Commit 666c1a2c authored Apr 08, 2026 by Gunnar Kudrjavets Committed by Jarkko Sakkinen Apr 21, 2026

tpm: Fix auth session leak in tpm2_get_random() error path



When tpm_buf_fill_hmac_session() fails inside the do-while loop in
tpm2_get_random(), the function returns directly after destroying the
buffer, without ending the auth session via tpm2_end_auth_session().

This leaks the TPM auth session resource. All other error paths within
the loop correctly reach the 'out' label which calls both
tpm_buf_destroy() and tpm2_end_auth_session().

Fix this by replacing the early return with a goto to the existing 'out'
label, which already handles both cleanup operations. The redundant
tpm_buf_destroy() call is removed since 'out' takes care of it.

Cc: stable@vger.kernel.org # v6.19+
Fixes: 6e9722e9 ("tpm2-sessions: Fix out of range indexing in name_size")
Signed-off-by: Gunnar Kudrjavets <gunnarku@amazon.com>
Reviewed-by: Justinien Bouron <jbouron@amazon.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

parent bb7a4e3b

drivers/char/tpm/tpm2-cmd.c

+2 −4

Original line number	Diff line number	Diff line
		@@ -295,10 +295,8 @@ int tpm2_get_random(struct tpm_chip chip, u8 dest, size_t max)
		}
		tpm_buf_append_u16(&buf, num_bytes);
		err = tpm_buf_fill_hmac_session(chip, &buf);
		if (err) {
		tpm_buf_destroy(&buf);
		return err;
		}
		if (err)
		goto out;

		err = tpm_transmit_cmd(chip, &buf,
		offsetof(struct tpm2_get_random_out,