip *chip = file->private_data;
+ 	ssize_t ret_size;
++	int rc;
+ 
+ 	del_singleshot_timer_sync(&chip->user_read_timer);
+ 	flush_work_sync(&chip->work);
+@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ 			ret_size = size;
+ 
+ 		mutex_lock(&chip->buffer_mutex);
+-		if (copy_to_user(buf, chip->data_buffer, ret_size))
++		rc = copy_to_user(buf, chip->data_buffer, ret_size);
++		memset(chip->data_buffer, 0, ret_size);
++		if (rc)
+ 			ret_size = -EFAULT;
++
+ 		mutex_unlock(&chip->buffer_mutex);
+ 	}
+ 
+-- 
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index fb60811..df0b984 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -690,6 +690,10 @@ Patch21007: ucvideo-fix-crash-when-linking-entities.patch
 # CVE-2011-3192
 Patch21008: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
 
+# CVE-2011-1161 CVE-2011-1162
+Patch21009: TPM-Call-tpm_transmit-with-correct-size.patch
+Patch21010: TPM-Zero-buffer-after-copying-to-userspace.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1249,6 +1253,10 @@ ApplyPatch ucvideo-fix-crash-when-linking-entities.patch
 # CVE-2011-3191
 ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
 
+# CVE-2011-1161 CVE-2011-1162
+ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
+ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1869,6 +1877,9 @@ fi
 # and build.
 
 %changelog
+* Fri Sep 23 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-1161 CVE-2011-1162: tpm: infoleaks
+
 * Thu Sep 22 2011 Dennis Gilmore <dennis at ausil.us>
 - build a vmlinux image on sparc64

More information about the scm-commits mailing list