Bug 732629 (CVE-2011-1162) - CVE-2011-1162 kernel: tpm: infoleak
Summary: CVE-2011-1162 kernel: tpm: infoleak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1162
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20110308,reported=20110314,sou...
Depends On: 732630 732631 732632 732633 732634 748693 760578
Blocks: 732621
Reported: 2011-08-23 07:01 UTC by Eugene Teo (Security Response)
Modified: 2019-06-08 18:53 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-10 13:02:39 UTC


Attachments
Fix for CVE-2011-1161 (897 bytes, patch), 2011-09-08 09:27 UTC, Jiri Benc
Fix for CVE-2011-1162 (892 bytes, patch), 2011-09-08 09:29 UTC, Jiri Benc


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1465 normal SHIPPED_LIVE Important: kernel security and bug fix update 2011-11-22 21:45:37 UTC
Red Hat Product Errata RHSA-2011:1479 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2011-11-29 19:25:05 UTC
Red Hat Product Errata RHSA-2012:0010 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2012-01-11 01:14:23 UTC

Description Eugene Teo (Security Response) 2011-08-23 07:01:13 UTC
CVE-2011-1162
[PATCH 3/3] char/tpm: zero buffer after copying to userspace
http://tpmdd.git.sourceforge.net/git/gitweb.cgi?p=tpmdd/tpmdd;a=commitdiff;h=44480e4077cd782aa8f54eb472b292547f030520
prevents storing of previous result, leakage to other drivers

[Update 2011-10-11] CVE-2011-1161 rejected. Please see comment #14 for more info.

Acknowledgements:

Red Hat would like to thank Peter Huewe for reporting this issue.
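
A user-space model of the pattern named in the patch title above ("zero buffer after copying to userspace"), added here as an illustration; it is not the tpm driver's code or either attached patch. `chip_model`, `model_store_result`, `model_read`, `residue_after_read` and the buffer size are hypothetical names and values, and the sample result is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MODEL_BUFSIZE 64   /* constructed size, not the driver's TPM_BUFSIZE */

/* Hypothetical stand-in for a per-device result buffer reused across requests. */
struct chip_model {
    unsigned char data_buffer[MODEL_BUFSIZE];
    size_t data_pending;   /* bytes of the current result not yet read */
};

/* The device side stores a command result in the shared buffer. */
static void model_store_result(struct chip_model *c, const void *res, size_t len)
{
    if (len > MODEL_BUFSIZE)
        len = MODEL_BUFSIZE;
    memcpy(c->data_buffer, res, len);
    c->data_pending = len;
}

/* Read handler: hand the pending result to the caller, then optionally scrub. */
static size_t model_read(struct chip_model *c, void *dst, size_t size, int scrub)
{
    size_t n = c->data_pending < size ? c->data_pending : size;
    memcpy(dst, c->data_buffer, n);   /* stands in for copy_to_user() */
    c->data_pending = 0;
    if (scrub)                        /* scrub it all: a short read must not leave a tail */
        memset(c->data_buffer, 0, sizeof(c->data_buffer));
    return n;
}

/* Bytes of the previous result still sitting in the buffer after a read. */
size_t residue_after_read(int scrub, size_t read_size)
{
    static const char prev[] = "constructed-previous-result"; /* sample data */
    struct chip_model c = { {0}, 0 };
    unsigned char out[MODEL_BUFSIZE];
    size_t i, left = 0;
    model_store_result(&c, prev, sizeof(prev) - 1);
    model_read(&c, out, read_size, scrub);
    for (i = 0; i < MODEL_BUFSIZE; i++)
        left += (c.data_buffer[i] != 0);
    return left;
}

int main(void)
{
    printf("no scrub: %zu stale bytes, scrub: %zu\n", residue_after_read(0, 8), residue_after_read(1, 8));
    return 0;
}
```

In the unscrubbed case the whole previous result stays in the buffer even though the reader asked for only 8 bytes, which is the residue the patch title refers to.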

Comment 1 Eugene Teo (Security Response) 2011-08-23 07:05:40 UTC
Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not
have official fixes yet.

Comment 4 Jiri Benc 2011-09-08 09:27:24 UTC
Created attachment 522071 [details]
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

Comment 5 Jiri Benc 2011-09-08 09:29:08 UTC
Created attachment 522072 [details]
Fix for CVE-2011-1162

Patch for tpm_read

Comment 6 Eugene Teo (Security Response) 2011-09-16 12:02:35 UTC
(In reply to comment #4)
> Created attachment 522071 [details]
> Fix for CVE-2011-1161
> 
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072 [details]
> Fix for CVE-2011-1162
> 
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

Comment 7 Josh Boyer 2011-09-23 14:31:21 UTC
These have been pulled into Linus' tree now.

Comment 8 Eugene Teo (Security Response) 2011-09-27 04:49:07 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071 [details]
> > Fix for CVE-2011-1161
> > 
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
> 
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072 [details]
> > Fix for CVE-2011-1162
> > 
> > Patch for tpm_read
> 
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a

Comment 9 Jiri Benc 2011-09-27 07:15:38 UTC
As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of pm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers.

Thus, the first patch is not needed. There is also no security issue as far as I can see.

Comment 13 Petr Matousek 2011-10-11 19:13:53 UTC
(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> pm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
> 
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right.

This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.

Comment 14 Petr Matousek 2011-10-11 19:27:13 UTC
CVE-2011-1161 REJECT request
http://www.openwall.com/lists/oss-security/2011/10/11/1

Comment 15 Eugene Teo (Security Response) 2011-10-25 04:08:45 UTC
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]

Comment 16 errata-xmlrpc 2011-11-22 16:50:05 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html

Comment 17 errata-xmlrpc 2011-11-29 14:36:07 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

Comment 19 errata-xmlrpc 2012-01-10 20:16:04 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html

