CVE-2011-1162

[PATCH 3/3] char/tpm: zero buffer after copying to userspace
http://tpmdd.git.sourceforge.net/git/gitweb.cgi?p=tpmdd/tpmdd;a=commitdiff;h=44480e4077cd782aa8f54eb472b292547f030520
prevents storing of previous result, leakage to other drivers

[Update 2011-10-11] CVE-2011-1161 rejected. Please see comment #14 for more info.

Acknowledgements: Red Hat would like to thank Peter Huewe for reporting this issue.
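The pattern named in the patch title above (zero the buffer after copying to userspace), as an added user-space C model; it is not the kernel patch or the driver's own code. `dev_state`, `dev_read`, the `wipe` flag and the 64-byte buffer are assumptions for illustration, and `memcpy` stands in for `copy_to_user()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFSIZE 64 /* constructed size, not the driver's TPM_BUFSIZE */

/* Hypothetical stand-in for the driver's per-device state. */
struct dev_state {
    unsigned char data_buffer[BUFSIZE]; /* last response from the device */
    size_t data_pending;                /* bytes of it not yet read */
};

/* Model of a read handler; memcpy stands in for copy_to_user(). */
static size_t dev_read(struct dev_state *s, void *out, size_t size, int wipe)
{
    size_t pending = s->data_pending;
    size_t n = pending < size ? pending : size;

    s->data_pending = 0;
    memcpy(out, s->data_buffer, n);
    if (wipe) /* hardened path: clear the whole response, not just n bytes */
        memset(s->data_buffer, 0, pending);
    return n;
}

/* Bytes of a 16-byte constructed response still held in the driver
 * buffer after the caller reads only 4 of them. */
size_t residue_after_short_read(int wipe)
{
    struct dev_state s = { {0}, 0 };
    unsigned char user[4];
    size_t i, left = 0;

    memset(s.data_buffer, 0xA5, 16); /* constructed device response */
    s.data_pending = 16;
    dev_read(&s, user, sizeof user, wipe);
    for (i = 0; i < BUFSIZE; i++)
        left += (s.data_buffer[i] != 0);
    return left;
}

int main(void)
{
    printf("residue without wipe: %zu bytes\n", residue_after_short_read(0));
    printf("residue with wipe:    %zu bytes\n", residue_after_short_read(1));
    return 0;
}
```

Wiping the full pending length rather than only the copied bytes matters for short reads: in the model, the 12 unread bytes would otherwise stay in the buffer along with the 4 that were returned.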
Separated from bug 684671 (CVE-2011-1160) as the two issues listed here do not have official fixes yet.
Created attachment 522071
Fix for CVE-2011-1161

Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

Created attachment 522072
Fix for CVE-2011-1162

Patch for tpm_read
(In reply to comment #4)
> Created attachment 522071
> Fix for CVE-2011-1161
>
> Patch for tpm_transmit for reference, as the mentioned git repo disappeared.

https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

(In reply to comment #5)
> Created attachment 522072
> Fix for CVE-2011-1162
>
> Patch for tpm_read

https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8
These have been pulled into Linus' tree now.
(In reply to comment #6)
> (In reply to comment #4)
> > Created attachment 522071
> > Fix for CVE-2011-1161
> >
> > Patch for tpm_transmit for reference, as the mentioned git repo disappeared.
>
> https://github.com/srajiv/tpm/commit/adfea973dfca35407de074ae2052be221e4b8956

https://github.com/torvalds/linux/commit/6b07d30a

> (In reply to comment #5)
> > Created attachment 522072
> > Fix for CVE-2011-1162
> >
> > Patch for tpm_read
>
> https://github.com/srajiv/tpm/commit/0913d46b54eea18ecb88bb0e1654894e07e87ca8

https://github.com/torvalds/linux/commit/3321c07a
As correctly pointed out, the first patch as originally submitted is incorrect (see the description in the corrected patch: "The last parameter of pm_transmit() reflects the amount of data expected from the device, and not the buffer size being supplied to it"). However, the new version has no effect - all callers of tpm_transmit either pass a constant buffer size (way lower than TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As tpm_transmit is static, there are no unknown external callers. Thus, the first patch is not needed. There is also no security issue as far as I can see.
(In reply to comment #9)
> As correctly pointed out, the first patch as originally submitted is incorrect
> (see the description in the corrected patch: "The last parameter of
> pm_transmit() reflects the amount of data expected from the device, and not the
> buffer size being supplied to it"). However, the new version has no effect -
> all callers of tpm_transmit either pass a constant buffer size (way lower than
> TPM_BUFSIZE), or limit the buffer size to TPM_BUFSIZE themselves. As
> tpm_transmit is static, there are no unknown external callers.
>
> Thus, the first patch is not needed. There is also no security issue as far as
> I can see.

Right. This patch in its original form tried to limit TPM_PARAMSIZE to the userspace buffer size. While this is still an unsolved problem (because of the patch changes), with patches for CVE-2011-1160 and CVE-2011-1162 applied this is a security hardening not a security flaw.
CVE-2011-1161 REJECT request http://www.openwall.com/lists/oss-security/2011/10/11/1
Created kernel tracking bugs for this issue

Affects: fedora-all [bug 748693]
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1465 https://rhn.redhat.com/errata/RHSA-2011-1465.html

This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1479 https://rhn.redhat.com/errata/RHSA-2011-1479.html

This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2012:0010 https://rhn.redhat.com/errata/RHSA-2012-0010.html