xorl %eax, %eax

CVE-2011-1160: Linux kernel TPM Device Driver Information Leak


Reported by Peter Huewe, this issue was in the tpm_open() routine, which resides in the drivers/char/tpm/tpm.c file of the Linux kernel.

/*
 * Device file system interface to the TPM
 *
 * It's assured that the chip will be opened just once,
 * by the check of is_open variable, which is protected
 * by driver_lock.
 */
int tpm_open(struct inode *inode, struct file *file)
{
        int minor = iminor(inode);
        struct tpm_chip *chip = NULL, *pos;
   ...
        chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
        if (chip->data_buffer == NULL) {
   ...
        file->private_data = chip;
        return 0;
}
EXPORT_SYMBOL_GPL(tpm_open);

For performance reasons kmalloc() does not clear the memory it returns, so chip->data_buffer initially holds whatever the previous owner of that heap memory left behind. Any later access that copies the buffer back to user space before it has been fully overwritten therefore discloses uninitialized kernel heap contents.

Clearly, the fix was to use a routine that zeroes the buffer at allocation: kzalloc() is kmalloc() with __GFP_ZERO, so the buffer starts out all zeros. Note that zeroing at allocation only covers the initial contents; a buffer that is reused across operations still has to be cleared, or the amount copied out of it bounded, between them.
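To make the difference concrete, here is an added user-space model (not kernel code and not from the original post) of the allocation behaviour that causes the leak. toy_kmalloc(), toy_kzalloc() and toy_kfree() are assumed stand-ins for a slab cache that hands the same slot back to same-sized requests without clearing it; model_open() and model_read() are assumed stand-ins for tpm_open() and the driver's read path. The "previous owner" secret is constructed for the example.

```c
/* Added example: user-space model of kmalloc() vs kzalloc() in tpm_open().
 * Assumptions: toy_kmalloc/toy_kzalloc/toy_kfree model a slab cache that
 * reuses one slot without scrubbing it; model_open/model_read stand in for
 * tpm_open()/tpm_read(). The secret below is constructed for the demo. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TPM_BUFSIZE 4096

static unsigned char slab_slot[TPM_BUFSIZE];
static int slab_in_use;

static void *toy_kmalloc(size_t n)
{
    if (n > TPM_BUFSIZE || slab_in_use)
        return NULL;
    slab_in_use = 1;
    return slab_slot;       /* whatever the previous owner left is still here */
}

static void *toy_kzalloc(size_t n)
{
    void *p = toy_kmalloc(n);
    if (p)
        memset(p, 0, n);    /* what __GFP_ZERO does for the real kzalloc() */
    return p;
}

static void toy_kfree(void *p)
{
    if (p == slab_slot)
        slab_in_use = 0;    /* contents are not scrubbed on free either */
}

struct tpm_chip {
    unsigned char *data_buffer;
    size_t data_pending;    /* bytes the read path will hand to user space */
};

/* A previous user of the slot stored something sensitive and freed it. */
static void previous_owner_leaves_secret(void)
{
    static const char secret[] = "prev-owner-secret:0xDEADBEEF"; /* constructed */
    unsigned char *p = toy_kmalloc(TPM_BUFSIZE);
    memcpy(p, secret, sizeof secret);
    toy_kfree(p);
}

/* Stand-in for tpm_open(): zeroed selects the fixed (kzalloc) behaviour. */
static int model_open(struct tpm_chip *chip, int zeroed)
{
    chip->data_buffer = zeroed ? toy_kzalloc(TPM_BUFSIZE)
                               : toy_kmalloc(TPM_BUFSIZE);
    chip->data_pending = 0;
    return chip->data_buffer ? 0 : -1;
}

/* Stand-in for the read path: copies data_pending bytes out of data_buffer.
 * In the driver data_pending comes from the TPM response; here the caller
 * sets it to show what a read of not-yet-written buffer space discloses. */
static size_t model_read(struct tpm_chip *chip, unsigned char *out, size_t len)
{
    size_t n = chip->data_pending < len ? chip->data_pending : len;
    memcpy(out, chip->data_buffer, n);
    chip->data_pending = 0;
    return n;
}

/* Open with or without zeroing and count how many non-zero bytes of the
 * previous owner's data reach user space on a read before any command. */
size_t leaked_secret_bytes(int zeroed)
{
    struct tpm_chip chip;
    unsigned char out[TPM_BUFSIZE];
    size_t i, n, leaked = 0;

    slab_in_use = 0;
    previous_owner_leaves_secret();
    if (model_open(&chip, zeroed) != 0)
        return 0;
    chip.data_pending = TPM_BUFSIZE;
    n = model_read(&chip, out, sizeof out);
    for (i = 0; i < n; i++)
        if (out[i] != 0)
            leaked++;
    toy_kfree(chip.data_buffer);
    return leaked;
}

int main(void)
{
    printf("kmalloc: %zu non-zero bytes visible to user space\n",
           leaked_secret_bytes(0));
    printf("kzalloc: %zu non-zero bytes visible to user space\n",
           leaked_secret_bytes(1));
    return 0;
}
```

With the kmalloc-style allocation every byte of the earlier secret is still in the buffer when it is copied out; with the kzalloc-style allocation the same read returns only zeros. The model deliberately keeps the read path unchanged between the two runs, which is exactly the shape of the real fix.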

 
-	chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
+	chip->data_buffer = kzalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
 	if (chip->data_buffer == NULL) {
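Review bot: zeroing at allocation only fixes the first use of chip->data_buffer; this hunk changes nothing on the read path, so bytes left over from an earlier command remain readable there unless the driver also clears the buffer, or bounds what it copies out, between operations. Minor style point on the same line: `TPM_BUFSIZE * sizeof(u8)` is just `TPM_BUFSIZE`, since sizeof(u8) is 1, so `kzalloc(TPM_BUFSIZE, GFP_KERNEL)` reads cleaner.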

Written by xorl

June 5, 2011 at 18:01

Posted in bugs, linux
