Unverified Commit 4fb47d7d authored by openeuler-ci-bot, committed by Gitee

!2810 drivers/gmjstcm: import CVE-2011-1160 CVE-2011-1162 fixes to tcm.c

Merge Pull Request from: @lizg-ky 
 
The kernel issue https://gitee.com/openeuler/kernel/issues/I7TEYD has reported 2 TCM (TPM-like chip, by Nationz Technologies Inc.) driver CVE issues.
【Vulnerability information】
  There may be information leakage vulnerabilities in the tcm_read function and tcm_open function in drivers/staging/gmjstcm/tcm.c
  The tcm_read function did not set this memory to 0 after calling the copy_to_user function, causing the user to read the information in the last tcm instruction.
  The tcm_open function does not set the memory block to 0 when allocating memory (kmalloc), which may lead to information leakage vulnerabilities.

Here are the two fixes for TPM:
1. CVE-2011-1160
  commit 1309d7af ("char/tpm: Fix unitialized usage of data buffer")
2. CVE-2011-1162
  commit 3321c07a ("TPM: Zero buffer after copying to userspace")

Now we import and apply these 2 fixes to the TCM1.0 driver in the drivers/staging/gmjstcm/ dir.
 
 
Link: https://gitee.com/openeuler/kernel/pulls/2810

 

Reviewed-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
parents a5554642 c04a1c6a
+5 −2
@@ -660,7 +660,7 @@ int tcm_open(struct inode *inode, struct file *file)

	spin_unlock(&driver_lock);

	chip->data_buffer = kmalloc(TCM_BUFSIZE * sizeof(u8), GFP_KERNEL);
	chip->data_buffer = kzalloc(TCM_BUFSIZE, GFP_KERNEL);
	if (chip->data_buffer == NULL) {
		chip->num_opens--;
		put_device(chip->dev);
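Review bot: the kzalloc() call in tcm_open carries no comment saying the zeroing is deliberate, so a later cleanup could switch it back to kmalloc() without noticing the security impact. Since tcm_read copies chip->data_buffer to user space, a one-line comment above the allocation (for example, that the buffer must start zeroed because it is later handed to copy_to_user) would record why this is not a plain kmalloc.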
@@ -739,6 +739,7 @@ ssize_t tcm_read(struct file *file, char __user *buf,
{
	struct tcm_chip *chip = file->private_data;
	int ret_size = 0;
	int rc;

	del_singleshot_timer_sync(&chip->user_read_timer);
	flush_work(&chip->work);
@@ -749,7 +750,9 @@ ssize_t tcm_read(struct file *file, char __user *buf,
			ret_size = size;

		mutex_lock(&chip->buffer_mutex);
		if (copy_to_user(buf, chip->data_buffer, ret_size))
		rc = copy_to_user(buf, chip->data_buffer, ret_size);
		memset(chip->data_buffer, 0, ret_size);
		if (rc)
			ret_size = -EFAULT;
		mutex_unlock(&chip->buffer_mutex);
	}
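Review bot: the memset() after copy_to_user() in tcm_read clears only ret_size bytes, and ret_size can be reduced to the caller's size by the `ret_size = size;` line just above, so a short read leaves the tail of the previous response in chip->data_buffer. Unless the remaining bytes are made unreachable elsewhere, consider clearing the full buffer with `memset(chip->data_buffer, 0, TCM_BUFSIZE);` or the full pending length rather than the copied length. Doing the memset before testing rc is right, since the buffer is wiped even when the copy faults.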