!32 fix more oss-fuzz

From: @zou_lin77
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
This commit is contained in:
openeuler-ci-bot 2021-08-23 01:43:49 +00:00 committed by Gitee
commit e816bcd897
13 changed files with 753 additions and 1 deletions


@ -0,0 +1,32 @@
From 61eb4e487e00ed6758a62f07222488c5ec5fdb42 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 30 Nov 2020 14:15:59 +0100
Subject: [PATCH] card: Correctly free pointers durint cache invalidation
As the whole structure is memset(0) on the following line,
we need to clean the pointers before doing so.
Thanks oss-fuzz
Related to:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27797
---
src/libopensc/card.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libopensc/card.c b/src/libopensc/card.c
index 0de8b7e..03c3cc8 100644
--- a/src/libopensc/card.c
+++ b/src/libopensc/card.c
@@ -1367,6 +1367,8 @@ scconf_block *sc_get_conf_block(sc_context_t *ctx, const char *name1, const char
void sc_invalidate_cache(struct sc_card *card)
{
if (card) {
+ sc_file_free(card->cache.current_ef);
+ sc_file_free(card->cache.current_df);
memset(&card->cache, 0, sizeof(card->cache));
card->cache.valid = 0;
}
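Review bot: The two new sc_file_free() calls run regardless of card->cache.valid, whereas the iasecc driver patched in this same series only frees current_df/current_ef when cache.valid is set; if any driver clears valid without also nulling these two pointers, this becomes a free of a dangling pointer. The memset on the following line does null them afterwards, so repeated calls to sc_invalidate_cache itself are safe. A short comment stating the invariant this relies on would help the next reader: `/* current_ef/current_df must be NULL or cache-owned even when cache.valid == 0 */`.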
--
1.8.3.1


@ -0,0 +1,43 @@
From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 4 Feb 2021 13:11:01 +0100
Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer
overrun
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
---
src/libopensc/card-cardos.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 06dd3e3..2d50b8c 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
sc_apdu_t apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
int r;
- const u8 *p = rbuf, *q;
+ const u8 *p = rbuf, *q, *pp;
size_t len, tlen = 0, ilen = 0;
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
return 0;
while (len != 0) {
- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
- if (p == NULL)
+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+ if (pp == NULL)
return 0;
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
if (q == NULL || ilen != 4)
return 0;
if (q[0] == 0x1c)
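Review bot: Keeping `p` at the start of the remaining buffer is only half the story; the code that advances `p` and reduces `len` comes after the visible lines, outside the hunk, so it cannot be checked here that it now steps from `pp + tlen` and subtracts the tag header bytes consumed by sc_asn1_find_tag rather than subtracting `tlen` alone. If the remaining-length arithmetic still uses the old pointer, the loop can read past rbuf exactly as before. A comment at the new declaration would make the intent explicit: `/* pp: tag contents; p stays at the unconsumed start so the left bytes are computed from it */`.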
--
1.8.3.1


@ -0,0 +1,79 @@
From 03cbf91be54e2b54dd87176d1136570610e32f3f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 15 Jan 2021 13:40:34 +0100
Subject: [PATCH] iasecc: Avoid another memory leak
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29456
---
src/libopensc/card-iasecc.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
index d144b69..07a99f8 100644
--- a/src/libopensc/card-iasecc.c
+++ b/src/libopensc/card-iasecc.c
@@ -310,12 +310,14 @@ iasecc_select_mf(struct sc_card *card, struct sc_file **file_out)
mf_file->type = SC_FILE_TYPE_DF;
mf_file->path = path;
- if (card->cache.valid)
- sc_file_free(card->cache.current_df);
+ if (card->cache.valid) {
+ sc_file_free(card->cache.current_df);
+ }
card->cache.current_df = NULL;
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
sc_file_dup(&card->cache.current_df, mf_file);
@@ -1069,25 +1071,23 @@ iasecc_select_file(struct sc_card *card, const struct sc_path *path,
sc_log(ctx, "FileType %i", file->type);
if (file->type == SC_FILE_TYPE_DF) {
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_df);
+ }
card->cache.current_df = NULL;
-
- if (card->cache.valid)
- sc_file_free(card->cache.current_ef);
- card->cache.current_ef = NULL;
-
sc_file_dup(&card->cache.current_df, file);
card->cache.valid = 1;
}
else {
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
sc_file_dup(&card->cache.current_ef, file);
+ card->cache.valid = 1;
}
if (file_out) {
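Review bot: Selecting a DF no longer releases card->cache.current_ef, so an EF cached under the previously selected DF stays in the cache next to the new current_df; if the cache is later consulted to short-circuit a SELECT, that stale EF could be trusted. If dropping the EF reset is intentional (the EF is simply replaced on the next EF select), a comment on the DF branch should say so; otherwise keep `sc_file_free(card->cache.current_ef); card->cache.current_ef = NULL;` in the DF branch alongside the current_df reset. Setting cache.valid = 1 in the EF branch does close the leak caused by the unconditional sc_file_dup. iasecc_select_file continues outside the hunk.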
@@ -1493,8 +1493,9 @@ iasecc_delete_file(struct sc_card *card, const struct sc_path *path)
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(ctx, rv, "Delete file failed");
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
}
--
1.8.3.1


@ -0,0 +1,75 @@
From 251c4f6b7613a9cea421035e5971c793fc30f9e2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:27:21 +0100
Subject: [PATCH] oberthur: Avoid memory leaks
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29998
---
src/libopensc/pkcs15-oberthur.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 576e3cf..fa823be 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -575,7 +575,7 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
struct sc_pkcs15_pubkey_info key_info;
struct sc_pkcs15_object key_obj;
char ch_tmp[0x100];
- unsigned char *info_blob;
+ unsigned char *info_blob = NULL;
size_t len, info_len, offs;
unsigned flags;
int rv;
@@ -592,8 +592,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
/* Flags */
offs = 2;
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
key_info.usage = sc_oberthur_decode_usage(flags);
if (flags & OBERTHUR_ATTR_MODIFIABLE)
@@ -601,8 +603,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
sc_log(ctx, "Public key key-usage:%04X", key_info.usage);
/* Label */
- if (offs + 2 > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (len) {
if (len > sizeof(key_obj.label) - 1)
@@ -612,14 +616,20 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len || len > sizeof(key_info.id.value))
+ if (!len || len > sizeof(key_info.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
+ }
memcpy(key_info.id.value, info_blob + offs + 2, len);
key_info.id.len = len;
+ free(info_blob);
+
/* Ignore Start/End dates */
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
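Review bot: After the final `free(info_blob);` added before the path formatting, info_blob is left dangling for the remainder of sc_pkcs15emu_oberthur_add_pubkey, which continues outside the hunk; any later failure path in this function that releases the blob again would become a double free. Setting `info_blob = NULL;` right after that free makes any later free a no-op and matches the NULL initialization this patch adds at the top of the function.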
--
1.8.3.1


@ -0,0 +1,46 @@
From 17d8980cde7be597afc366b7e311d0d7cadcb1f4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:46:15 +0100
Subject: [PATCH] oberthur: Avoid two buffer overflows
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112
---
src/libopensc/pkcs15-oberthur.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index d3236a9..bf88a06 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -884,12 +884,16 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs = 2;
/* Label */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
}
label = info_blob + offs + 2;
label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + label_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'label' received");
+ }
if (label_len > sizeof(dobj.label) - 1)
label_len = sizeof(dobj.label) - 1;
offs += 2 + *(info_blob + offs + 1);
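Review bot: The new bound check validates label_len using both length bytes, but the advance on the hunk's last line, `offs += 2 + *(info_blob + offs + 1);`, steps by the low byte only, so a label whose high length byte is non-zero desynchronizes the parse of the following 'application' field. The clamp to sizeof(dobj.label) - 1 just above also means label_len cannot simply be substituted into the advance. Saving the raw value, e.g. `size_t raw_len = label_len;` before the clamp and then `offs += 2 + raw_len;`, keeps the advance consistent with the check.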
@@ -906,7 +910,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs > info_len) {
+ if (offs + 1 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
}
--
1.8.3.1


@ -0,0 +1,53 @@
From 1db88374bb7706a115d5c3617c6f16115c33bf27 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Jan 2021 14:20:31 +0100
Subject: [PATCH] oberthur: Correctly check for return values
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
---
src/libopensc/pkcs15-oberthur.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 29aab0b..576e3cf 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -304,7 +304,7 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
if (verify_pin && rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
struct sc_pkcs15_object *objs[0x10], *pin_obj = NULL;
const struct sc_acl_entry *acl = sc_file_get_acl_entry(file, SC_AC_OP_READ);
- int ii;
+ int ii, nobjs;
if (acl == NULL) {
sc_file_free(file);
@@ -313,18 +313,19 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
}
- rv = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
- if (rv != SC_SUCCESS) {
+ nobjs = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
+ if (nobjs < 1) {
sc_file_free(file);
free(*out);
*out = NULL;
- LOG_TEST_RET(ctx, rv, "Cannot read oberthur file: get AUTH objects error");
+ LOG_TEST_RET(ctx, SC_ERROR_DATA_OBJECT_NOT_FOUND,
+ "Cannot read oberthur file: get AUTH objects error");
}
- for (ii=0; ii<rv; ii++) {
+ for (ii = 0; ii < nobjs; ii++) {
struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *) objs[ii]->data;
sc_log(ctx, "compare PIN/ACL refs:%i/%i, method:%i/%i",
- auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
+ auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
if (auth_info->attrs.pin.reference == (int)acl->key_ref && auth_info->auth_method == (unsigned)acl->method) {
pin_obj = objs[ii];
break;
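Review bot: When sc_pkcs15_get_objects() fails with a negative error code, the new `nobjs < 1` branch discards that code and reports SC_ERROR_DATA_OBJECT_NOT_FOUND, so a genuine read or allocation error is logged as if the card simply had no PIN objects. Preserving the original code for the negative case keeps the diagnostic accurate: `LOG_TEST_RET(ctx, nobjs < 0 ? nobjs : SC_ERROR_DATA_OBJECT_NOT_FOUND, "Cannot read oberthur file: get AUTH objects error");`. sc_oberthur_read_file continues outside the hunk.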
--
1.8.3.1


@ -0,0 +1,39 @@
From 715c17c469f6c463dd511a5deb229da4de9ee100 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 17 Mar 2021 20:17:34 +0100
Subject: [PATCH] oberthur: Fix memory leaks
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
---
src/libopensc/pkcs15-oberthur.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 314a7bd..4ba201f 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -211,6 +211,7 @@ sc_oberthur_get_certificate_authority(struct sc_pkcs15_der *der, int *out_author
BIO_set_mem_buf(bio, &buf_mem, BIO_NOCLOSE);
x = d2i_X509_bio(bio, 0);
+ free(buf_mem.data);
BIO_free(bio);
if (!x)
return SC_ERROR_INVALID_DATA;
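Review bot: The added `free(buf_mem.data)` is correct only if buf_mem.data was allocated by this function (a copy of der->value) rather than aliasing der->value itself; how buf_mem is filled lies above the hunk, so that cannot be confirmed here, and with BIO_NOCLOSE the BIO does not release it either way. If it does alias the caller's buffer, this becomes a double free once the caller releases cinfo.value.value, as the second hunk of this patch now does on failure. A comment at the free stating ownership would protect the next maintainer: `/* buf_mem.data is our own copy of the DER, not der->value */`.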
@@ -729,7 +730,10 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
cinfo.value.len = cert_len;
rv = sc_oberthur_get_certificate_authority(&cinfo.value, &cinfo.authority);
- LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+ if (rv != SC_SUCCESS) {
+ free(cinfo.value.value);
+ LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+ }
if (flags & OBERTHUR_ATTR_MODIFIABLE)
cobj.flags |= SC_PKCS15_CO_FLAG_MODIFIABLE;
--
1.8.3.1


@ -0,0 +1,77 @@
From 9c91a4327e6db579f7f964f147fd6e94a0e1b85e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:34:52 +0100
Subject: [PATCH] oberthur: Free another read data on failure paths
---
src/libopensc/pkcs15-oberthur.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index fa823be..d3236a9 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -876,14 +876,18 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add data: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* Label */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
+ }
label = info_blob + offs + 2;
label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (label_len > sizeof(dobj.label) - 1)
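Review bot: The early return for a short blob in sc_pkcs15emu_oberthur_add_data, now wrapped in braces with the added free, still logs "Failed to add certificate: no 'tag'", which misattributes the failure to certificate parsing when reading logs; `LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'tag'");` matches the other messages in this function. The frees added on each visible failure path look complete for the checks shown. The function continues outside the hunk.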
@@ -891,8 +895,10 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + *(info_blob + offs + 1);
/* Application */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
+ }
app = info_blob + offs + 2;
app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (app_len > sizeof(dinfo.app_label) - 1)
@@ -900,13 +906,17 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
+ }
oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (oid_len) {
oid = info_blob + offs + 2;
- if (*oid != 0x06 || (*(oid + 1) != oid_len - 2))
+ if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: invalid 'OID' format");
+ }
oid += 2;
oid_len -= 2;
}
@@ -933,6 +943,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
rv = sc_pkcs15emu_add_data_object(p15card, &dobj, &dinfo);
+ free(info_blob);
LOG_FUNC_RETURN(p15card->card->ctx, rv);
}
--
1.8.3.1


@ -0,0 +1,28 @@
From cae5c71f90cc5b364efe14040923fd5aa3b5dd90 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 6 Apr 2021 12:45:24 +0200
Subject: [PATCH] oberthur: Handle 1B OIDs
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32807
---
src/libopensc/pkcs15-oberthur.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 0ddfc3f..6487656 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -973,7 +973,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
}
- if (oid_len) {
+ if (oid_len > 2) {
oid = info_blob + offs + 2;
if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
free(info_blob);
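Review bot: Changing the guard to `oid_len > 2` avoids reading oid[1] for a one-byte OID field, but for oid_len of 1 or 2 the block is now skipped with oid_len still non-zero and `oid` never assigned; whatever consumes oid/oid_len after this point (outside the hunk) may then use an unset pointer or a length that does not match it. Rejecting such blobs explicitly keeps the two variables consistent: `if (oid_len > 0 && oid_len <= 2) { free(info_blob); LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: 'OID' too short"); }` placed before the existing check. sc_pkcs15emu_oberthur_add_data continues outside the hunk.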
--
1.8.3.1


@ -0,0 +1,199 @@
From 40c50a3a4219308aae90f6efd7b10213794a8d86 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 1 Mar 2021 11:57:06 +0100
Subject: [PATCH] oberthur: Handle more memory issues during initialization
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31540
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31448
---
src/libopensc/pkcs15-oberthur.c | 83 ++++++++++++++++++++++++++++++++---------
1 file changed, 66 insertions(+), 17 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index bf88a06..ebaca47 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -659,7 +659,7 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
struct sc_context *ctx = p15card->card->ctx;
struct sc_pkcs15_cert_info cinfo;
struct sc_pkcs15_object cobj;
- unsigned char *info_blob, *cert_blob;
+ unsigned char *info_blob = NULL, *cert_blob = NULL;
size_t info_len, cert_len, len, offs;
unsigned flags;
int rv;
@@ -675,16 +675,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add certificate: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* Label */
- if (offs + 2 > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'CN'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+ } else if (len) {
if (len > sizeof(cobj.label) - 1)
len = sizeof(cobj.label) - 1;
memcpy(cobj.label, info_blob + offs + 2, len);
@@ -692,14 +699,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len > sizeof(cinfo.id.value))
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+ } else if (len > sizeof(cinfo.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add certificate: invalid 'ID' length");
+ }
memcpy(cinfo.id.value, info_blob + offs + 2, len);
cinfo.id.len = len;
+ free(info_blob);
+
/* Ignore subject, issuer and serial */
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
@@ -784,15 +800,23 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add private key: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* CN */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'CN'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+ }
if (len && !strlen(kobj.label)) {
if (len > sizeof(kobj.label) - 1)
len = sizeof(kobj.label) - 1;
@@ -801,13 +825,21 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len)
+ if (!len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: zero length ID");
- else if (len > sizeof(kinfo.id.value))
+ } else if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+ } else if (len > sizeof(kinfo.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add private key: invalid ID length");
+ }
memcpy(kinfo.id.value, info_blob + offs + 2, len);
kinfo.id.len = len;
offs += 2 + len;
@@ -816,19 +848,28 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
offs += 16;
/* Subject encoded in ASN1 */
- if (offs > info_len)
- return SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ if (offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'subject'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'subject' length");
+ } else if (len) {
kinfo.subject.value = malloc(len);
- if (!kinfo.subject.value)
+ if (!kinfo.subject.value) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Failed to add private key: memory allocation error");
+ }
kinfo.subject.len = len;
memcpy(kinfo.subject.value, info_blob + offs + 2, len);
}
/* Modulus and exponent are ignored */
+ free(info_blob);
+
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PRV, file_id);
sc_format_path(ch_tmp, &kinfo.path);
sc_log(ctx, "Private key info path %s", ch_tmp);
@@ -899,22 +940,30 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + *(info_blob + offs + 1);
/* Application */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
}
app = info_blob + offs + 2;
app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + app_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'application' received");
+ }
if (app_len > sizeof(dinfo.app_label) - 1)
app_len = sizeof(dinfo.app_label) - 1;
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs + 1 > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
}
oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + oid_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
+ }
if (oid_len) {
oid = info_blob + offs + 2;
if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
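Review bot: The new `offs + 2 + app_len > info_len` check is computed with the raw application length, but the clamp to sizeof(dinfo.app_label) - 1 on the following lines shrinks app_len before `offs += 2 + app_len;`, so for an application label longer than the field the OID parse starts inside the application bytes instead of after them. The same clamp-then-advance pattern is visible for the 'CN'/label fields in add_cert and add_prvkey earlier in this patch. Advance by the raw length, e.g. `offs += 2 + raw_app_len;` with `raw_app_len` saved right after app_len is decoded, or clamp only the number of bytes copied rather than the variable used for the advance.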
--
1.8.3.1


@ -0,0 +1,31 @@
From 5d4daf6c92e4668f5458f380f3cacea3e879d91a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 18 Mar 2021 19:48:33 +0100
Subject: [PATCH] oberthur: One more overlooked buffer overflow
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32202
---
src/libopensc/pkcs15-oberthur.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 4ba201f..0ddfc3f 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -609,7 +609,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
}
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (offs + 2 + len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'Label' length");
+ } else if (len) {
if (len > sizeof(key_obj.label) - 1)
len = sizeof(key_obj.label) - 1;
memcpy(key_obj.label, info_blob + offs + 2, len);
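Review bot: The new label-length check returns SC_ERROR_INVALID_DATA, while the equivalent truncated-blob checks added elsewhere in this series ('CN', 'ID', 'subject', 'application', 'oid') return SC_ERROR_UNKNOWN_DATA_RECEIVED, so callers and logs see two different codes for the same class of malformed blob. `LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: invalid 'Label' length");` keeps them consistent. sc_pkcs15emu_oberthur_add_pubkey continues outside the hunk.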
--
1.8.3.1


@ -0,0 +1,34 @@
From 05648b0604bf3e498e8d42dff3c6e7c56a5bf749 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Wed, 17 Mar 2021 18:16:34 +0100
Subject: [PATCH] oberthur: fixed Heap-buffer-overflow
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
---
src/libopensc/pkcs15-oberthur.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index ebaca47..314a7bd 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -616,12 +616,14 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
}
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len || len > sizeof(key_info.id.value)) {
+ if (len == 0
+ || len > sizeof(key_info.id.value)
+ || offs + 2 + len > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
}
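Review bot: The first context line, `offs += 2 + len;`, advances past the label using `len`, which the label block just above this hunk clamps to sizeof(key_obj.label) - 1 before the memcpy (per the neighbouring patch in this series); if the on-card label is longer than that field, the 'ID' length bytes are then read from inside the label data. The new `offs + 2 + len > info_len` condition keeps that read in bounds but cannot make it land on the right field. Advancing by the unclamped length, kept in a second variable saved before the clamp, is the smallest fix.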
--
1.8.3.1


@ -3,7 +3,7 @@
Name: opensc
Version: 0.21.0
Release: 2
Release: 3
License: LGPLv2.1+
Summary: Smart card library and applications
URL: https://github.com/OpenSC/OpenSC/wiki
@ -17,6 +17,19 @@ Obsoletes: coolkey <= 1.1.0-36
Obsoletes: mozilla-opensc-signer < 0.12.0
Obsoletes: opensc-devel < 0.12.0
Patch0: iasecc-Avoid-another-memory-leak.patch
Patch1: card-Correctly-free-pointers-durint-cache-invalidati.patch
Patch2: oberthur-Free-another-read-data-on-failure-paths.patch
Patch3: oberthur-Avoid-two-buffer-overflows.patch
Patch4: oberthur-Handle-more-memory-issues-during-initializa.patch
Patch5: oberthur-Fix-memory-leaks.patch
Patch6: oberthur-Correctly-check-for-return-values.patch
Patch7: oberthur-Avoid-memory-leaks.patch
Patch8: oberthur-fixed-Heap-buffer-overflow.patch
Patch9: oberthur-One-more-overlooked-buffer-overflow.patch
Patch10: cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
Patch11: oberthur-Handle-1B-OIDs.patch
%description
OpenSC provides a set of libraries and utilities to work with smart cards.
Its main focus is on cards that support cryptographic operations, and
@ -134,6 +147,9 @@ make check
%{_datadir}/opensc/
%changelog
* Thu Aug 19 2021 zoulin <zoulin13@huawei.com> - 0.21.0-3
- fix more oss-fuzz
* Thu Mar 18 2021 Hugel <gengqihu1@huawei.com> - 0.21.0-2
- Remove unused file pkcs11-register.desktop