Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 3ab1aff89477dafb1aaeafe8c8669114a02b7226

Authored by Tim Gardner
Committed by Rajiv Andrade
1 parent 968de8e24d
Exists in smarc-l5.0.0_1.0.0-ga and in 5 other branches imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga

TPM: Zero buffer whole after copying to userspace 

Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM
buffer if the user specified read length is >= the TPM buffer length. However,
if the user specified read length is < the TPM buffer length, then part of the
TPM buffer is left uncleared.

Reported-by: Seth Forshee <seth.forshee@canonical.com>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Cc: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: Marcel Selhorst <m.selhorst@sirrix.com>
Cc: tpmdd-devel@lists.sourceforge.net
Cc: stable@vger.kernel.org
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>

Showing 1 changed file with 2 additions and 1 deletions Side-by-side Diff

drivers/char/tpm/tpm.c
Diff comments   View file @ 3ab1aff
... ... @@ -1221,12 +1221,13 @@
1221 1221 ret_size = atomic_read(&chip->data_pending);
1222 1222 atomic_set(&chip->data_pending, 0);
1223 1223 if (ret_size > 0) { /* relay data */
  1224 + ssize_t orig_ret_size = ret_size;
1224 1225 if (size < ret_size)
1225 1226 ret_size = size;
1226 1227  
1227 1228 mutex_lock(&chip->buffer_mutex);
1228 1229 rc = copy_to_user(buf, chip->data_buffer, ret_size);
1229   - memset(chip->data_buffer, 0, ret_size);
  1230 + memset(chip->data_buffer, 0, orig_ret_size);
1230 1231 if (rc)
1231 1232 ret_size = -EFAULT;
1232 1233