提交 3321c07a 编写于 作者: P Peter Huewe 提交者: James Morris

TPM: Zero buffer after copying to userspace

Since the buffer might contain security related data it might be a good idea to
zero the buffer after we have copied it to userspace.

This got assigned CVE-2011-1162.
Signed-off-by: NRajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Stable Kernel <stable@kernel.org>
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 6b07d30a
......@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
{
struct tpm_chip *chip = file->private_data;
ssize_t ret_size;
int rc;
del_singleshot_timer_sync(&chip->user_read_timer);
flush_work_sync(&chip->work);
......@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
ret_size = size;
mutex_lock(&chip->buffer_mutex);
if (copy_to_user(buf, chip->data_buffer, ret_size))
rc = copy_to_user(buf, chip->data_buffer, ret_size);
memset(chip->data_buffer, 0, ret_size);
if (rc)
ret_size = -EFAULT;
mutex_unlock(&chip->buffer_mutex);
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册