On Thu, May 07, 2026 at 08:18:22PM +0000, Gunnar Kudrjavets wrote:
> When tpm_buf_append_name() is called with a non-NULL name for a
> handle, the code skips the tpm2_read_public() path (which sets
> name_size_alg from the return value) and falls through to memcpy()
> with an uninitialized name_size_alg as the size argument.
> 
> The contract for tpm_buf_append_name() supports callers passing a
> non-NULL name. No current in-tree callers do so, making this a latent
> bug that would trigger if a caller ever provides a pre-computed name
> for a handle.

This is a great observation, but it is not technically a regression.

Thus, this really should just state the issue and not make it
look like a bug report based on a transcript that does not happen
in the wild.

I guess this is better than parameter removal since name caching
would make sense [1] in future.

[1] Already done but gathered zero interest at the time:
    https://lore.kernel.org/linux-integrity/[email protected]/
    Probably the patch set should be reworked to have only relevant patches,
    as my tpm_get_random() patches did not gather too much following :-)

BR, Jarkko
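The latent bug quoted above is a two-path helper where only one path assigns the size that memcpy() later consumes. The following is an added, simplified model written for this thread; it is not the kernel's tpm_buf_append_name(), tpm2_read_public() or struct tpm_buf. The names model_buf, model_read_public(), model_digest_len() and model_append_name() are hypothetical stand-ins, the handle and digests are constructed sample values, and deriving the size of a caller-supplied name from the algorithm id it carries is one possible hardening, not the fix applied in the patch under discussion.

```c
/* Added illustrative model of the two paths described in the report:
 * name == NULL -> look the name up (size comes from the lookup's return
 * value); name != NULL -> use the caller's pre-computed name. In the
 * reported code the second path never assigned name_size_alg; here both
 * paths do, and unknown sizes are refused rather than guessed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TPM 2.0 hash algorithm identifiers (TCG Algorithm Registry). */
#define TPM_ALG_SHA1   0x0004
#define TPM_ALG_SHA256 0x000B
#define TPM_ALG_SHA384 0x000C
#define TPM_ALG_SHA512 0x000D

/* A TPM2 name is a 2-byte big-endian algorithm id followed by the digest. */
#define NAME_MAX (2 + 64)

struct model_buf {              /* hypothetical stand-in for struct tpm_buf */
	uint8_t data[512];
	size_t  len;
};

/* Digest length implied by a name's algorithm id, or -1 when unknown. */
static int model_digest_len(const uint8_t *name)
{
	uint16_t alg = (uint16_t)(((uint16_t)name[0] << 8) | name[1]);

	switch (alg) {
	case TPM_ALG_SHA1:   return 20;
	case TPM_ALG_SHA256: return 32;
	case TPM_ALG_SHA384: return 48;
	case TPM_ALG_SHA512: return 64;
	default:             return -1;
	}
}

/* Hypothetical stand-in for tpm2_read_public(): fills a constructed
 * SHA-256 name for the handle and returns the name size, mirroring how
 * the real lookup's return value is what sets name_size_alg. */
static int model_read_public(uint32_t handle, uint8_t *name)
{
	name[0] = 0x00;
	name[1] = 0x0B;                                    /* TPM_ALG_SHA256 */
	memset(name + 2, (int)(handle & 0xFF), 32);        /* constructed digest */
	return 2 + 32;
}

/* Appends a name to the buffer; returns bytes appended or -1 on error.
 * name_size_alg is assigned on BOTH paths before it reaches memcpy(). */
static int model_append_name(struct model_buf *buf, uint32_t handle,
			     const uint8_t *name)
{
	uint8_t local[NAME_MAX];
	int name_size_alg;

	if (!name) {
		name_size_alg = model_read_public(handle, local);
		name = local;
	} else {
		int dlen = model_digest_len(name);

		if (dlen < 0)
			return -1;      /* unknown alg: refuse rather than guess a size */
		name_size_alg = 2 + dlen;
	}

	if (buf->len + (size_t)name_size_alg > sizeof(buf->data))
		return -1;              /* no room: never write past the buffer */

	memcpy(buf->data + buf->len, name, (size_t)name_size_alg);
	buf->len += (size_t)name_size_alg;
	return name_size_alg;
}

/* Exercises either path on a fresh buffer with a constructed handle. */
static int model_demo(int use_precomputed)
{
	struct model_buf buf = { .len = 0 };
	uint8_t pre[2 + 20] = { 0x00, 0x04 };  /* constructed SHA-1 name */

	memset(pre + 2, 0xAA, 20);
	return model_append_name(&buf, 0x81000001u, use_precomputed ? pre : NULL);
}
```

model_demo(0) takes the lookup path and appends 34 bytes; model_demo(1) takes the pre-computed path and appends 22 bytes; a name with an unrecognised algorithm id is rejected instead of being copied with an unset length.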
