From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753360Ab1LFSti (ORCPT ); Tue, 6 Dec 2011 13:49:38 -0500
Received: from mail.tpi.com ([70.99.223.143]:2238 "EHLO mail.tpi.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751603Ab1LFSte (ORCPT ); Tue, 6 Dec 2011 13:49:34 -0500
From: Tim Gardner
To: linux-kernel@vger.kernel.org
Cc: Seth Forshee, Tim Gardner, Debora Velarde, Rajiv Andrade, Marcel Selhorst, tpmdd-devel@lists.sourceforge.net, stable@vger.kernel.org
Subject: [PATCH 1/3] TPM: Zero buffer whole after copying to userspace
Date: Tue, 6 Dec 2011 11:29:20 -0700
Message-Id: <1323196162-2717-2-git-send-email-tim.gardner@canonical.com>
X-Mailer: git-send-email 1.7.0.4
In-Reply-To: <1323196162-2717-1-git-send-email-tim.gardner@canonical.com>
References: <1323196162-2717-1-git-send-email-tim.gardner@canonical.com>
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 correctly clears the TPM buffer if the user specified read length is >= the TPM buffer length. However, if the user specified read length is < the TPM buffer length, then part of the TPM buffer is left uncleared.

Reported-by: Seth Forshee
Cc: Debora Velarde
Cc: Rajiv Andrade
Cc: Marcel Selhorst
Cc: tpmdd-devel@lists.sourceforge.net
Cc: stable@vger.kernel.org
Signed-off-by: Tim Gardner
--- drivers/char/tpm/tpm.c | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c index 361a1df..b366b34 100644 --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c
@@ -1115,12 +1115,13 @@ ssize_t tpm_read(struct file *file, char __user *buf, ret_size = atomic_read(&chip->data_pending); atomic_set(&chip->data_pending, 0); if (ret_size > 0) { /* relay data */ + ssize_t orig_ret_size = ret_size; if (size < ret_size) ret_size = size; mutex_lock(&chip->buffer_mutex); rc = copy_to_user(buf, chip->data_buffer, ret_size); - memset(chip->data_buffer, 0, ret_size); + memset(chip->data_buffer, 0, orig_ret_size); if (rc) ret_size = -EFAULT; -- 1.7.0.4
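Review bot: The memset in tpm_read() now takes its length from orig_ret_size while copy_to_user() still uses the clamped ret_size, and nothing in the code says why the two lengths differ. Add a short comment above the memset stating that the whole pending response is wiped even on a short read, so that no part of it stays in chip->data_buffer and a later cleanup does not fold the two lengths back together. The same comment (or the changelog) should say that a short read discards the unread remainder, since data_pending is already reset to 0 a few lines earlier and the buffer is now zeroed in full. The wipe also relies on the value read from data_pending never exceeding the size of chip->data_buffer; that bound is not visible in this hunk and is worth confirming. Minor: the new declaration sits directly after the /* relay data */ comment inside the if block, and a name that says what the value is (the pending length) would read better than orig_ret_size.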