Bug 732629 - (CVE-2011-1162) CVE-2011-1162 kernel: tpm: infoleak
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
Whiteboard: public=20110308,reported=20110314,sou...
Keywords: Security
Depends On: 732630 732631 732632 732633 732634 748693 760578
Blocks: 732621
Reported: 2011-08-23 03:01 EDT by Eugene Teo (Security Response)
Modified: 2015-02-16 10:48 EST
Doc Type: Bug Fix
Last Closed: 2012-05-10 09:02:39 EDT

Attachments
Fix for CVE-2011-1161 (897 bytes, patch)
2011-09-08 05:27 EDT, Jiri Benc
Fix for CVE-2011-1162 (892 bytes, patch)
2011-09-08 05:29 EDT, Jiri Benc

Description Eugene Teo (Security Response) 2011-08-23 03:01:13 EDT
CVE-2011-1162
[PATCH 3/3] char/tpm: zero buffer after copying to userspace
http://tpmdd.git.sourceforge.net/git/gitweb.cgi?p=tpmdd/tpmdd;a=commitdiff;h=44480e4077cd782aa8f54eb472b292547f030520
prevents storing of previous result, leakage to other drivers

[Update 2011-10-11] CVE-2011-1161 rejected. Please see comment #14 for more info.

Acknowledgements:

Red Hat would like to thank Peter Huewe for reporting this issue.
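
A userspace model of the read path described above, added here as an illustration; it is not the kernel patch or code from this bug. `chip_model`, `model_read` and the other names are hypothetical, `memcpy` stands in for `copy_to_user()`, and clearing the whole pending response (not only the bytes copied) is a choice made in this sketch.

```c
#include <stddef.h>
#include <string.h>

#define BUFSZ 64 /* constructed size for this model, not the driver's value */
/* Hypothetical stand-in for the per-device state a character driver keeps. */
struct chip_model {
    unsigned char data_buffer[BUFSZ]; /* holds the device's last response */
    size_t data_pending;              /* response bytes not yet read */
};

/* The device answers a command: the response lands in the shared buffer. */
static void model_store_response(struct chip_model *c, const void *resp, size_t len)
{
    if (len > BUFSZ)
        len = BUFSZ;
    memcpy(c->data_buffer, resp, len);
    c->data_pending = len;
}

/* read() handler. scrub == 0 leaves the response in the buffer after delivery;
 * scrub != 0 zeroes the whole pending response, including bytes that a short
 * read (size < pending) never copied out. */
static size_t model_read(struct chip_model *c, void *user, size_t size, int scrub)
{
    size_t pending = c->data_pending;
    size_t n = size < pending ? size : pending;

    c->data_pending = 0;             /* the response is consumed either way */
    memcpy(user, c->data_buffer, n); /* stands in for copy_to_user() */
    if (scrub)
        memset(c->data_buffer, 0, pending);
    return n;
}

/* Store a constructed response, read `size` bytes, and count the response
 * bytes still sitting in the buffer for whoever touches it next. */
static size_t residue_after_read(size_t size, int scrub)
{
    static const char sample[] = "CONSTRUCTED-KEY-MATERIAL"; /* sample data */
    struct chip_model c;
    unsigned char out[BUFSZ];
    size_t i, left = 0;
    memset(&c, 0, sizeof c);
    model_store_response(&c, sample, sizeof sample - 1);
    model_read(&c, out, size, scrub);
    for (i = 0; i < BUFSZ; i++)
        left += (c.data_buffer[i] != 0);
    return left;
}
```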
Comment 1 Eugene Teo (Security Response) 2011-08-23 03:05:40 EDT
Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not
have official fixes yet.
Comment 4 Jiri Benc 2011-09-08 05:27:24 EDT
Created attachment 522071 [details]
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
Comment 5 Jiri Benc 2011-09-08 05:29:08 EDT
Created attachment 522072 [details]
Fix for CVE-2011-1162

Patch for tpm_read
Comment 6 Eugene Teo (Security Response) 2011-09-16 08:02:35 EDT
(In reply to comment #4)
> Created attachment 522071 [details]
> Fix for CVE-2011-1161
> 
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072 [details]
> Fix for CVE-2011-1162
> 
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8
Comment 7 Josh Boyer 2011-09-23 10:31:21 EDT
These have been pulled into Linus' tree now.
Comment 8 Eugene Teo (Security Response) 2011-09-27 00:49:07 EDT
(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071 [details]
> > Fix for CVE-2011-1161
> > 
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
> 
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072 [details]
> > Fix for CVE-2011-1162
> > 
> > Patch for tpm_read
> 
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a
Comment 9 Jiri Benc 2011-09-27 03:15:38 EDT
As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of tpm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers.

Thus, the first patch is not needed. There is also no security issue as far as I can see.
Comment 13 Petr Matousek 2011-10-11 15:13:53 EDT
(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> tpm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
> 
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right.

This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.
Comment 14 Petr Matousek 2011-10-11 15:27:13 EDT
CVE-2011-1161 REJECT request
http://www.openwall.com/lists/oss-security/2011/10/11/1
Comment 15 Eugene Teo (Security Response) 2011-10-25 00:08:45 EDT
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]
Comment 16 errata-xmlrpc 2011-11-22 11:50:05 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html
Comment 17 errata-xmlrpc 2011-11-29 09:36:07 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html
Comment 19 errata-xmlrpc 2012-01-10 15:16:04 EST
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html
