tpm: Fix auth session leak in tpm2_get_random() error path

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

When tpm_buf_fill_hmac_session() fails inside the do-while loop in
tpm2_get_random(), the function returns directly after destroying the
buffer, without ending the auth session via tpm2_end_auth_session().

This leaks the TPM auth session resource. All other error paths within
the loop correctly reach the 'out' label which calls both
tpm_buf_destroy() and tpm2_end_auth_session().

Fix this by replacing the early return with a goto to the existing 'out'
label, which already handles both cleanup operations. The redundant
tpm_buf_destroy() call is removed since 'out' takes care of it.

Cc: stable@vger.kernel.org # v6.19+
Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size")
Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
Reviewed-by: Justinien Bouron <jbouron@amazon.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

authored by

Gunnar Kudrjavets and committed by

Jarkko Sakkinen 2 weeks ago 666c1a2c bb7a4e3b

+2 -4

1 changed file

expand all

drivers

char

tpm

tpm2-cmd.c

+2 -4

drivers/char/tpm/tpm2-cmd.c

··· 295 295 } 296 296 tpm_buf_append_u16(&buf, num_bytes); 297 297 err = tpm_buf_fill_hmac_session(chip, &buf); 298 - if (err) { 299 - tpm_buf_destroy(&buf); 300 - return err; 301 - } 298 + if (err) 299 + goto out; 302 300 303 301 err = tpm_transmit_cmd(chip, &buf, 304 302 offsetof(struct tpm2_get_random_out,

Configure Feed

Configure Feed