From c04a1c6afc6bca0fa5739ecf4f58e4723d82e82f Mon Sep 17 00:00:00 2001 From: Li ZhiGang Date: Thu, 9 Nov 2023 09:53:30 +0800 Subject: [PATCH] drivers/gmjstcm: import CVE-2011-1160 CVE-2011-1162 fixes to tcm.c kylin inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I7TEYD -------------------------------- https://gitee.com/openeuler/kernel/issues/I7TEYD report 2 bugs in gmjstcm driver, reported as CVEs in kernel tpm driver. [Vulnerability information] There may be information leakage vulnerabilities in the tcm_read function and tcm_open function in drivers/staging/gmjstcm/tcm.c The tcm_read function did not set this memory to 0 after calling the copy_to_user function, causing the user to read the information in the last tcm instruction. The tcm_open function does not set the memory block to 0 when allocating memory (kmalloc), which may lead to information leakage vulnerabilities. Here are the two fixes for TPM: 1. CVE-2011-1160 commit 1309d7afbed1 ("char/tpm: Fix unitialized usage of data buffer") 2. CVE-2011-1162 commit 3321c07ae506 ("TPM: Zero buffer after copying to userspace") import 2 fixes from tpm.c to tcm.c Signed-off-by: Li ZhiGang
---
 drivers/staging/gmjstcm/tcm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/gmjstcm/tcm.c b/drivers/staging/gmjstcm/tcm.c
index 5c41bfa8b423..133be151f710 100644
--- a/drivers/staging/gmjstcm/tcm.c
+++ b/drivers/staging/gmjstcm/tcm.c
@@ -660,7 +660,7 @@ int tcm_open(struct inode *inode, struct file *file)
 spin_unlock(&driver_lock);
- chip->data_buffer = kmalloc(TCM_BUFSIZE * sizeof(u8), GFP_KERNEL);
+ chip->data_buffer = kzalloc(TCM_BUFSIZE, GFP_KERNEL);
 if (chip->data_buffer == NULL) {
 chip->num_opens--;
 put_device(chip->dev);
@@ -739,6 +739,7 @@ ssize_t tcm_read(struct file *file, char __user *buf,
 {
 struct tcm_chip *chip = file->private_data;
 int ret_size = 0;
+ int rc;
 del_singleshot_timer_sync(&chip->user_read_timer);
 flush_work(&chip->work);
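Review bot: Zeroing data_buffer at allocation closes the open-path exposure, but the matching release path is not in this hunk; if tcm_release() frees data_buffer with a plain kfree(), whatever the last command or response left in it stays in the freed memory until it is reused. It would be consistent with the read-path memset this series adds to end the buffer's lifetime cleared, e.g. `kfree_sensitive(chip->data_buffer);` (or `kzfree()` on older trees, or `memzero_explicit()` before `kfree()`). I cannot see tcm_release() from here, so treat this as something to confirm rather than a defect in the lines shown. tcm_open's body continues past the hunk.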
@@ -749,7 +750,9 @@ ssize_t tcm_read(struct file *file, char __user *buf,
 ret_size = size;
 mutex_lock(&chip->buffer_mutex);
- if (copy_to_user(buf, chip->data_buffer, ret_size))
+ rc = copy_to_user(buf, chip->data_buffer, ret_size);
+ memset(chip->data_buffer, 0, ret_size);
+ if (rc)
 ret_size = -EFAULT;
 mutex_unlock(&chip->buffer_mutex);
 }
-- Gitee
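Review bot: The new memset clears only `ret_size` bytes, and the context line `ret_size = size;` shows that value is the caller's read length after clamping, so a short read (a `size` smaller than the pending response) leaves the tail of the response in data_buffer where a later read can still return it. Since buffer_mutex is held here, the whole allocation can be cleared instead, `memset(chip->data_buffer, 0, TCM_BUFSIZE);`, matching the size kzalloc'd in tcm_open in the hunk above; alternatively save the pre-clamp length before the assignment and clear that many bytes. As far as I recall, the upstream tpm.c read path needed exactly this follow-up after the CVE-2011-1162 fix the commit message cites. tcm_read begins, and the clamping branch that sets ret_size lies, above this hunk.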