[kernel/f15] Fix CVE-2011-1161 CVE-2011-1162
Josh Boyer
jwboyer at fedoraproject.org
Fri Sep 23 16:24:10 UTC 2011
commit bbc0f03b3029a3cb8eacdadc0a1d83d425e47769
Author: Josh Boyer <jwboyer at redhat.com>
Date: Fri Sep 23 10:44:18 2011 -0400
Fix CVE-2011-1161 CVE-2011-1162
TPM-Call-tpm_transmit-with-correct-size.patch | 43 +++++++++++++++++++++
TPM-Zero-buffer-after-copying-to-userspace.patch | 45 ++++++++++++++++++++++
kernel.spec | 11 +++++
3 files changed, 99 insertions(+), 0 deletions(-)
---
diff --git a/TPM-Call-tpm_transmit-with-correct-size.patch b/TPM-Call-tpm_transmit-with-correct-size.patch
new file mode 100644
index 0000000..64f776f
--- /dev/null
+++ b/TPM-Call-tpm_transmit-with-correct-size.patch
@@ -0,0 +1,43 @@
+From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:37:43 -0300
+Subject: [PATCH] TPM: Call tpm_transmit with correct size
+
+This patch changes the call of tpm_transmit by supplying the size of the
+userspace buffer instead of TPM_BUFSIZE.
+
+This got assigned CVE-2011-1161.
+
+[The first hunk didn't make sense given one could expect
+ way less data than TPM_BUFSIZE, so added tpm_transmit boundary
+ check over bufsiz instead
+ The last parameter of tpm_transmit() reflects the amount
+ of data expected from the device, and not the buffer size
+ being supplied to it. It isn't ideal to parse it directly,
+ so we just set it to the maximum the input buffer can handle
+ and let the userspace API to do such job.]
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index caf8012..1fe9793 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
+ u32 count, ordinal;
+ unsigned long stop;
+
++ if (bufsiz > TPM_BUFSIZE)
++ bufsiz = TPM_BUFSIZE;
++
+ count = be32_to_cpu(*((__be32 *) (buf + 2)));
+ ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
+ if (count == 0)
+--
+1.7.6
+
diff --git a/TPM-Zero-buffer-after-copying-to-userspace.patch b/TPM-Zero-buffer-after-copying-to-userspace.patch
new file mode 100644
index 0000000..1b3d9ac
--- /dev/null
+++ b/TPM-Zero-buffer-after-copying-to-userspace.patch
@@ -0,0 +1,45 @@
+From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
+From: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date: Thu, 15 Sep 2011 14:47:42 -0300
+Subject: [PATCH] TPM: Zero buffer after copying to userspace
+
+Since the buffer might contain security related data it might be a good idea to
+zero the buffer after we have copied it to userspace.
+
+This got assigned CVE-2011-1162.
+
+Signed-off-by: Rajiv Andrade <srajiv at linux.vnet.ibm.com>
+Cc: Stable Kernel <stable at kernel.org>
+Signed-off-by: James Morris <jmorris at namei.org>
+---
+ drivers/char/tpm/tpm.c | 6 +++++-
+ 1 files changed, 5 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
+index 1fe9793..9ca5c02 100644
+--- a/drivers/char/tpm/tpm.c
++++ b/drivers/char/tpm/tpm.c
+@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ {
+ struct tpm_chip *chip = file->private_data;
+ ssize_t ret_size;
++ int rc;
+
+ del_singleshot_timer_sync(&chip->user_read_timer);
+ flush_work_sync(&chip->work);
+@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
+ ret_size = size;
+
+ mutex_lock(&chip->buffer_mutex);
+- if (copy_to_user(buf, chip->data_buffer, ret_size))
++ rc = copy_to_user(buf, chip->data_buffer, ret_size);
++ memset(chip->data_buffer, 0, ret_size);
++ if (rc)
+ ret_size = -EFAULT;
++
+ mutex_unlock(&chip->buffer_mutex);
+ }
+
+--
+1.7.6
+
diff --git a/kernel.spec b/kernel.spec
index fb60811..df0b984 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -690,6 +690,10 @@ Patch21007: ucvideo-fix-crash-when-linking-entities.patch
# CVE-2011-3192
Patch21008: cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+# CVE-2011-1161 CVE-2011-1162
+Patch21009: TPM-Call-tpm_transmit-with-correct-size.patch
+Patch21010: TPM-Zero-buffer-after-copying-to-userspace.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1249,6 +1253,10 @@ ApplyPatch ucvideo-fix-crash-when-linking-entities.patch
# CVE-2011-3191
ApplyPatch cifs-fix-possible-memory-corruption-in-CIFSFindNext.patch
+# CVE-2011-1161 CVE-2011-1162
+ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
+ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
+
# END OF PATCH APPLICATIONS
%endif
@@ -1869,6 +1877,9 @@ fi
# and build.
%changelog
+* Fri Sep 23 2011 Josh Boyer <jwboyer at redhat.com>
+- CVE-2011-1161 CVE-2011-1162: tpm: infoleaks
+
* Thu Sep 22 2011 Dennis Gilmore <dennis at ausil.us>
- build a vmlinux image on sparc64
More information about the scm-commits
mailing list