pcr commands: Fix session leaks

Zhirang Guo · JuergenReppSIT · commit f2dcc6f9e72c · 2025-12-16T19:49:23.000+01:00
All three PCR tools had session leaks in tpm2_tool_onstop():
- tpm2_pcrextend: Authorization sessions and auxiliary sessions were
  set up but never closed, leaking all sessions.
- tpm2_pcrevent: The early return prevented auxiliary session cleanup,
  leaking all auxiliary sessions.
- tpm2_pcrread: The auxiliary session cleanup section was completely
  empty, leaking all auxiliary sessions.

This commit adds proper session cleanup to all three tools:
- Close authorization sessions with error checking
- Close auxiliary sessions in a loop with path guards
- Return accumulated error status

Signed-off-by: Zhirang Guo &lt;jonny_guo@apple.com&gt;
diff --git a/tools/tpm2_pcrevent.c b/tools/tpm2_pcrevent.c
@@ -453,11 +453,26 @@ static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
     /*
      * 2. Close authorization sessions
      */
-    return tpm2_session_close(&ctx.auth.session);
+    tool_rc rc = tool_rc_success;
+    tool_rc tmp_rc = tpm2_session_close(&ctx.auth.session);
+    if (tmp_rc != tool_rc_success) {
+        rc = tmp_rc;
+    }
 
     /*
      * 3. Close auxiliary sessions
      */
+    size_t i;
+    for (i = 0; i < ctx.aux_session_cnt; i++) {
+        if (ctx.aux_session_path[i]) {
+            tmp_rc = tpm2_session_close(&ctx.aux_session[i]);
+            if (tmp_rc != tool_rc_success) {
+                rc = tmp_rc;
+            }
+        }
+    }
+
+    return rc;
 }
 
 static void tpm2_tool_onexit(void) {
diff --git a/tools/tpm2_pcrextend.c b/tools/tpm2_pcrextend.c
@@ -236,12 +236,26 @@ static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
     /*
      * 2. Close authorization sessions
      */
+    tool_rc rc = tool_rc_success;
+    tool_rc tmp_rc = tpm2_session_close(&ctx.auth.session);
+    if (tmp_rc != tool_rc_success) {
+        rc = tmp_rc;
+    }
 
     /*
      * 3. Close auxiliary sessions
      */
+    size_t i;
+    for (i = 0; i < ctx.aux_session_cnt; i++) {
+        if (ctx.aux_session_path[i]) {
+            tmp_rc = tpm2_session_close(&ctx.aux_session[i]);
+            if (tmp_rc != tool_rc_success) {
+                rc = tmp_rc;
+            }
+        }
+    }
 
-    return tool_rc_success;
+    return rc;
 }
 
 static void tpm2_tool_onexit(void) {
diff --git a/tools/tpm2_pcrread.c b/tools/tpm2_pcrread.c
@@ -313,8 +313,19 @@ static tool_rc tpm2_tool_onstop(ESYS_CONTEXT *ectx) {
     /*
      * 3. Close auxiliary sessions
      */
+    tool_rc rc = tool_rc_success;
+    tool_rc tmp_rc = tool_rc_success;
+    size_t i;
+    for (i = 0; i < ctx.aux_session_cnt; i++) {
+        if (ctx.aux_session_path[i]) {
+            tmp_rc = tpm2_session_close(&ctx.aux_session[i]);
+            if (tmp_rc != tool_rc_success) {
+                rc = tmp_rc;
+            }
+        }
+    }
 
-    return tool_rc_success;
+    return rc;
 }
 
 // Register this tool with tpm2_tool.c
