Bug 732629 (CVE-2011-1162)
Summary: | CVE-2011-1162 kernel: tpm: infoleak | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Eugene Teo (Security Response) <eteo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | low | Docs Contact: |
Priority: | low | |
Version: | unspecified | CC: | anton, arozansk, bhu, davej, dhoward, fhrbata, jbenc, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, plougher, pmatouse, rt-maint, sforsber, tcallawa, vdanen, vgoyal, williams
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-05-10 13:02:39 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 732630, 732631, 732632, 732633, 732634, 748693, 760578 | |
Bug Blocks: | 732621 | |
Attachments: | | |
Description
Eugene Teo (Security Response)
2011-08-23 07:01:13 UTC
Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not have official fixes yet.

Created attachment 522071
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

Created attachment 522072
Fix for CVE-2011-1162

Patch for tpm_read

(In reply to comment #4)
> Created attachment 522071
> Fix for CVE-2011-1161
>
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072
> Fix for CVE-2011-1162
>
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

These have been pulled into Linus' tree now.

(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071
> > Fix for CVE-2011-1161
> >
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
>
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072
> > Fix for CVE-2011-1162
> >
> > Patch for tpm_read
>
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a

As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of pm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers.

Thus, the first patch is not needed. There is also no security issue as far as I can see.
(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> pm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
>
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right. This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html

This issue has been addressed in following products:

Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

This issue has been addressed in following products:

MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html