[hardy CVE 1/1] char/tpm: Fix unitialized usage of data buffer
Andy Whitcroft
apw at canonical.com
Wed Jul 27 15:20:23 UTC 2011
From: Peter Huewe <huewe.external.infineon at googlemail.com>
This patch fixes information leakage to the userspace by initializing
the data buffer to zero.
Reported-by: Peter Huewe <huewe.external at infineon.com>
Signed-off-by: Peter Huewe <huewe.external at infineon.com>
Signed-off-by: Marcel Selhorst <m.selhorst at sirrix.com>
[ Also removed the silly "* sizeof(u8)". If that isn't 1, we have way
deeper problems than a simple multiplication can fix. - Linus ]
Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
(backported from commit 1309d7afbed112f0e8e90be9af975550caa0076b)
CVE-2011-1160
BugLink: http://bugs.launchpad.net/bugs/816546
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
drivers/char/tpm/tpm.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index c88424a..14ad745 100644
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -922,7 +922,7 @@ int tpm_open(struct inode *inode, struct file *file)
spin_unlock(&driver_lock);
- chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
+ chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
if (chip->data_buffer == NULL) {
chip->num_opens--;
put_device(chip->dev);
--
1.7.4.1
More information about the kernel-team
mailing list