Bug 732629 (CVE-2011-1162)

Summary: CVE-2011-1162 kernel: tpm: infoleak
Product: [Other] Security Response
Reporter: Eugene Teo (Security Response) <eteo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: anton, arozansk, bhu, davej, dhoward, fhrbata, jbenc, jkacur, kernel-mgr, kmcmartin, lgoncalv, lwang, plougher, pmatouse, rt-maint, sforsber, tcallawa, vdanen, vgoyal, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-10 13:02:39 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 732630, 732631, 732632, 732633, 732634, 748693, 760578
Bug Blocks: 732621
Attachments (description, flags):
  Fix for CVE-2011-1161, none
  Fix for CVE-2011-1162, none

Description Eugene Teo (Security Response) 2011-08-23 07:01:13 UTC
CVE-2011-1162
[PATCH 3/3] char/tpm: zero buffer after copying to userspace
http://tpmdd.git.sourceforge.net/git/gitweb.cgi?p=tpmdd/tpmdd;a=commitdiff;h=44480e4077cd782aa8f54eb472b292547f030520
prevents storing of previous result, leakage to other drivers

[Update 2011-10-11] CVE-2011-1161 rejected. Please see comment #14 for more info.

Acknowledgements:

Red Hat would like to thank Peter Huewe for reporting this issue.
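The fix named in this report, zeroing the response buffer after it has been copied to userspace, as an added example that is not part of this bug report or of the kernel's tpm driver: a constructed user-space model of a device read path, with a check that counts how many bytes of an already delivered response remain in the driver buffer. struct chip, store_response, chip_read and residue_after_read are hypothetical names; the buffer size, locking and the real kernel code paths are not modelled.

```c
/* Constructed user-space model of a device read path; not the kernel's tpm code. */
#include <stddef.h>
#include <string.h>
#define BUFSIZE 64 /* stands in for the driver's response buffer size */

struct chip {
    unsigned char data_buffer[BUFSIZE]; /* last response received from the device */
    size_t data_pending;                /* bytes of that response not yet delivered */
};

/* The device has answered a command: keep its response for the next read. */
static void store_response(struct chip *c, const unsigned char *resp, size_t len)
{
    if (len > BUFSIZE)
        len = BUFSIZE;
    memcpy(c->data_buffer, resp, len);
    c->data_pending = len;
}

/* Read path; zero_after_copy selects pre-fix (0) or fixed (1) behaviour. */
static size_t chip_read(struct chip *c, unsigned char *out, size_t size,
                        int zero_after_copy)
{
    size_t n = c->data_pending;
    c->data_pending = 0;              /* the response is delivered at most once */
    if (size < n)
        n = size;                     /* short read: caller asked for fewer bytes */
    memcpy(out, c->data_buffer, n);   /* stands in for copy_to_user() */
    if (zero_after_copy)
        memset(c->data_buffer, 0, n); /* CVE-2011-1162 fix: scrub what was copied out */
    return n;
}

/* Defender's check: after reading read_size bytes of a 16-byte constructed
 * response, how many bytes of it still sit in the driver buffer? */
static size_t residue_after_read(size_t read_size, int zero_after_copy)
{
    struct chip c;
    unsigned char resp[16], out[16];
    size_t i, left = 0;
    memset(&c, 0, sizeof c);
    for (i = 0; i < sizeof resp; i++)
        resp[i] = (unsigned char)(0xA0 + i); /* constructed "sensitive" bytes */
    store_response(&c, resp, sizeof resp);
    chip_read(&c, out, read_size, zero_after_copy);
    for (i = 0; i < BUFSIZE; i++)
        left += c.data_buffer[i] != 0;
    return left;
}
```

In this model a short read scrubs only the bytes actually copied, so the unread tail of a response stays in the buffer until it is overwritten; that is the edge case a reviewer would check when auditing a similar fix.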

Comment 1 Eugene Teo (Security Response) 2011-08-23 07:05:40 UTC
Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not
have official fixes yet.

Comment 4 Jiri Benc 2011-09-08 09:27:24 UTC
Created attachment 522071
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

Comment 5 Jiri Benc 2011-09-08 09:29:08 UTC
Created attachment 522072
Fix for CVE-2011-1162

Patch for tpm_read

Comment 6 Eugene Teo (Security Response) 2011-09-16 12:02:35 UTC
(In reply to comment #4)
> Created attachment 522071
> Fix for CVE-2011-1161
> 
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072
> Fix for CVE-2011-1162
> 
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

Comment 7 Josh Boyer 2011-09-23 14:31:21 UTC
These have been pulled into Linus' tree now.

Comment 8 Eugene Teo (Security Response) 2011-09-27 04:49:07 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071
> > Fix for CVE-2011-1161
> > 
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
> 
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072
> > Fix for CVE-2011-1162
> > 
> > Patch for tpm_read
> 
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a

Comment 9 Jiri Benc 2011-09-27 07:15:38 UTC
As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of pm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers.

Thus, the first patch is not needed. There is also no security issue as far as I can see.

Comment 13 Petr Matousek 2011-10-11 19:13:53 UTC
(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> pm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
> 
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right.

This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.

Comment 14 Petr Matousek 2011-10-11 19:27:13 UTC
CVE-2011-1161 REJECT request
http://www.openwall.com/lists/oss-security/2011/10/11/1

Comment 15 Eugene Teo (Security Response) 2011-10-25 04:08:45 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]

Comment 16 errata-xmlrpc 2011-11-22 16:50:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html

Comment 17 errata-xmlrpc 2011-11-29 14:36:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

Comment 19 errata-xmlrpc 2012-01-10 20:16:04 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html