When tpm_buf_append_name() is called with a non-NULL name for a
handle, the code skips the tpm2_read_public() path (which sets
name_size_alg from the return value) and falls through to memcpy()
with an uninitialized name_size_alg as the size argument.

The contract for tpm_buf_append_name() supports callers passing a
non-NULL name. No current in-tree callers do so, making this a latent
bug that would trigger if a caller ever provides a pre-computed name
for a handle.

Fix this by restructuring the if/else to call name_size() when name
is provided, sharing the error check and name_size_alg assignment
with the existing tpm2_read_public() path. This restores the type of
validation that existed before commit bda1cbf73c6e ("tpm2-sessions:
Fix tpm2_read_public range checks") refactored the function.

Tested with KASAN by assigning 0xDEAD to name_size_alg to simulate an
undefined initial value. Calling tpm_buf_append_name() with a non-NULL
value for name results in the following warnings from KASAN:

BUG: KASAN: stack-out-of-bounds in tpm_buf_append_name+0x1e0/0x680
Read of size 57005 at addr ffff80009e5e79f0 by task sh/49616
Call trace:
show_stack+0x34/0xa0 (C)
dump_stack_lvl+0x5c/0x80
print_report+0x160/0x4b8
kasan_report+0x7c/0xd0
kasan_check_range+0xe8/0x190
__asan_memcpy+0x3c/0xa0
tpm_buf_append_name+0x1e0/0x680
run_test.isra.0+0x14c/0x1d8

There are no KASAN errors with the fix applied, and the function
behaves as expected.

Fixes: bda1cbf73c6e ("tpm2-sessions: Fix tpm2_read_public range checks")
Assisted-by: Kiro:claude-opus-4.6
Reviewed-by: Justinien Bouron <[email protected]>
Reviewed-by: Muhammad Hammad Ijaz <[email protected]>
Signed-off-by: Gunnar Kudrjavets <[email protected]>
---
drivers/char/tpm/tpm2-sessions.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/char/tpm/tpm2-sessions.c b/drivers/char/tpm/tpm2-sessions.c
index c4da6fde748f..795cd99dc6fe 100644
--- a/drivers/char/tpm/tpm2-sessions.c
+++ b/drivers/char/tpm/tpm2-sessions.c
@@ -285,11 +285,14 @@ int tpm_buf_append_name(struct tpm_chip *chip, struct
tpm_buf *buf,
mso == TPM2_MSO_NVRAM) {
if (!name) {
ret = tpm2_read_public(chip, handle, auth->name[slot]);
- if (ret < 0)
- goto err;
-
- name_size_alg = ret;
+ } else {
+ ret = name_size(name);
}
+
+ if (ret < 0)
+ goto err;
+
+ name_size_alg = ret;
} else {
if (name) {
dev_err(&chip->dev, "handle 0x%08x does not use a
name\n",
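Review bot: the shared `if (ret < 0) goto err;` only protects the new `ret = name_size(name);` branch if name_size() returns a negative errno for a name whose algorithm prefix it does not recognise and its result never exceeds the destination of the later memcpy(); neither property is visible in this hunk, so it is worth confirming and stating in a short comment above the if/else rather than leaving the reader to infer it from the tpm2_read_public() path. A one-line comment that `ret` carries the name length from either branch would also make the shared `name_size_alg = ret;` assignment easier to follow.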
base-commit: 9ec4175a30eb5adb95e446af83ddf6cb3286a82a
--
2.47.3
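As an added illustration of the control flow the patch introduces (a constructed C model, not the driver's code), the name-length check below rejects an unrecognised algorithm prefix before its length can reach memcpy(), which is the property the shared error check depends on. The TPM2B_NAME layout, the slot size and the read_public() stand-in are assumptions of this model; name_size() in the real driver may differ.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the fixed control flow, not the driver's own code.
 * A TPM2B_NAME is a 2-byte big-endian TPM_ALG_ID followed by its digest. */
#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000B
#define TPM_ALG_SHA384 0x000C
#define TPM_ALG_SHA512 0x000D

/* Total name length for a known digest algorithm, else -EINVAL. The negative
 * return is what lets the shared `if (ret < 0)` check reject a bad name. */
static int name_size(const uint8_t *name)
{
	uint16_t alg = (uint16_t)((name[0] << 8) | name[1]);
	switch (alg) {
	case TPM_ALG_SHA1:   return 2 + 20;
	case TPM_ALG_SHA256: return 2 + 32;
	case TPM_ALG_SHA384: return 2 + 48;
	case TPM_ALG_SHA512: return 2 + 64;
	default:             return -EINVAL;
	}
}

/* Stand-in for tpm2_read_public(): fills the slot with a constructed
 * SHA-256 name and returns its length, as the real call reports it. */
static int read_public(uint8_t *slot)
{
	slot[0] = 0x00; slot[1] = 0x0B;        /* TPM_ALG_SHA256, big-endian */
	memset(slot + 2, 0xA5, 32);            /* constructed digest bytes */
	return 34;
}

/* Both branches assign ret; the error check and the name_size_alg
 * assignment are shared, so the memcpy() size is always a validated value.
 * slot is assumed to hold at least 66 bytes (2 + SHA-512 digest). */
static int append_name(const uint8_t *name, uint8_t *slot)
{
	int ret, name_size_alg;
	if (!name)
		ret = read_public(slot);
	else
		ret = name_size(name);
	if (ret < 0)
		return ret;                    /* models `goto err` */
	name_size_alg = ret;
	if (name)
		memcpy(slot, name, (size_t)name_size_alg);
	return name_size_alg;
}
```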