Fix CVE-2011-1161 CVE-2011-1162
This commit is contained in:
parent
18a614272e
commit
646ec82800
|
@ -0,0 +1,43 @@
|
|||
From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Huewe <huewe.external.infineon@googlemail.com>
|
||||
Date: Thu, 15 Sep 2011 14:37:43 -0300
|
||||
Subject: [PATCH] TPM: Call tpm_transmit with correct size
|
||||
|
||||
This patch changes the call of tpm_transmit by supplying the size of the
|
||||
userspace buffer instead of TPM_BUFSIZE.
|
||||
|
||||
This got assigned CVE-2011-1161.
|
||||
|
||||
[The first hunk didn't make sense given one could expect
|
||||
way less data than TPM_BUFSIZE, so added tpm_transmit boundary
|
||||
check over bufsiz instead
|
||||
The last parameter of tpm_transmit() reflects the amount
|
||||
of data expected from the device, and not the buffer size
|
||||
being supplied to it. It isn't ideal to parse it directly,
|
||||
so we just set it to the maximum the input buffer can handle
|
||||
and let the userspace API to do such job.]
|
||||
|
||||
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
|
||||
Cc: Stable Kernel <stable@kernel.org>
|
||||
Signed-off-by: James Morris <jmorris@namei.org>
|
||||
---
|
||||
drivers/char/tpm/tpm.c | 3 +++
|
||||
1 files changed, 3 insertions(+), 0 deletions(-)
|
||||
|
||||
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
|
||||
index caf8012..1fe9793 100644
|
||||
--- a/drivers/char/tpm/tpm.c
|
||||
+++ b/drivers/char/tpm/tpm.c
|
||||
@@ -383,6 +383,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf,
|
||||
u32 count, ordinal;
|
||||
unsigned long stop;
|
||||
|
||||
+ if (bufsiz > TPM_BUFSIZE)
|
||||
+ bufsiz = TPM_BUFSIZE;
|
||||
+
|
||||
count = be32_to_cpu(*((__be32 *) (buf + 2)));
|
||||
ordinal = be32_to_cpu(*((__be32 *) (buf + 6)));
|
||||
if (count == 0)
|
||||
--
|
||||
1.7.6
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001
|
||||
From: Peter Huewe <huewe.external.infineon@googlemail.com>
|
||||
Date: Thu, 15 Sep 2011 14:47:42 -0300
|
||||
Subject: [PATCH] TPM: Zero buffer after copying to userspace
|
||||
|
||||
Since the buffer might contain security related data it might be a good idea to
|
||||
zero the buffer after we have copied it to userspace.
|
||||
|
||||
This got assigned CVE-2011-1162.
|
||||
|
||||
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
|
||||
Cc: Stable Kernel <stable@kernel.org>
|
||||
Signed-off-by: James Morris <jmorris@namei.org>
|
||||
---
|
||||
drivers/char/tpm/tpm.c | 6 +++++-
|
||||
1 files changed, 5 insertions(+), 1 deletions(-)
|
||||
|
||||
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
|
||||
index 1fe9793..9ca5c02 100644
|
||||
--- a/drivers/char/tpm/tpm.c
|
||||
+++ b/drivers/char/tpm/tpm.c
|
||||
@@ -1105,6 +1105,7 @@ ssize_t tpm_read(struct file *file, char __user *buf,
|
||||
{
|
||||
struct tpm_chip *chip = file->private_data;
|
||||
ssize_t ret_size;
|
||||
+ int rc;
|
||||
|
||||
del_singleshot_timer_sync(&chip->user_read_timer);
|
||||
flush_work_sync(&chip->work);
|
||||
@@ -1115,8 +1116,11 @@ ssize_t tpm_read(struct file *file, char __user *buf,
|
||||
ret_size = size;
|
||||
|
||||
mutex_lock(&chip->buffer_mutex);
|
||||
- if (copy_to_user(buf, chip->data_buffer, ret_size))
|
||||
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
|
||||
+ memset(chip->data_buffer, 0, ret_size);
|
||||
+ if (rc)
|
||||
ret_size = -EFAULT;
|
||||
+
|
||||
mutex_unlock(&chip->buffer_mutex);
|
||||
}
|
||||
|
||||
--
|
||||
1.7.6
|
||||
|
11
kernel.spec
11
kernel.spec
|
@ -886,6 +886,10 @@ Patch14058: net-Compute-protocol-sequence-numbers-and-fragment-I.patch
|
|||
# CVE-2011-3353
|
||||
Patch14059: fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
|
||||
|
||||
# CVE-2011-1161 CVE-2011-1162
|
||||
Patch14060: TPM-Call-tpm_transmit-with-correct-size.patch
|
||||
Patch14061: TPM-Zero-buffer-after-copying-to-userspace.patch
|
||||
|
||||
%endif
|
||||
|
||||
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
|
||||
|
@ -1671,6 +1675,10 @@ ApplyPatch net-Compute-protocol-sequence-numbers-and-fragment-I.patch
|
|||
# CVE-2011-3353
|
||||
ApplyPatch fuse-check-size-of-FUSE_NOTIFY_INVAL_ENTRY-message.patch
|
||||
|
||||
# CVE-2011-1161 CVE-2011-1162
|
||||
ApplyPatch TPM-Call-tpm_transmit-with-correct-size.patch
|
||||
ApplyPatch TPM-Zero-buffer-after-copying-to-userspace.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
%endif
|
||||
|
@ -2257,6 +2265,9 @@ fi
|
|||
# and build.
|
||||
|
||||
%changelog
|
||||
* Fri Sep 23 2011 Josh Boyer <jwboyer@redhat.com> 2.6.35.14-98
|
||||
- CVE-2011-1161 CVE-2011-1161: tpm: infoleaks
|
||||
|
||||
* Tue Sep 20 2011 Josh Boyer <jwboyer@redhat.com>
|
||||
- CVE-2011-3353: fuse: check size of FUSE_NOTIFY_INVAL_ENTRY message
|
||||
|
||||
|
|
Loading…
Reference in New Issue