char/tpm: Fix unitialized usage of data buffer

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.

Reported-by: Peter Huewe <[email protected]>
Signed-off-by: Peter Huewe <[email protected]>
Signed-off-by: Marcel Selhorst <[email protected]>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: Linus Torvalds <[email protected]>

diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c
index 1f46f1cd9225c3c0d2a894bc80d3d1e74fe012e7..7beb0e25f1e1e2ca192ae563eb43f6dc0147f8f8 100644 (file)
--- a/drivers/char/tpm/tpm.c
+++ b/drivers/char/tpm/tpm.c
@@ -980,7 +980,7 @@ int tpm_open(struct inode *inode, struct file *file)
                return -EBUSY;
        }
 
-       chip->data_buffer = kmalloc(TPM_BUFSIZE * sizeof(u8), GFP_KERNEL);
+       chip->data_buffer = kzalloc(TPM_BUFSIZE, GFP_KERNEL);
        if (chip->data_buffer == NULL) {
                clear_bit(0, &chip->is_open);
                put_device(chip->dev);