lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LRH.2.00.1103220956350.14837@tundra.namei.org>
Date:	Tue, 22 Mar 2011 10:01:00 +1100 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Rajiv Andrade <srajiv@...ux.vnet.ibm.com>
cc:	Linux kernel mailing list <linux-kernel@...r.kernel.org>,
	Peter Huewe <huewe.external.infineon@...glemail.com>
Subject: Re: [GIT PULL] TPM driver robustness fixes

On Wed, 16 Mar 2011, Rajiv Andrade wrote:

> Hi James,
> 
> 
> The following changes since commit 2e270d84223262a38d4755c61d55f5c73ea89e56:
> 
>   Merge branch 'for-linus' of
> git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 (2011-03-16
> 13:26:17 -0700)
> 
> are available in the git repository at:
> 
>   git://tpmdd.git.sourceforge.net/gitroot/tpmdd/tpmdd/ for-james
> 
> Peter Huewe (3):
> 
>       This patch changes the call of tpm_transmit by supplying the size of the
> userspace buffer instead of TPM_BUFSIZE
> 
>       This patch fixes information leakage to the userspace by initializing
> the data buffer to zero
> 
>       Since the buffer might contain security related data it might be a good
> idea to zero the buffer after we have copied it to userspace.

These patches don't have proper subjects.

Also:

                if (copy_to_user(buf, chip->data_buffer, ret_size))
                        ret_size = -EFAULT;
+               memset(chip->data_buffer, 0, ret_size);


Consider what happens in memset if copy_to_user fails.

One of the patches is flagged with "Discussion needed ...", without any 
evidence of that the discussion happened.



- James
-- 
James Morris
<jmorris@...ei.org>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ