From b36fe93161e35a5f869dd3e55dd6db965cc13ea0 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Feb 2026 12:03:11 -0500 Subject: [PATCH 1/7] tpm2: Resolve a false-positive issue with detected by gcc -fanalyzer gcc's -fanalyzer claims that strtoul() may be called with str == NULL. However, this cannot happen since in this case retVal would have been set from the call to RuntimeProfileGetFromJSON(). In case of error returned from RuntimeProfileGetFromJSON() we would not get to call strtoul(). So this is a false-positive. Signed-off-by: Stefan Berger --- src/tpm2/RuntimeProfile.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/tpm2/RuntimeProfile.c b/src/tpm2/RuntimeProfile.c index a0afd5229..ffd95c38c 100644 --- a/src/tpm2/RuntimeProfile.c +++ b/src/tpm2/RuntimeProfile.c @@ -418,6 +418,9 @@ GetStateFormatLevelFromJSON(const char *json, if (retVal) return retVal; + if (!str) /* str==NULL cannot happen without retVal having been set; -fanalyzer issue */ + return TPM_RC_FAILURE; + errno = 0; v = strtoul(str, NULL, 10); if (v > UINT_MAX || errno) { From 9a4950621e1aa8727db38bc3aa19f542d43b0306 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Feb 2026 12:32:39 -0500 Subject: [PATCH 2/7] tpm12: Cast sizeof result to uint32_t to match va_arg type (-fanalyzer) Resolve the following gcc -fanalyzer issue by casting the result of sizeof() to uint32_t. tpm12/tpm_cryptoh.c:977:16: warning: 'va_arg' expected 'uint32_t' \ {aka 'unsigned int'} but received 'long unsigned int' \ for variadic argument 3 of 'ap' [CWE-686] [-Wanalyzer-va-arg-type-mismatch] Signed-off-by: Stefan Berger --- src/tpm12/tpm_cryptoh.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tpm12/tpm_cryptoh.c b/src/tpm12/tpm_cryptoh.c index 62fc43898..124ee2f84 100644 --- a/src/tpm12/tpm_cryptoh.c +++ b/src/tpm12/tpm_cryptoh.c 
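Review bot: In GetStateFormatLevelFromJSON (src/tpm2/RuntimeProfile.c), the `strtoul(str, NULL, 10)` call after the new NULL guard passes no end pointer, so an empty or non-numeric string can parse as 0 and trailing characters are ignored without error. Where `unsigned long` is 32 bits wide, the `v > UINT_MAX` test can also never be true, so range detection rests on `errno` alone. Unless RuntimeProfileGetFromJSON already restricts the extracted value to digits (not visible in this hunk), consider `char *end; v = strtoul(str, &end, 10);` and rejecting `end == str || *end != '\0'`. The function body continues outside the hunk.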
@@ -2374,7 +2374,7 @@ TPM_RESULT TPM_CryptoTest(void) if (rc == 0) { printf(" TPM_CryptoTest: Test 1 - SHA1 one part\n"); rc = TPM_SHA1(actual, - sizeof(buffer1) - 1, buffer1, + (uint32_t)sizeof(buffer1) - 1, buffer1, 0, NULL); } if (rc == 0) { @@ -2390,7 +2390,7 @@ TPM_RESULT TPM_CryptoTest(void) printf(" TPM_CryptoTest: Test 2 - SHA1 two parts\n"); rc = TPM_SHA1(actual, 16, buffer1, /* first 16 */ - sizeof(buffer1) - 17, buffer1 + 16, /* rest */ + (uint32_t)sizeof(buffer1) - 17, buffer1 + 16, /* rest */ 0, NULL); } if (rc == 0) { From 19fa5af4f43f14178088bf8fe28055b2dce7d6bc Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Feb 2026 12:44:07 -0500 Subject: [PATCH 3/7] tpm12: Initialize continueAuthSession to avoid -fanalyzer error Resolve the following gcc -fanalyzer issue by initializing the variable. tpm12/tpm_migration.c: In function 'TPM_Process_CMK_CreateBlob': tpm12/tpm_migration.c:3389:10: warning: use of uninitialized value 'continueAuthSession' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 3389 | !continueAuthSession) && | ^~~~~~~~~~~~~~~~~~~~ Signed-off-by: Stefan Berger --- src/tpm12/tpm_migration.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tpm12/tpm_migration.c b/src/tpm12/tpm_migration.c index af856e574..4cf87c369 100644 --- a/src/tpm12/tpm_migration.c +++ b/src/tpm12/tpm_migration.c @@ -2898,7 +2898,7 @@ TPM_RESULT TPM_Process_CMK_CreateBlob(tpm_state_t *tpm_state, TPM_AUTHHANDLE parentAuthHandle; /* The authorization handle used for the parent key. */ TPM_NONCE nonceOdd; /* Nonce generated by system associated with parentAuthHandle */ - TPM_BOOL continueAuthSession; /* Continue use flag for parent session */ + TPM_BOOL continueAuthSession = FALSE;/* Continue use flag for parent session */ TPM_AUTHDATA parentAuth; /* The authorization digest for inputs and parentHandle. HMAC key: parentKey.usageAuth. */ From 29433b9d10fe052c70c083a64db24814691f0b36 Mon Sep 17 00:00:00 2001 
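Review bot: In TPM_CryptoTest (src/tpm12/tpm_cryptoh.c), `(uint32_t)sizeof(buffer1) - 1` casts only the `sizeof` result and relies on the usual arithmetic conversions to keep the difference a `uint32_t`. That works, but the reader has to work out the precedence. Writing `(uint32_t)(sizeof(buffer1) - 1)` makes the type of the argument handed to the variadic TPM_SHA1 explicit, and the same applies to `(uint32_t)sizeof(buffer1) - 17` in the Test 2 hunk. Going by the analyzer message in the commit text, the lengths are read with `va_arg` as `uint32_t`, so a one-line comment at these calls saying so would help stop a later edit from passing a `size_t` again.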
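Review bot: In TPM_Process_CMK_CreateBlob (src/tpm12/tpm_migration.c), the new `= FALSE` initializer chooses the value used on any path where `continueAuthSession` is never read from the command, but the declaration does not say why FALSE is the right default. The analyzer message quotes the use as `!continueAuthSession) &&`, so FALSE presumably makes that condition true and the session is not kept alive; this is inferred, because line 3389 is outside the hunk. I would record the reasoning in the comment, e.g. `/* Continue use flag for parent session; FALSE by default so an unparsed flag never keeps the session */`, and put a space between `FALSE;` and the comment.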
From: Stefan Berger Date: Wed, 11 Feb 2026 13:15:36 -0500 Subject: [PATCH 4/7] tpm12: Resolve some issues detected by gcc -fanalyzer in tpm_session.c Resolve the following issues detected by gcc's -fanalyzer: tpm12/tpm_session.c: In function 'TPM_AuthSessionData_Store': tpm12/tpm_session.c:187:65: warning: dereference of NULL 'tpm_auth_session_data' [CWE-476] [-Wanalyzer-null-dereference] 187 | rc = TPM_Sbuffer_Append32(sbuffer, tpm_auth_session_data->handle); tpm12/tpm_session.c: In function 'TPM_Process_SaveContext': tpm12/tpm_session.c:3197:41: warning: use of uninitialized value 'tpm_key_handle_entry' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 3197 | if (tpm_key_handle_entry->keyControl & TPM_KEY_CONTROL_OWNER_EVICT) { tpm12/tpm_session.c:3230:26: warning: use of uninitialized value 'tpm_key_handle_entry' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 3230 | returnCode = TPM_KeyHandleEntry_Store(&r1ContextSensitive, tpm_key_handle_entry); tpm12/tpm_session.c:3236:26: warning: use of uninitialized value 'tpm_transport_internal' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 3236 | returnCode = TPM_TransportInternal_Store(&r1ContextSensitive, tpm_transport_internal); tpm12/tpm_session.c:3239:26: warning: use of uninitialized value 'tpm_daa_session_data' [CWE-457] [-Wanalyzer-use-of-uninitialized-value] 3239 | returnCode = TPM_DaaSessionData_Store(&r1ContextSensitive, tpm_daa_session_data); Signed-off-by: Stefan Berger --- src/tpm12/tpm_session.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/src/tpm12/tpm_session.c b/src/tpm12/tpm_session.c index da1e7e58c..3428c6ce4 100644 --- a/src/tpm12/tpm_session.c +++ b/src/tpm12/tpm_session.c 
@@ -182,6 +182,11 @@ TPM_RESULT TPM_AuthSessionData_Store(TPM_STORE_BUFFER *sbuffer, TPM_RESULT rc = 0; printf(" TPM_AuthSessionData_Store:\n"); + if (rc == 0) { + if (tpm_auth_session_data == NULL) { // -fanalyzer + rc = TPM_FAIL; + } + } /* store handle */ if (rc == 0) { rc = TPM_Sbuffer_Append32(sbuffer, tpm_auth_session_data->handle); @@ -3047,10 +3052,10 @@ TPM_RESULT TPM_Process_SaveContext(tpm_state_t *tpm_state, TPM_BOOL transportEncrypt; /* wrapped in encrypted transport session */ TPM_STORE_BUFFER b1_sbuffer; /* serialization of b1 */ TPM_STCLEAR_DATA *v1StClearData = NULL; - TPM_KEY_HANDLE_ENTRY *tpm_key_handle_entry; /* key table entry for the handle */ + TPM_KEY_HANDLE_ENTRY *tpm_key_handle_entry = NULL; /* key table entry for the handle */ TPM_AUTH_SESSION_DATA *tpm_auth_session_data = NULL; /* session table entry for the handle */ - TPM_TRANSPORT_INTERNAL *tpm_transport_internal; /* transport table entry for the handle */ - TPM_DAA_SESSION_DATA *tpm_daa_session_data; /* daa session table entry for the handle */ + TPM_TRANSPORT_INTERNAL *tpm_transport_internal = NULL; /* transport table entry for the handle */ + TPM_DAA_SESSION_DATA *tpm_daa_session_data = NULL; /* daa session table entry for the handle */ TPM_NONCE *n1ContextNonce = NULL; TPM_SYMMETRIC_KEY_TOKEN k1ContextKey = NULL; TPM_STORE_BUFFER r1ContextSensitive; /* serialization of sensitive data clear text */ @@ -3180,6 +3185,11 @@ TPM_RESULT TPM_Process_SaveContext(tpm_state_t *tpm_state, printf("TPM_Process_SaveContext: Locating nonce\n"); /* a. If resourceType is TPM_RT_KEY */ if (resourceType == TPM_RT_KEY) { + if (returnCode == TPM_SUCCESS) { + if (tpm_key_handle_entry == NULL) { // -fanalyzer + returnCode = TPM_FAIL; + } + } if (returnCode == TPM_SUCCESS) { /* i. If TPM_STCLEAR_DATA -> contextNonceKey is NULLS */ TPM_Nonce_IsZero(&isZero, tpm_state->tpm_stclear_data.contextNonceKey); From 062a5f9d33cc8b04eacf6c0233b119ac612c9a56 Mon Sep 17 00:00:00 2001 
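Review bot: The `// -fanalyzer` marker on the new NULL guard in TPM_AuthSessionData_Store (src/tpm12/tpm_session.c) does not tell a maintainer whether a NULL `tpm_auth_session_data` is reachable from a caller or is only an analyzer artifact, and it uses `//` where the neighbouring lines use `/* */`. The same marker is used on the guards added in TPM_Process_SaveContext, TPM_CounterValue_StorePublic (tpm_counter.c) and TPM_Process_NVDefineSpace (tpm_nvram.c). If callers are expected always to pass a valid pointer, a comment such as `/* defensive check for gcc -fanalyzer; callers must pass a valid entry */` would state the contract, as the guard in RuntimeProfile.c in patch 1 does. Whether TPM_FAIL is the code callers should see for this internal inconsistency is worth confirming, since the callers are outside the hunks.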
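Review bot: In TPM_Process_SaveContext, the declarations hunk initializes `tpm_key_handle_entry`, `tpm_transport_internal` and `tpm_daa_session_data` to NULL, but the last hunk adds a NULL guard only for `tpm_key_handle_entry` in the `TPM_RT_KEY` branch. The commit message also lists analyzer warnings for `TPM_TransportInternal_Store(&r1ContextSensitive, tpm_transport_internal)` and `TPM_DaaSessionData_Store(&r1ContextSensitive, tpm_daa_session_data)`; after this change those calls would receive NULL instead of an indeterminate pointer on the same path. Unless those Store functions reject NULL themselves (not visible here; this series adds such a check to TPM_AuthSessionData_Store but not to them), the transport and DAA branches need the same guard, `if (tpm_transport_internal == NULL) returnCode = TPM_FAIL;` and likewise for `tpm_daa_session_data`, before the pointer is passed on. The function body extends beyond the hunks shown.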
From: Stefan Berger Date: Wed, 11 Feb 2026 13:28:25 -0500 Subject: [PATCH 5/7] tpm12: Resolve some issues detected by gcc -fanalyzer in tpm_counter.c Resolve the following issues detected by gcc's -fanalyzer: tpm12/tpm_counter.c: In function 'TPM_CounterValue_StorePublic.part.0': tpm12/tpm_counter.c:421:61: warning: dereference of NULL 'tpm_counter_value' [CWE-476] [-Wanalyzer-null-dereference] 421 | rc = TPM_Sbuffer_Append32(sbuffer, tpm_counter_value->counter); | ~~~~~~~~~~~~~~~~~^~~~~~~~~ Signed-off-by: Stefan Berger --- src/tpm12/tpm_counter.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tpm12/tpm_counter.c b/src/tpm12/tpm_counter.c index 65a2db2ad..3cd9cee7e 100644 --- a/src/tpm12/tpm_counter.c +++ b/src/tpm12/tpm_counter.c @@ -408,6 +408,11 @@ TPM_RESULT TPM_CounterValue_StorePublic(TPM_STORE_BUFFER *sbuffer, TPM_RESULT rc = 0; printf(" TPM_CounterValue_StorePublic:\n"); + if (rc == 0) { + if (tpm_counter_value == NULL) { // -fanalyzer + rc = TPM_FAIL; + } + } /* store tag */ if (rc == 0) { rc = TPM_Sbuffer_Append16(sbuffer, TPM_TAG_COUNTER_VALUE); From 3bdb4f06c1bedecd4fc75e235268ba584a9e415b Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Feb 2026 13:33:21 -0500 Subject: [PATCH 6/7] tpm12: Resolve some issues detected by gcc -fanalyzer in tpm_nvram.c Resolve the following issues detected by gcc's -fanalyzer: tpm12/tpm_nvram.c: In function 'TPM_Process_NVDefineSpace': tpm12/tpm_nvram.c:2908:20: warning: dereference of NULL 'd1_new' [CWE-476] [-Wanalyzer-null-dereference] 2908 | newNVIndex = pubInfo->nvIndex; /* save the possibly new index */ | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ Signed-off-by: Stefan Berger --- src/tpm12/tpm_nvram.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tpm12/tpm_nvram.c b/src/tpm12/tpm_nvram.c index b67e36c5b..a42826910 100644 --- a/src/tpm12/tpm_nvram.c +++ b/src/tpm12/tpm_nvram.c 
@@ -2896,6 +2896,11 @@ TPM_RESULT TPM_Process_NVDefineSpace(tpm_state_t *tpm_state, if (returnCode == TPM_SUCCESS) { returnCode = TPM_NVIndexEntries_GetFreeEntry(&d1_new, &(tpm_state->tpm_nv_index_entries)); } + if (returnCode == TPM_SUCCESS) { + if (d1_new == NULL) { // -fanalyzer + returnCode = TPM_FAIL; + } + } /* get pubInfo parameter */ if (returnCode == TPM_SUCCESS) { pubInfo = &(d1_new->pubInfo); /* pubInfo is an input parameter */ From c4916eeed8c37f7d1bdf2e9a296b99d3b7495152 Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Wed, 11 Feb 2026 13:49:02 -0500 Subject: [PATCH 7/7] tpm2: Check for NULL pointer before dereferencing it (-fanalyzer) Check that the object returned from HandleToObject is not NULL before dereferencing it. In practice, this cannot currently happen in the call paths that GetHierachy() is called because the object described by the handle is known to exist. Signed-off-by: Stefan Berger --- src/tpm2/Object.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/tpm2/Object.c b/src/tpm2/Object.c index bfe08e61a..f80264f66 100644 --- a/src/tpm2/Object.c +++ b/src/tpm2/Object.c @@ -226,7 +226,10 @@ TPMI_RH_HIERARCHY GetHierarchy(TPMI_DH_OBJECT handle // IN :object handle ) { - return HandleToObject(handle)->hierarchy; + OBJECT *object = HandleToObject(handle); // libtpms changed begin: -fanalyzer + + pAssert(object); + return object->hierarchy; // libtpms changed end } //*** FindEmptyObjectSlot()
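Review bot: In GetHierarchy (src/tpm2/Object.c), the NULL check rests entirely on `pAssert(object)`, and `object->hierarchy` is dereferenced on the next line unconditionally. If pAssert can be built to expand to nothing, or to return to the caller after recording the failure (its definition is not in this hunk), the NULL dereference is still reachable. An explicit fallback after the assert, such as `if (object == NULL) return TPM_RH_NULL;`, would keep the function safe in every build configuration. Whether TPM_RH_NULL is a value the callers handle correctly should be checked against them.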