Re: [PATCH] tpm: Fix uninitialized name_size_alg in tpm_buf_append_name()

From: Jarkko Sakkinen

Date: Sat May 09 2026 - 15:35:27 EST


On Thu, May 07, 2026 at 08:18:22PM +0000, Gunnar Kudrjavets wrote:
> When tpm_buf_append_name() is called with a non-NULL name for a
> handle, the code skips the tpm2_read_public() path (which sets
> name_size_alg from the return value) and falls through to memcpy()
> with an uninitialized name_size_alg as the size argument.
>
> The contract for tpm_buf_append_name() supports callers passing a
> non-NULL name. No current in-tree callers do so, making this a latent
> bug that would trigger if a caller ever provides a pre-computed name
> for a handle.

This is a great observation, but it is not a regression technically.

Thus, this really should just state the issue and not make it
look like a bug report based on a transcript that does not happen
in the wild.

I guess this is better than parameter removal since name caching
would make sense [1] in the future.

[1] Already done but gathered zero interest at the time:
https://lore.kernel.org/linux-integrity/20260125192526.782202-1-jarkko@xxxxxxxxxx/
Probably the patch set should be reworked to have only relevant patches,
as my tpm_get_random() patches did not gather too much following :-)

BR, Jarkko
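
The pattern from the quoted commit message, as an added user-space example that is not part of this thread or of the kernel source: the size passed to memcpy() is assigned on both branches, and for a caller-supplied name it is derived from the name itself. All model_* names are hypothetical, and the example assumes the TPM 2.0 name layout of a 2-byte big-endian nameAlg followed by the digest.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_NAME (2 + 64)   /* nameAlg + largest digest handled here */

/* Hypothetical helper: size of a TPM 2.0 name, or 0 for an unknown nameAlg. */
static size_t model_name_size(const uint8_t *name)
{
    switch ((name[0] << 8) | name[1]) {
    case 0x0004: return 2 + 20;   /* SHA-1 */
    case 0x000B: return 2 + 32;   /* SHA-256 */
    case 0x000C: return 2 + 48;   /* SHA-384 */
    case 0x000D: return 2 + 64;   /* SHA-512 */
    default:     return 0;
    }
}

/* Hypothetical stand-in for the read-public path: writes a constructed
 * SHA-256 name for the handle and returns its size. */
static size_t model_read_public(uint32_t handle, uint8_t *out)
{
    memset(out, (int)(handle & 0xff), 2 + 32);
    out[0] = 0x00; out[1] = 0x0B;
    return 2 + 32;
}

/* Model of the append step. Returns bytes copied, or -1 on a bad name. */
static int model_append_name(uint8_t *dst, size_t cap, uint32_t handle,
                             const uint8_t *name)
{
    uint8_t fetched[MAX_NAME];
    size_t size;   /* the latent pattern leaves this unset when name != NULL */
    if (!name) {
        size = model_read_public(handle, fetched);
        name = fetched;
    } else {
        size = model_name_size(name);   /* size comes from the name itself */
    }
    if (size == 0 || size > cap)
        return -1;   /* unknown algorithm or destination too small */
    memcpy(dst, name, size);
    return (int)size;
}

int main(void)
{
    uint8_t dst[MAX_NAME], name[2 + 32] = { 0x00, 0x0B };   /* constructed */
    printf("%d\n", model_append_name(dst, sizeof(dst), 0x80000001u, name));
    return 0;
}
```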