!32 fix more oss-fuzz

From: @zou_lin77
Reviewed-by: @zhujianwei001
Signed-off-by: @zhujianwei001
openeuler-ci-bot 2021-08-23 01:43:49 +00:00 committed by Gitee
commit e816bcd897
13 changed files with 753 additions and 1 deletions


@ -0,0 +1,32 @@
From 61eb4e487e00ed6758a62f07222488c5ec5fdb42 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 30 Nov 2020 14:15:59 +0100
Subject: [PATCH] card: Correctly free pointers durint cache invalidation
As the whole structure is memset(0) on the following line,
we need to clean the pointers before doing so.
Thanks oss-fuzz
Related to:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27797
---
src/libopensc/card.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/libopensc/card.c b/src/libopensc/card.c
index 0de8b7e..03c3cc8 100644
--- a/src/libopensc/card.c
+++ b/src/libopensc/card.c
@@ -1367,6 +1367,8 @@ scconf_block *sc_get_conf_block(sc_context_t *ctx, const char *name1, const char
void sc_invalidate_cache(struct sc_card *card)
{
if (card) {
+ sc_file_free(card->cache.current_ef);
+ sc_file_free(card->cache.current_df);
memset(&card->cache, 0, sizeof(card->cache));
card->cache.valid = 0;
}
--
1.8.3.1
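Review bot: The two sc_file_free() calls added before the memset release current_ef and current_df unconditionally, while the iasecc patch in this same series only frees them under `if (card->cache.valid)`, so the two sites assume different ownership rules for a cache whose valid flag is clear. If a driver can leave a non-NULL pointer behind with valid == 0, this becomes a double free; if the pointers are always either owned or NULL, the iasecc guards are the odd ones out and should say so. Either way the invariant deserves a comment above the frees, e.g. `/* cache pointers are always owned (or NULL) regardless of cache.valid */`, or the frees should be guarded the same way as in card-iasecc.c. The `card->cache.valid = 0;` after the memset is redundant, though it predates this patch.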


@ -0,0 +1,43 @@
From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 4 Feb 2021 13:11:01 +0100
Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer
overrun
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
---
src/libopensc/card-cardos.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 06dd3e3..2d50b8c 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
sc_apdu_t apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
int r;
- const u8 *p = rbuf, *q;
+ const u8 *p = rbuf, *q, *pp;
size_t len, tlen = 0, ilen = 0;
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
return 0;
while (len != 0) {
- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
- if (p == NULL)
+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+ if (pp == NULL)
return 0;
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
if (q == NULL || ilen != 4)
return 0;
if (q[0] == 0x1c)
--
1.8.3.1
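Review bot: With `p` no longer advanced to the 0xe1 tag, the loop's progress step after `if (q[0] == 0x1c)` (outside the hunk) must now move `p` and shrink `len` using the distance to `pp` plus `tlen`; if it still steps as though `p` pointed at the tag body, the loop would re-find the same tag or step by the wrong amount. The name `pp` also says nothing about its role; `tag` would make the two-level search readable, e.g. `const u8 *p = rbuf, *tag, *q;`. cardos_have_2048bit_package's body continues past the hunk, so the step itself cannot be checked here.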


@ -0,0 +1,79 @@
From 03cbf91be54e2b54dd87176d1136570610e32f3f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 15 Jan 2021 13:40:34 +0100
Subject: [PATCH] iasecc: Avoid another memory leak
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29456
---
src/libopensc/card-iasecc.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
index d144b69..07a99f8 100644
--- a/src/libopensc/card-iasecc.c
+++ b/src/libopensc/card-iasecc.c
@@ -310,12 +310,14 @@ iasecc_select_mf(struct sc_card *card, struct sc_file **file_out)
mf_file->type = SC_FILE_TYPE_DF;
mf_file->path = path;
- if (card->cache.valid)
- sc_file_free(card->cache.current_df);
+ if (card->cache.valid) {
+ sc_file_free(card->cache.current_df);
+ }
card->cache.current_df = NULL;
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
sc_file_dup(&card->cache.current_df, mf_file);
@@ -1069,25 +1071,23 @@ iasecc_select_file(struct sc_card *card, const struct sc_path *path,
sc_log(ctx, "FileType %i", file->type);
if (file->type == SC_FILE_TYPE_DF) {
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_df);
+ }
card->cache.current_df = NULL;
-
- if (card->cache.valid)
- sc_file_free(card->cache.current_ef);
- card->cache.current_ef = NULL;
-
sc_file_dup(&card->cache.current_df, file);
card->cache.valid = 1;
}
else {
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
sc_file_dup(&card->cache.current_ef, file);
+ card->cache.valid = 1;
}
if (file_out) {
@@ -1493,8 +1493,9 @@ iasecc_delete_file(struct sc_card *card, const struct sc_path *path)
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
LOG_TEST_RET(ctx, rv, "Delete file failed");
- if (card->cache.valid)
+ if (card->cache.valid) {
sc_file_free(card->cache.current_ef);
+ }
card->cache.current_ef = NULL;
}
--
1.8.3.1
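Review bot: In the DF branch of the iasecc_select_file hunk the patch drops the release of card->cache.current_ef, so after a DF is selected the cache can still hold an EF that belongs to the previous directory, and code that trusts current_ef alongside current_df may act on a stale file. If this is intentional (the EF is reclaimed on the next EF select, where valid is now set to 1), a one-line comment in that branch would spare the next reader the question, e.g. `/* current_ef is kept; it is freed by the next EF select or by sc_invalidate_cache() */`. The `if (card->cache.valid) { sc_file_free(x); } x = NULL;` pair now appears five times across the three hunks; a small static helper taking the `struct sc_file **` would keep them in step.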


@ -0,0 +1,75 @@
From 251c4f6b7613a9cea421035e5971c793fc30f9e2 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:27:21 +0100
Subject: [PATCH] oberthur: Avoid memory leaks
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29998
---
src/libopensc/pkcs15-oberthur.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 576e3cf..fa823be 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -575,7 +575,7 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
struct sc_pkcs15_pubkey_info key_info;
struct sc_pkcs15_object key_obj;
char ch_tmp[0x100];
- unsigned char *info_blob;
+ unsigned char *info_blob = NULL;
size_t len, info_len, offs;
unsigned flags;
int rv;
@@ -592,8 +592,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
/* Flags */
offs = 2;
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
key_info.usage = sc_oberthur_decode_usage(flags);
if (flags & OBERTHUR_ATTR_MODIFIABLE)
@@ -601,8 +603,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
sc_log(ctx, "Public key key-usage:%04X", key_info.usage);
/* Label */
- if (offs + 2 > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (len) {
if (len > sizeof(key_obj.label) - 1)
@@ -612,14 +616,20 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len || len > sizeof(key_info.id.value))
+ if (!len || len > sizeof(key_info.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
+ }
memcpy(key_info.id.value, info_blob + offs + 2, len);
key_info.id.len = len;
+ free(info_blob);
+
/* Ignore Start/End dates */
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
--
1.8.3.1
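Review bot: The `free(info_blob);` added just before the `/* Ignore Start/End dates */` comment leaves info_blob dangling for the rest of sc_pkcs15emu_oberthur_add_pubkey, which continues past the hunk; the variable was initialised to NULL at the top precisely so that free() is safe on every path, and that property is lost if any later failure path (not visible here) frees it again. Clear it in the same statement, `free(info_blob); info_blob = NULL;`. The five `free(info_blob); LOG_TEST_RET(...)` pairs are the classic case for one `err:` label with goto-based cleanup, which would also have caught the paths this patch had to fix one by one.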


@ -0,0 +1,46 @@
From 17d8980cde7be597afc366b7e311d0d7cadcb1f4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:46:15 +0100
Subject: [PATCH] oberthur: Avoid two buffer overflows
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112
---
src/libopensc/pkcs15-oberthur.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index d3236a9..bf88a06 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -884,12 +884,16 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs = 2;
/* Label */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
}
label = info_blob + offs + 2;
label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + label_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'label' received");
+ }
if (label_len > sizeof(dobj.label) - 1)
label_len = sizeof(dobj.label) - 1;
offs += 2 + *(info_blob + offs + 1);
@@ -906,7 +910,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs > info_len) {
+ if (offs + 1 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
}
--
1.8.3.1
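Review bot: The new `offs + 2 + label_len > info_len` check validates the full 16-bit label_len, but the advance a few lines below, `offs += 2 + *(info_blob + offs + 1);`, steps over only the low byte of that length, so for a label longer than 255 bytes the 'Application' field is then parsed from inside the label; label_len has also been clamped to sizeof(dobj.label) - 1 by that point, so it cannot simply be reused. Keep the raw length in its own variable and advance by it, e.g. `size_t label_raw = label_len;` before the clamp and `offs += 2 + label_raw;` in place of the byte read. The advance is pre-existing code, but the new bound makes the mismatch visible.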


@ -0,0 +1,53 @@
From 1db88374bb7706a115d5c3617c6f16115c33bf27 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Jan 2021 14:20:31 +0100
Subject: [PATCH] oberthur: Correctly check for return values
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
---
src/libopensc/pkcs15-oberthur.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 29aab0b..576e3cf 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -304,7 +304,7 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
if (verify_pin && rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED) {
struct sc_pkcs15_object *objs[0x10], *pin_obj = NULL;
const struct sc_acl_entry *acl = sc_file_get_acl_entry(file, SC_AC_OP_READ);
- int ii;
+ int ii, nobjs;
if (acl == NULL) {
sc_file_free(file);
@@ -313,18 +313,19 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
}
- rv = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
- if (rv != SC_SUCCESS) {
+ nobjs = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
+ if (nobjs < 1) {
sc_file_free(file);
free(*out);
*out = NULL;
- LOG_TEST_RET(ctx, rv, "Cannot read oberthur file: get AUTH objects error");
+ LOG_TEST_RET(ctx, SC_ERROR_DATA_OBJECT_NOT_FOUND,
+ "Cannot read oberthur file: get AUTH objects error");
}
- for (ii=0; ii<rv; ii++) {
+ for (ii = 0; ii < nobjs; ii++) {
struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *) objs[ii]->data;
sc_log(ctx, "compare PIN/ACL refs:%i/%i, method:%i/%i",
- auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
+ auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
if (auth_info->attrs.pin.reference == (int)acl->key_ref && auth_info->auth_method == (unsigned)acl->method) {
pin_obj = objs[ii];
break;
--
1.8.3.1
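Review bot: Mapping every `nobjs < 1` result to SC_ERROR_DATA_OBJECT_NOT_FOUND discards the error code when sc_pkcs15_get_objects() itself fails, which the old `rv != SC_SUCCESS` test preserved. Keeping the negative value is a one-line change: `LOG_TEST_RET(ctx, nobjs < 0 ? nobjs : SC_ERROR_DATA_OBJECT_NOT_FOUND, "Cannot read oberthur file: get AUTH objects error");`. Introducing a separate `nobjs` is otherwise the right fix, since `rv` is still the read status tested by the enclosing `if`.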


@ -0,0 +1,39 @@
From 715c17c469f6c463dd511a5deb229da4de9ee100 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 17 Mar 2021 20:17:34 +0100
Subject: [PATCH] oberthur: Fix memory leaks
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
---
src/libopensc/pkcs15-oberthur.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 314a7bd..4ba201f 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -211,6 +211,7 @@ sc_oberthur_get_certificate_authority(struct sc_pkcs15_der *der, int *out_author
BIO_set_mem_buf(bio, &buf_mem, BIO_NOCLOSE);
x = d2i_X509_bio(bio, 0);
+ free(buf_mem.data);
BIO_free(bio);
if (!x)
return SC_ERROR_INVALID_DATA;
@@ -729,7 +730,10 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
cinfo.value.len = cert_len;
rv = sc_oberthur_get_certificate_authority(&cinfo.value, &cinfo.authority);
- LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+ if (rv != SC_SUCCESS) {
+ free(cinfo.value.value);
+ LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+ }
if (flags & OBERTHUR_ATTR_MODIFIABLE)
cobj.flags |= SC_PKCS15_CO_FLAG_MODIFIABLE;
--
1.8.3.1
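Review bot: The new `free(buf_mem.data);` in sc_oberthur_get_certificate_authority is correct only if buf_mem.data is a private copy allocated earlier in the function, which is outside the hunk; BIO_NOCLOSE means the BIO does not own the buffer, but if it aliased der->value the caller would free the same memory again. A comment at the free would pin this down, e.g. `/* buf_mem.data was allocated above; BIO_NOCLOSE leaves it ours to free */`. In the add_cert hunk the failure path frees cinfo.value.value, but nothing states who owns that buffer once sc_oberthur_get_certificate_authority succeeds; a short ownership comment there would help too.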


@ -0,0 +1,77 @@
From 9c91a4327e6db579f7f964f147fd6e94a0e1b85e Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:34:52 +0100
Subject: [PATCH] oberthur: Free another read data on failure paths
---
src/libopensc/pkcs15-oberthur.c | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index fa823be..d3236a9 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -876,14 +876,18 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add data: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* Label */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
+ }
label = info_blob + offs + 2;
label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (label_len > sizeof(dobj.label) - 1)
@@ -891,8 +895,10 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + *(info_blob + offs + 1);
/* Application */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
+ }
app = info_blob + offs + 2;
app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (app_len > sizeof(dinfo.app_label) - 1)
@@ -900,13 +906,17 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs > info_len)
+ if (offs > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
+ }
oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
if (oid_len) {
oid = info_blob + offs + 2;
- if (*oid != 0x06 || (*(oid + 1) != oid_len - 2))
+ if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: invalid 'OID' format");
+ }
oid += 2;
oid_len -= 2;
}
@@ -933,6 +943,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
rv = sc_pkcs15emu_add_data_object(p15card, &dobj, &dinfo);
+ free(info_blob);
LOG_FUNC_RETURN(p15card->card->ctx, rv);
}
--
1.8.3.1
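Review bot: The final `free(info_blob);` is placed after sc_pkcs15emu_add_data_object(), which is right only if that call copies what `label`, `app` and `oid` point at — all three alias info_blob — rather than retaining the pointers; a comment such as `/* label/app/oid point into info_blob; add_data_object must copy, not keep, them */` would record the assumption. The six `free(info_blob); LOG_TEST_RET(...)` pairs in this function would collapse to one `goto err;` cleanup label. Packaging note: this patch's index line (`fa823be..d3236a9`) shows it was generated on top of the 'oberthur: Avoid memory leaks' patch (`576e3cf..fa823be`), so it must be applied after that one, whereas the spec lists it as Patch2 ahead of Patch7.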


@ -0,0 +1,28 @@
From cae5c71f90cc5b364efe14040923fd5aa3b5dd90 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 6 Apr 2021 12:45:24 +0200
Subject: [PATCH] oberthur: Handle 1B OIDs
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32807
---
src/libopensc/pkcs15-oberthur.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 0ddfc3f..6487656 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -973,7 +973,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
}
- if (oid_len) {
+ if (oid_len > 2) {
oid = info_blob + offs + 2;
if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
free(info_blob);
--
1.8.3.1
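Review bot: Changing the guard to `oid_len > 2` skips the DER tag/length check for an oid_len of 1 or 2, but the hunk does not show what the code after the `if` (outside it) does with `oid` and `oid_len` in that case; if those values still reach the data object, a one- or two-byte 'OID' is now accepted unvalidated rather than rejected. Either reject such lengths explicitly, `if (oid_len > 0 && oid_len <= 2) { free(info_blob); LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'oid' length"); }`, or add a comment stating that they are deliberately treated as "no OID". sc_pkcs15emu_oberthur_add_data continues past the hunk.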


@ -0,0 +1,199 @@
From 40c50a3a4219308aae90f6efd7b10213794a8d86 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 1 Mar 2021 11:57:06 +0100
Subject: [PATCH] oberthur: Handle more memory issues during initialization
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31540
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31448
---
src/libopensc/pkcs15-oberthur.c | 83 ++++++++++++++++++++++++++++++++---------
1 file changed, 66 insertions(+), 17 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index bf88a06..ebaca47 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -659,7 +659,7 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
struct sc_context *ctx = p15card->card->ctx;
struct sc_pkcs15_cert_info cinfo;
struct sc_pkcs15_object cobj;
- unsigned char *info_blob, *cert_blob;
+ unsigned char *info_blob = NULL, *cert_blob = NULL;
size_t info_len, cert_len, len, offs;
unsigned flags;
int rv;
@@ -675,16 +675,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add certificate: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* Label */
- if (offs + 2 > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'CN'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+ } else if (len) {
if (len > sizeof(cobj.label) - 1)
len = sizeof(cobj.label) - 1;
memcpy(cobj.label, info_blob + offs + 2, len);
@@ -692,14 +699,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len > sizeof(cinfo.id.value))
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+ } else if (len > sizeof(cinfo.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add certificate: invalid 'ID' length");
+ }
memcpy(cinfo.id.value, info_blob + offs + 2, len);
cinfo.id.len = len;
+ free(info_blob);
+
/* Ignore subject, issuer and serial */
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
@@ -784,15 +800,23 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
LOG_TEST_RET(ctx, rv, "Failed to add private key: read oberthur file error");
- if (info_len < 2)
+ if (info_len < 2) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'tag'");
+ }
flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
offs = 2;
/* CN */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'CN'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+ }
if (len && !strlen(kobj.label)) {
if (len > sizeof(kobj.label) - 1)
len = sizeof(kobj.label) - 1;
@@ -801,13 +825,21 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len)
+ if (offs + 2 > info_len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'ID'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len)
+ if (!len) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: zero length ID");
- else if (len > sizeof(kinfo.id.value))
+ } else if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+ } else if (len > sizeof(kinfo.id.value)) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add private key: invalid ID length");
+ }
memcpy(kinfo.id.value, info_blob + offs + 2, len);
kinfo.id.len = len;
offs += 2 + len;
@@ -816,19 +848,28 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
offs += 16;
/* Subject encoded in ASN1 */
- if (offs > info_len)
- return SC_ERROR_UNKNOWN_DATA_RECEIVED;
+ if (offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'subject'");
+ }
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (len + offs + 2 > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'subject' length");
+ } else if (len) {
kinfo.subject.value = malloc(len);
- if (!kinfo.subject.value)
+ if (!kinfo.subject.value) {
+ free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Failed to add private key: memory allocation error");
+ }
kinfo.subject.len = len;
memcpy(kinfo.subject.value, info_blob + offs + 2, len);
}
/* Modulus and exponent are ignored */
+ free(info_blob);
+
snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PRV, file_id);
sc_format_path(ch_tmp, &kinfo.path);
sc_log(ctx, "Private key info path %s", ch_tmp);
@@ -899,22 +940,30 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
offs += 2 + *(info_blob + offs + 1);
/* Application */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
}
app = info_blob + offs + 2;
app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + app_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'application' received");
+ }
if (app_len > sizeof(dinfo.app_label) - 1)
app_len = sizeof(dinfo.app_label) - 1;
offs += 2 + app_len;
/* OID encode like DER(ASN.1(oid)) */
- if (offs + 1 > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
}
oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ if (offs + 2 + oid_len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
+ }
if (oid_len) {
oid = info_blob + offs + 2;
if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
--
1.8.3.1
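Review bot: In the add_data hunk the new `offs + 2 + app_len > info_len` bound is evaluated on the raw app_len, but app_len is then clamped to sizeof(dinfo.app_label) - 1 and `offs += 2 + app_len;` advances by the clamped value, so an application label longer than the field shifts the following OID parse into the middle of that label; the same clamp-then-advance sits under the new 'CN' checks in add_cert and add_prvkey (`offs += 2 + len;`). Keep the raw length for the advance, e.g. `size_t app_raw = app_len;` before the clamp and `offs += 2 + app_raw;`. Separately, the bound is spelled `len + offs + 2 > info_len` in add_cert/add_prvkey and `offs + 2 + len > info_len` in add_data; one form would make the next audit easier. All four functions continue past their hunks.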


@ -0,0 +1,31 @@
From 5d4daf6c92e4668f5458f380f3cacea3e879d91a Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 18 Mar 2021 19:48:33 +0100
Subject: [PATCH] oberthur: One more overlooked buffer overflow
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32202
---
src/libopensc/pkcs15-oberthur.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index 4ba201f..0ddfc3f 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -609,7 +609,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
}
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (len) {
+ if (offs + 2 + len > info_len) {
+ free(info_blob);
+ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'Label' length");
+ } else if (len) {
if (len > sizeof(key_obj.label) - 1)
len = sizeof(key_obj.label) - 1;
memcpy(key_obj.label, info_blob + offs + 2, len);
--
1.8.3.1
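Review bot: The new 'Label' length check returns SC_ERROR_INVALID_DATA, while the equivalent 'CN', 'ID', 'subject', 'label' and 'application' length checks added by the other patches in this series return SC_ERROR_UNKNOWN_DATA_RECEIVED, so a truncated blob is reported differently depending on which field is short. Unless the distinction is deliberate, `LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: invalid 'Label' length");` would match them. The bound itself, checked before the clamp to sizeof(key_obj.label) - 1, is the right order.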


@ -0,0 +1,34 @@
From 05648b0604bf3e498e8d42dff3c6e7c56a5bf749 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Wed, 17 Mar 2021 18:16:34 +0100
Subject: [PATCH] oberthur: fixed Heap-buffer-overflow
fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
---
src/libopensc/pkcs15-oberthur.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index ebaca47..314a7bd 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -616,12 +616,14 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
offs += 2 + len;
/* ID */
- if (offs > info_len) {
+ if (offs + 2 > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
}
len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
- if (!len || len > sizeof(key_info.id.value)) {
+ if (len == 0
+ || len > sizeof(key_info.id.value)
+ || offs + 2 + len > info_len) {
free(info_blob);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
}
--
1.8.3.1
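Review bot: This patch cites oss-fuzz issue 32149 as fixed, and the 'oberthur: Fix memory leaks' patch in the same series cites the same issue; their index lines chain directly (`ebaca47..314a7bd` here, `314a7bd..4ba201f` there), so they appear to be two halves of one fix and are worth keeping together, which a short note in the changelog entry would secure. On the code, the `len == 0` case returns SC_ERROR_INVALID_DATA whereas add_prvkey reports a zero-length ID as SC_ERROR_UNKNOWN_DATA_RECEIVED; aligning the two is a one-token change.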


@ -3,7 +3,7 @@
Name: opensc Name: opensc
Version: 0.21.0 Version: 0.21.0
Release: 2 Release: 3
License: LGPLv2.1+ License: LGPLv2.1+
Summary: Smart card library and applications Summary: Smart card library and applications
URL: https://github.com/OpenSC/OpenSC/wiki URL: https://github.com/OpenSC/OpenSC/wiki
@ -17,6 +17,19 @@ Obsoletes: coolkey <= 1.1.0-36
Obsoletes: mozilla-opensc-signer < 0.12.0 Obsoletes: mozilla-opensc-signer < 0.12.0
Obsoletes: opensc-devel < 0.12.0 Obsoletes: opensc-devel < 0.12.0
Patch0: iasecc-Avoid-another-memory-leak.patch
Patch1: card-Correctly-free-pointers-durint-cache-invalidati.patch
Patch2: oberthur-Free-another-read-data-on-failure-paths.patch
Patch3: oberthur-Avoid-two-buffer-overflows.patch
Patch4: oberthur-Handle-more-memory-issues-during-initializa.patch
Patch5: oberthur-Fix-memory-leaks.patch
Patch6: oberthur-Correctly-check-for-return-values.patch
Patch7: oberthur-Avoid-memory-leaks.patch
Patch8: oberthur-fixed-Heap-buffer-overflow.patch
Patch9: oberthur-One-more-overlooked-buffer-overflow.patch
Patch10: cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
Patch11: oberthur-Handle-1B-OIDs.patch
%description %description
OpenSC provides a set of libraries and utilities to work with smart cards. OpenSC provides a set of libraries and utilities to work with smart cards.
Its main focus is on cards that support cryptographic operations, and Its main focus is on cards that support cryptographic operations, and
@ -134,6 +147,9 @@ make check
%{_datadir}/opensc/ %{_datadir}/opensc/
%changelog %changelog
* Thu Aug 19 2021 zoulin <zoulin13@huawei.com> - 0.21.0-3
- fix more oss-fuzz
* Thu Mar 18 2021 Hugel <gengqihu1@huawei.com> - 0.21.0-2 * Thu Mar 18 2021 Hugel <gengqihu1@huawei.com> - 0.21.0-2
- Remove unused file pkcs11-register.desktop - Remove unused file pkcs11-register.desktop