[PATCH] tpm: Fix auth session leak in tpm2_get_random() error path

[PATCH] tpm: Fix auth session leak in tpm2_get_random() error path

[Gunnar Kudrjavets]

When tpm_buf_fill_hmac_session() fails inside the do-while loop in
tpm2_get_random(), the function returns directly after destroying the
buffer, without ending the auth session via tpm2_end_auth_session().

This leaks the TPM auth session resource. All other error paths within
the loop correctly reach the 'out' label which calls both
tpm_buf_destroy() and tpm2_end_auth_session().

Fix this by replacing the early return with a goto to the existing 'out'
label, which already handles both cleanup operations. The redundant
tpm_buf_destroy() call is removed since 'out' takes care of it.

Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size")
Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
Reviewed-by: Justinien Bouron <jbouron@amazon.com>
---
 drivers/char/tpm/tpm2-cmd.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
index e00f668f8c84..b11e6fa8b740 100644
--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -295,10 +295,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
 		}
 		tpm_buf_append_u16(&buf, num_bytes);
 		err = tpm_buf_fill_hmac_session(chip, &buf);
-		if (err) {
-			tpm_buf_destroy(&buf);
-			return err;
-		}
+		if (err)
+			goto out;
 
 		err = tpm_transmit_cmd(chip, &buf,
 				       offsetof(struct tpm2_get_random_out,

base-commit: 7f2a32c0e87814f0e7852b17fa9f10321f882c36
-- 
2.47.3

Re: [PATCH] tpm: Fix auth session leak in tpm2_get_random() error path

[Jarkko Sakkinen]

On Thu, Apr 02, 2026 at 06:11:39PM +0000, Gunnar Kudrjavets wrote:
> When tpm_buf_fill_hmac_session() fails inside the do-while loop in
> tpm2_get_random(), the function returns directly after destroying the
> buffer, without ending the auth session via tpm2_end_auth_session().
> 
> This leaks the TPM auth session resource. All other error paths within
> the loop correctly reach the 'out' label which calls both
> tpm_buf_destroy() and tpm2_end_auth_session().
> 
> Fix this by replacing the early return with a goto to the existing 'out'
> label, which already handles both cleanup operations. The redundant
> tpm_buf_destroy() call is removed since 'out' takes care of it.
> 
> Fixes: 6e9722e9a7bf ("tpm2-sessions: Fix out of range indexing in name_size")
> Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
> Reviewed-by: Justinien Bouron <jbouron@amazon.com>
> ---
>  drivers/char/tpm/tpm2-cmd.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/char/tpm/tpm2-cmd.c b/drivers/char/tpm/tpm2-cmd.c
> index e00f668f8c84..b11e6fa8b740 100644
> --- a/drivers/char/tpm/tpm2-cmd.c
> +++ b/drivers/char/tpm/tpm2-cmd.c
> @@ -295,10 +295,8 @@ int tpm2_get_random(struct tpm_chip *chip, u8 *dest, size_t max)
>  		}
>  		tpm_buf_append_u16(&buf, num_bytes);
>  		err = tpm_buf_fill_hmac_session(chip, &buf);
> -		if (err) {
> -			tpm_buf_destroy(&buf);
> -			return err;
> -		}
> +		if (err)
> +			goto out;
>  
>  		err = tpm_transmit_cmd(chip, &buf,
>  				       offsetof(struct tpm2_get_random_out,
> 
> base-commit: 7f2a32c0e87814f0e7852b17fa9f10321f882c36
> -- 
> 2.47.3
> 

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko