Bug 732629 (CVE-2011-1162)

Summary:

CVE-2011-1162 kernel: tpm: infoleak

Product:

[Other] Security Response

Reporter:

Eugene Teo (Security Response) <eteo>

Component:

vulnerability

Assignee:

Red Hat Product Security <security-response-team>

Status:

CLOSED ERRATA

QA Contact:

Severity:

low

Docs Contact:

Priority:

low

Version:

unspecified

CC:

anton, arozansk, bhu, davej, dhoward, fhrbata, jbenc, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, plougher, pmatouse, rt-maint, sforsber, tcallawa, vdanen, vgoyal, williams

Target Milestone:

---

Keywords:

Security

Target Release:

---

Hardware:

All

OS:

Linux

Whiteboard:

Fixed In Version:

Doc Type:

Bug Fix

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2012-05-10 13:02:39 UTC

Type:

---

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Bug Depends On:

732630, 732631, 732632, 732633, 732634, 748693, 760578

Bug Blocks:

732621

Attachments:

Description	Flags
Fix for CVE-2011-1161	none
Fix for CVE-2011-1162	none

Description Eugene Teo (Security Response) 2011-08-23 07:01:13 UTC

CVE-2011-1162
[PATCH 3/3] char/tpm: zero buffer after copying to userspace
http://tpmdd.git.sourceforge.net/git/gitweb.cgi?p=tpmdd/tpmdd;a=commitdiff;h=44480e4077cd782aa8f54eb472b292547f030520
prevents storing of previous result, leakage to other drivers

[Update 2011-10-11] CVE-2011-1161 rejected. Please see comment #14 for more info.

Acknowledgements:

Red Hat would like to thank Peter Huewe for reporting this issue.

Comment 1 Eugene Teo (Security Response) 2011-08-23 07:05:40 UTC

Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not
have official fixes yet.

Comment 4 Jiri Benc 2011-09-08 09:27:24 UTC

Created attachment 522071 [details]
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

Comment 5 Jiri Benc 2011-09-08 09:29:08 UTC

Created attachment 522072 [details]
Fix for CVE-2011-1162

Patch for tpm_read

Comment 6 Eugene Teo (Security Response) 2011-09-16 12:02:35 UTC

(In reply to comment #4)
> Created attachment 522071 [details]
> Fix for CVE-2011-1161
> 
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072 [details]
> Fix for CVE-2011-1162
> 
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

Comment 7 Josh Boyer 2011-09-23 14:31:21 UTC

These have been pulled into Linus' tree now.

Comment 8 Eugene Teo (Security Response) 2011-09-27 04:49:07 UTC

(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071 [details]
> > Fix for CVE-2011-1161
> > 
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
> 
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072 [details]
> > Fix for CVE-2011-1162
> > 
> > Patch for tpm_read
> 
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a

Comment 9 Jiri Benc 2011-09-27 07:15:38 UTC

As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of pm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers.

Thus, the first patch is not needed. There is also no security issue as far as I can see.

Comment 13 Petr Matousek 2011-10-11 19:13:53 UTC

(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> pm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
> 
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right.

This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.

Comment 14 Petr Matousek 2011-10-11 19:27:13 UTC

CVE-2011-1161 REJECT request
http://www.openwall.com/lists/oss-security/2011/10/11/1

Comment 15 Eugene Teo (Security Response) 2011-10-25 04:08:45 UTC

Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]

Comment 16 errata-xmlrpc 2011-11-22 16:50:05 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html

Comment 17 errata-xmlrpc 2011-11-29 14:36:07 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

Comment 19 errata-xmlrpc 2012-01-10 20:16:04 UTC

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html