[kernel] r17558 - in dists/lenny-security/linux-2.6/debian: . patches/bugfix/all patches/series

Dann Frazier dannf at alioth.debian.org
Wed Jun 1 05:57:50 UTC 2011 

Author: dannf
Date: Wed Jun  1 05:57:49 2011
New Revision: 17558

Log:
char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)

Added:
   dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
Modified:
   dists/lenny-security/linux-2.6/debian/changelog
   dists/lenny-security/linux-2.6/debian/patches/series/26lenny3

Modified: dists/lenny-security/linux-2.6/debian/changelog
==============================================================================
--- dists/lenny-security/linux-2.6/debian/changelog	Wed Jun  1 05:52:50 2011	(r17557)
+++ dists/lenny-security/linux-2.6/debian/changelog	Wed Jun  1 05:57:49 2011	(r17558)
@@ -30,6 +30,7 @@
   * serial: Fix information leak in TIOCGICOUNT ioctl (CVE-2010-4075)
   * net: ax25: improve information leak to userland fix, a further fix
     for CVE-2010-3875
+  * char/tpm: Fix unitialized usage of data buffer (CVE-2011-1160)
 
   [ Ben Hutchings ]
   * [vserver] Complete fix for CVE-2010-4243 (Closes: #618485)

Added: dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/lenny-security/linux-2.6/debian/patches/bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch	Wed Jun  1 05:57:49 2011	(r17558)
@@ -0,0 +1,28 @@
+commit 1309d7afbed112f0e8e90be9af975550caa0076b
+Author: Peter Huewe <huewe.external.infineon at googlemail.com>
+Date:   Tue Mar 29 13:31:25 2011 +0200
+
+    char/tpm: Fix unitialized usage of data buffer
+    
+    This patch fixes information leakage to the userspace by initializing
+    the data buffer to zero.
+    
+    Reported-by: Peter Huewe <huewe.external at infineon.com>
+    Signed-off-by: Peter Huewe <huewe.external at infineon.com>
+    Signed-off-by: Marcel Selhorst <m.selhorst at sirrix.com>
+    [ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
+      deeper problems than a simple multiplication can fix.   - Linus ]
+    Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+    [dannf: adjusted to apply to Debian's 2.6.26]
+
+--- linux-source-2.6.26.orig/drivers/char/tpm/tpm.c	2008-07-13 15:51:29.000000000 -0600
++++ linux-source-2.6.26/drivers/char/tpm/tpm.c	2011-05-31 23:53:14.451994322 -0600
+@@ -922,7 +922,7 @@ int tpm_open(struct inode *inode, struct
+ 
+ 	spin_unlock(&driver_lock);
+ 
+-	chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
++	chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
+ 	if (chip->data_buffer == NULL) {
+ 		chip->num_opens--;
+ 		put_device(chip->dev);

Modified: dists/lenny-security/linux-2.6/debian/patches/series/26lenny3
==============================================================================
--- dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Wed Jun  1 05:52:50 2011	(r17557)
+++ dists/lenny-security/linux-2.6/debian/patches/series/26lenny3	Wed Jun  1 05:57:49 2011	(r17558)
@@ -27,3 +27,4 @@
 + bugfix/all/fs-cifs-reject-dns-upcall-add_key-req-from-userspace.patch
 + bugfix/all/serial_core-clean-data-before-filling-it.patch
 + bugfix/all/net-ax25-fix-information-leak-to-userland-harder.patch
++ bugfix/all/tpm-fix-uninitialized-usage-of-data-buffer.patch

More information about the Kernel-svn-changes mailing list