From 3f08f81d78e1a0e27c6c14ccc7de5f37a95842be Mon Sep 17 00:00:00 2001 From: zou_lin77 <422351577@qq.com> Date: Thu, 19 Aug 2021 15:49:49 +0800 Subject: [PATCH] fix more oss-fuzz --- ...ree-pointers-durint-cache-invalidati.patch | 32 +++ ...-calculate-the-left-bytes-to-avoid-b.patch | 43 ++++ iasecc-Avoid-another-memory-leak.patch | 79 +++++++ oberthur-Avoid-memory-leaks.patch | 75 +++++++ oberthur-Avoid-two-buffer-overflows.patch | 46 ++++ oberthur-Fix-memory-leaks.patch | 39 ++++ ...e-another-read-data-on-failure-paths.patch | 77 +++++++ oberthur-Handle-1B-OIDs.patch | 28 +++ ...more-memory-issues-during-initializa.patch | 199 ++++++++++++++++++ ...-One-more-overlooked-buffer-overflow.patch | 31 +++ oberthur-fixed-Heap-buffer-overflow.patch | 34 +++ opensc.spec | 18 +- 12 files changed, 699 insertions(+), 2 deletions(-) create mode 100644 card-Correctly-free-pointers-durint-cache-invalidati.patch create mode 100644 cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch create mode 100644 iasecc-Avoid-another-memory-leak.patch create mode 100644 oberthur-Avoid-memory-leaks.patch create mode 100644 oberthur-Avoid-two-buffer-overflows.patch create mode 100644 oberthur-Fix-memory-leaks.patch create mode 100644 oberthur-Free-another-read-data-on-failure-paths.patch create mode 100644 oberthur-Handle-1B-OIDs.patch create mode 100644 oberthur-Handle-more-memory-issues-during-initializa.patch create mode 100644 oberthur-One-more-overlooked-buffer-overflow.patch create mode 100644 oberthur-fixed-Heap-buffer-overflow.patch diff --git a/card-Correctly-free-pointers-durint-cache-invalidati.patch b/card-Correctly-free-pointers-durint-cache-invalidati.patch new file mode 100644 index 0000000..be7cd4c --- /dev/null +++ b/card-Correctly-free-pointers-durint-cache-invalidati.patch 
@@ -0,0 +1,32 @@
+From 61eb4e487e00ed6758a62f07222488c5ec5fdb42 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Mon, 30 Nov 2020 14:15:59 +0100
+Subject: [PATCH] card: Correctly free pointers durint cache invalidation
+
+As the whole structure is memset(0) on the following line,
+we need to clean the pointers before doing so.
+
+Thanks oss-fuzz
+
+Related to:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27797
+---
+ src/libopensc/card.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card.c b/src/libopensc/card.c
+index 0de8b7e..03c3cc8 100644
+--- a/src/libopensc/card.c
++++ b/src/libopensc/card.c
+@@ -1367,6 +1367,8 @@ scconf_block *sc_get_conf_block(sc_context_t *ctx, const char *name1, const char
+ void sc_invalidate_cache(struct sc_card *card)
+ {
+ if (card) {
++ sc_file_free(card->cache.current_ef);
++ sc_file_free(card->cache.current_df);
+ memset(&card->cache, 0, sizeof(card->cache));
+ card->cache.valid = 0;
+ }
+--
+1.8.3.1
+
diff --git a/cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch b/cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
new file mode 100644
index 0000000..5ad1c02
--- /dev/null
+++ b/cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
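Review bot: sc_invalidate_cache now frees cache.current_ef and cache.current_df unconditionally, whereas the iasecc driver in the companion patch frees the same pointers only when card->cache.valid is set, so the two only agree if every driver keeps those pointers NULL or live while valid is 0; a driver that frees one without nulling it would now double-free here. That invariant is not visible in the hunk and is worth confirming across the other drivers before this lands. A comment above the two new calls would make the ownership explicit, e.g. `/* cache owns current_ef/current_df: they must be NULL or a live sc_file even when cache.valid == 0 */`. The function is complete within the hunk.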
@@ -0,0 +1,43 @@
+From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Thu, 4 Feb 2021 13:11:01 +0100
+Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer
+ overrun
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
+---
+ src/libopensc/card-cardos.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 06dd3e3..2d50b8c 100644
+--- a/src/libopensc/card-cardos.c
++++ b/src/libopensc/card-cardos.c
+@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
+ sc_apdu_t apdu;
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ int r;
+- const u8 *p = rbuf, *q;
++ const u8 *p = rbuf, *q, *pp;
+ size_t len, tlen = 0, ilen = 0;
+ 
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
+ return 0;
+ 
+ while (len != 0) {
+- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+- if (p == NULL)
++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++ if (pp == NULL)
+ return 0;
+- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ if (q == NULL || ilen != 4)
+ return 0;
+ if (q[0] == 0x1c)
+--
+1.8.3.1
+
diff --git a/iasecc-Avoid-another-memory-leak.patch b/iasecc-Avoid-another-memory-leak.patch
new file mode 100644
index 0000000..2708b88
--- /dev/null
+++ b/iasecc-Avoid-another-memory-leak.patch
@@ -0,0 +1,79 @@ +From 03cbf91be54e2b54dd87176d1136570610e32f3f Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Fri, 15 Jan 2021 13:40:34 +0100 +Subject: [PATCH] iasecc: Avoid another memory leak + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29456 +--- + src/libopensc/card-iasecc.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c +index d144b69..07a99f8 100644 +--- a/src/libopensc/card-iasecc.c ++++ b/src/libopensc/card-iasecc.c +@@ -310,12 +310,14 @@ iasecc_select_mf(struct sc_card *card, struct sc_file **file_out) + mf_file->type = SC_FILE_TYPE_DF; + mf_file->path = path; + +- if (card->cache.valid) +- sc_file_free(card->cache.current_df); ++ if (card->cache.valid) { ++ sc_file_free(card->cache.current_df); ++ } + card->cache.current_df = NULL; + +- if (card->cache.valid) ++ if (card->cache.valid) { + sc_file_free(card->cache.current_ef); ++ } + card->cache.current_ef = NULL; + + sc_file_dup(&card->cache.current_df, mf_file); +@@ -1069,25 +1071,23 @@ iasecc_select_file(struct sc_card *card, const struct sc_path *path, + + sc_log(ctx, "FileType %i", file->type); + if (file->type == SC_FILE_TYPE_DF) { +- if (card->cache.valid) ++ if (card->cache.valid) { + sc_file_free(card->cache.current_df); ++ } + card->cache.current_df = NULL; + +- +- if (card->cache.valid) +- sc_file_free(card->cache.current_ef); +- card->cache.current_ef = NULL; +- + sc_file_dup(&card->cache.current_df, file); + card->cache.valid = 1; + } + else { +- if (card->cache.valid) ++ if (card->cache.valid) { + sc_file_free(card->cache.current_ef); ++ } + + card->cache.current_ef = NULL; + + sc_file_dup(&card->cache.current_ef, file); ++ card->cache.valid = 1; + } + + if (file_out) { +@@ -1493,8 +1493,9 @@ iasecc_delete_file(struct sc_card *card, const struct sc_path *path) + rv = sc_check_sw(card, apdu.sw1, apdu.sw2); + LOG_TEST_RET(ctx, rv, "Delete file failed"); 
+ +- if (card->cache.valid) ++ if (card->cache.valid) { + sc_file_free(card->cache.current_ef); ++ } + card->cache.current_ef = NULL; + } + +-- +1.8.3.1 + diff --git a/oberthur-Avoid-memory-leaks.patch b/oberthur-Avoid-memory-leaks.patch new file mode 100644 index 0000000..492dbbc --- /dev/null +++ b/oberthur-Avoid-memory-leaks.patch 
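Review bot: In iasecc_select_file both branches now mark the cache valid right after `sc_file_dup(&card->cache.current_df, file)` / `sc_file_dup(&card->cache.current_ef, file)` without checking that the duplicate was actually created, so if sc_file_dup fails (its failure behaviour is not shown here) the cache ends up flagged valid with a NULL file. Deriving the flag from the pointer avoids that, e.g. `card->cache.valid = (card->cache.current_df != NULL);` in the DF branch and the current_ef equivalent in the EF branch. Separately, the DF branch no longer drops current_ef, so an EF cached under the previous DF stays in the cache after a DF select; if that is intentional a one-line comment saying so would help. iasecc_select_file starts and ends outside the hunk.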
@@ -0,0 +1,75 @@ +From 251c4f6b7613a9cea421035e5971c793fc30f9e2 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 3 Feb 2021 21:27:21 +0100 +Subject: [PATCH] oberthur: Avoid memory leaks + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29998 +--- + src/libopensc/pkcs15-oberthur.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index 576e3cf..fa823be 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -575,7 +575,7 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + struct sc_pkcs15_pubkey_info key_info; + struct sc_pkcs15_object key_obj; + char ch_tmp[0x100]; +- unsigned char *info_blob; ++ unsigned char *info_blob = NULL; + size_t len, info_len, offs; + unsigned flags; + int rv; +@@ -592,8 +592,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + + /* Flags */ + offs = 2; +- if (offs > info_len) ++ if (offs > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'tag'"); ++ } + flags = *(info_blob + 0) * 0x100 + *(info_blob + 1); + key_info.usage = sc_oberthur_decode_usage(flags); + if (flags & OBERTHUR_ATTR_MODIFIABLE) +@@ -601,8 +603,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + sc_log(ctx, "Public key key-usage:%04X", key_info.usage); + + /* Label */ +- if (offs + 2 > info_len) ++ if (offs + 2 > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; + if (len) { + if (len > sizeof(key_obj.label) - 1) +@@ -612,14 +616,20 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + offs += 2 + len; + + /* ID */ +- if (offs > info_len) ++ if (offs > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, 
SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (!len || len > sizeof(key_info.id.value)) ++ if (!len || len > sizeof(key_info.id.value)) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length"); ++ } + memcpy(key_info.id.value, info_blob + offs + 2, len); + key_info.id.len = len; + ++ free(info_blob); ++ + /* Ignore Start/End dates */ + + snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id); +-- +1.8.3.1 + diff --git a/oberthur-Avoid-two-buffer-overflows.patch b/oberthur-Avoid-two-buffer-overflows.patch new file mode 100644 index 0000000..326c77c --- /dev/null +++ b/oberthur-Avoid-two-buffer-overflows.patch 
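Review bot: Each new failure path in sc_pkcs15emu_oberthur_add_pubkey repeats `free(info_blob);` before its LOG_TEST_RET, which is the pattern the later patches in this series had to patch again at the sites that were missed; a single cleanup label makes the ownership of info_blob hard to forget. The early returns would become `rv = SC_ERROR_UNKNOWN_DATA_RECEIVED; goto err;` with `err: free(info_blob); LOG_FUNC_RETURN(ctx, rv);` at the bottom, logging the message with sc_log before the jump. The function continues past the end of the hunk.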
@@ -0,0 +1,46 @@ +From 17d8980cde7be597afc366b7e311d0d7cadcb1f4 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 3 Feb 2021 21:46:15 +0100 +Subject: [PATCH] oberthur: Avoid two buffer overflows + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112 +--- + src/libopensc/pkcs15-oberthur.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index d3236a9..bf88a06 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -884,12 +884,16 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + offs = 2; + + /* Label */ +- if (offs > info_len) { ++ if (offs + 2 > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'"); + } + label = info_blob + offs + 2; + label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; ++ if (offs + 2 + label_len > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'label' received"); ++ } + if (label_len > sizeof(dobj.label) - 1) + label_len = sizeof(dobj.label) - 1; + offs += 2 + *(info_blob + offs + 1); +@@ -906,7 +910,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + offs += 2 + app_len; + + /* OID encode like DER(ASN.1(oid)) */ +- if (offs > info_len) { ++ if (offs + 1 > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'"); + } +-- +1.8.3.1 + diff --git a/oberthur-Fix-memory-leaks.patch b/oberthur-Fix-memory-leaks.patch new file mode 100644 index 0000000..c4d9f79 --- /dev/null +++ b/oberthur-Fix-memory-leaks.patch 
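Review bot: The advance `offs += 2 + *(info_blob + offs + 1);` just below the new label bound check uses only the low byte of the length, while `label_len` two lines above decodes the same field as a 16-bit big-endian value; for a label of 256 bytes or more the 'application' field is then parsed from inside the label. The new `offs + 2 + label_len > info_len` check already guarantees the full field fits, so advancing by the full length is safe: move `offs += 2 + label_len;` above the `if (label_len > sizeof(dobj.label) - 1)` clamp and drop the byte-based advance. sc_pkcs15emu_oberthur_add_data starts and ends outside the hunk.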
@@ -0,0 +1,39 @@ +From 715c17c469f6c463dd511a5deb229da4de9ee100 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 17 Mar 2021 20:17:34 +0100 +Subject: [PATCH] oberthur: Fix memory leaks + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149 +--- + src/libopensc/pkcs15-oberthur.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index 314a7bd..4ba201f 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -211,6 +211,7 @@ sc_oberthur_get_certificate_authority(struct sc_pkcs15_der *der, int *out_author + + BIO_set_mem_buf(bio, &buf_mem, BIO_NOCLOSE); + x = d2i_X509_bio(bio, 0); ++ free(buf_mem.data); + BIO_free(bio); + if (!x) + return SC_ERROR_INVALID_DATA; +@@ -729,7 +730,10 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file + cinfo.value.len = cert_len; + + rv = sc_oberthur_get_certificate_authority(&cinfo.value, &cinfo.authority); +- LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error"); ++ if (rv != SC_SUCCESS) { ++ free(cinfo.value.value); ++ LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error"); ++ } + + if (flags & OBERTHUR_ATTR_MODIFIABLE) + cobj.flags |= SC_PKCS15_CO_FLAG_MODIFIABLE; +-- +1.8.3.1 + diff --git a/oberthur-Free-another-read-data-on-failure-paths.patch b/oberthur-Free-another-read-data-on-failure-paths.patch new file mode 100644 index 0000000..05bc067 --- /dev/null +++ b/oberthur-Free-another-read-data-on-failure-paths.patch 
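Review bot: The added `free(buf_mem.data);` in sc_oberthur_get_certificate_authority is only correct if buf_mem.data is a private copy; its assignment is above the hunk, and if it aliased der->value the caller's new `free(cinfo.value.value)` on the failure path in the second hunk would free the same memory twice. A one-line comment at the free would pin this down, e.g. `/* buf_mem.data is our own copy made above, not der->value */`. Note too that the `x` returned by d2i_X509_bio has to be released with X509_free once it has been inspected, which happens past the hunk. Both functions start and end outside their hunks.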
@@ -0,0 +1,77 @@ +From 9c91a4327e6db579f7f964f147fd6e94a0e1b85e Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Wed, 3 Feb 2021 21:34:52 +0100 +Subject: [PATCH] oberthur: Free another read data on failure paths + +--- + src/libopensc/pkcs15-oberthur.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index fa823be..d3236a9 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -876,14 +876,18 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1); + LOG_TEST_RET(ctx, rv, "Failed to add data: read oberthur file error"); + +- if (info_len < 2) ++ if (info_len < 2) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'"); ++ } + flags = *(info_blob + 0) * 0x100 + *(info_blob + 1); + offs = 2; + + /* Label */ +- if (offs > info_len) ++ if (offs > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'"); ++ } + label = info_blob + offs + 2; + label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; + if (label_len > sizeof(dobj.label) - 1) +@@ -891,8 +895,10 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + offs += 2 + *(info_blob + offs + 1); + + /* Application */ +- if (offs > info_len) ++ if (offs > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'"); ++ } + app = info_blob + offs + 2; + app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; + if (app_len > sizeof(dinfo.app_label) - 1) +@@ -900,13 +906,17 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + offs += 2 + app_len; + + /* OID encode like DER(ASN.1(oid)) */ +- if (offs > info_len) ++ if (offs > info_len) { ++ free(info_blob); + 
LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'"); ++ } + oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; + if (oid_len) { + oid = info_blob + offs + 2; +- if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) ++ if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: invalid 'OID' format"); ++ } + oid += 2; + oid_len -= 2; + } +@@ -933,6 +943,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + + rv = sc_pkcs15emu_add_data_object(p15card, &dobj, &dinfo); + ++ free(info_blob); + LOG_FUNC_RETURN(p15card->card->ctx, rv); + } + +-- +1.8.3.1 + diff --git a/oberthur-Handle-1B-OIDs.patch b/oberthur-Handle-1B-OIDs.patch new file mode 100644 index 0000000..2f8d63b --- /dev/null +++ b/oberthur-Handle-1B-OIDs.patch @@ -0,0 +1,28 @@ +From cae5c71f90cc5b364efe14040923fd5aa3b5dd90 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Tue, 6 Apr 2021 12:45:24 +0200 +Subject: [PATCH] oberthur: Handle 1B OIDs + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32807 +--- + src/libopensc/pkcs15-oberthur.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index 0ddfc3f..6487656 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -973,7 +973,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received"); + } +- if (oid_len) { ++ if (oid_len > 2) { + oid = info_blob + offs + 2; + if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) { + free(info_blob); +-- +1.8.3.1 + diff --git a/oberthur-Handle-more-memory-issues-during-initializa.patch b/oberthur-Handle-more-memory-issues-during-initializa.patch new file mode 100644 index 0000000..d7f6e30 --- /dev/null 
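Review bot: The 'tag' length check at the top of sc_pkcs15emu_oberthur_add_data reports `"Failed to add certificate: no 'tag'"`, a copy of the message from add_cert; in this function it should read `"Failed to add data: no 'tag'"` so the log points at the right parser. Every other message in the hunk already uses the 'Failed to add data:' prefix. The function starts and ends outside the hunk.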
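Review bot: With the condition changed to `oid_len > 2`, an oid_len of 1 or 2 now skips the branch entirely, so `oid` is never assigned for those lengths while `oid_len` keeps a nonzero value; whatever consumes the pair after the hunk must handle that combination, and that code is not visible here. If the intent is that such short values are raw OID bytes without a DER header, an explicit `else if (oid_len) { oid = info_blob + offs + 2; }` would make that readable and keep oid pointing at the data. The function starts and ends outside the hunk.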
+++ b/oberthur-Handle-more-memory-issues-during-initializa.patch 
@@ -0,0 +1,199 @@ +From 40c50a3a4219308aae90f6efd7b10213794a8d86 Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Mon, 1 Mar 2021 11:57:06 +0100 +Subject: [PATCH] oberthur: Handle more memory issues during initialization + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31540 +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31448 +--- + src/libopensc/pkcs15-oberthur.c | 83 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 66 insertions(+), 17 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index bf88a06..ebaca47 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -659,7 +659,7 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file + struct sc_context *ctx = p15card->card->ctx; + struct sc_pkcs15_cert_info cinfo; + struct sc_pkcs15_object cobj; +- unsigned char *info_blob, *cert_blob; ++ unsigned char *info_blob = NULL, *cert_blob = NULL; + size_t info_len, cert_len, len, offs; + unsigned flags; + int rv; +@@ -675,16 +675,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file + rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1); + LOG_TEST_RET(ctx, rv, "Failed to add certificate: read oberthur file error"); + +- if (info_len < 2) ++ if (info_len < 2) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'"); ++ } + flags = *(info_blob + 0) * 0x100 + *(info_blob + 1); + offs = 2; + + /* Label */ +- if (offs + 2 > info_len) ++ if (offs + 2 > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'CN'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (len) { ++ if (len + offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length"); ++ } else if (len) { + if (len > 
sizeof(cobj.label) - 1) + len = sizeof(cobj.label) - 1; + memcpy(cobj.label, info_blob + offs + 2, len); +@@ -692,14 +699,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file + offs += 2 + len; + + /* ID */ +- if (offs > info_len) ++ if (offs + 2 > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'ID'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (len > sizeof(cinfo.id.value)) ++ if (len + offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length"); ++ } else if (len > sizeof(cinfo.id.value)) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add certificate: invalid 'ID' length"); ++ } + memcpy(cinfo.id.value, info_blob + offs + 2, len); + cinfo.id.len = len; + ++ free(info_blob); ++ + /* Ignore subject, issuer and serial */ + + snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id); +@@ -784,15 +800,23 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card, + rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1); + LOG_TEST_RET(ctx, rv, "Failed to add private key: read oberthur file error"); + +- if (info_len < 2) ++ if (info_len < 2) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'tag'"); ++ } + flags = *(info_blob + 0) * 0x100 + *(info_blob + 1); + offs = 2; + + /* CN */ +- if (offs > info_len) ++ if (offs + 2 > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'CN'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; ++ if (len + offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length"); ++ } + if (len && !strlen(kobj.label)) { + if (len > sizeof(kobj.label) - 1) + len = sizeof(kobj.label) - 1; +@@ -801,13 
+825,21 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card, + offs += 2 + len; + + /* ID */ +- if (offs > info_len) ++ if (offs + 2 > info_len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'ID'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (!len) ++ if (!len) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: zero length ID"); +- else if (len > sizeof(kinfo.id.value)) ++ } else if (len + offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length"); ++ } else if (len > sizeof(kinfo.id.value)) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add private key: invalid ID length"); ++ } + memcpy(kinfo.id.value, info_blob + offs + 2, len); + kinfo.id.len = len; + offs += 2 + len; +@@ -816,19 +848,28 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card, + offs += 16; + + /* Subject encoded in ASN1 */ +- if (offs > info_len) +- return SC_ERROR_UNKNOWN_DATA_RECEIVED; ++ if (offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'subject'"); ++ } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (len) { ++ if (len + offs + 2 > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'subject' length"); ++ } else if (len) { + kinfo.subject.value = malloc(len); +- if (!kinfo.subject.value) ++ if (!kinfo.subject.value) { ++ free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Failed to add private key: memory allocation error"); ++ } + kinfo.subject.len = len; + memcpy(kinfo.subject.value, info_blob + offs + 2, len); + } + + /* Modulus and exponent are ignored */ + ++ free(info_blob); ++ + snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PRV, file_id); + sc_format_path(ch_tmp, 
&kinfo.path); + sc_log(ctx, "Private key info path %s", ch_tmp); +@@ -899,22 +940,30 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card, + offs += 2 + *(info_blob + offs + 1); + + /* Application */ +- if (offs > info_len) { ++ if (offs + 2 > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'"); + } + app = info_blob + offs + 2; + app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; ++ if (offs + 2 + app_len > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'application' received"); ++ } + if (app_len > sizeof(dinfo.app_label) - 1) + app_len = sizeof(dinfo.app_label) - 1; + offs += 2 + app_len; + + /* OID encode like DER(ASN.1(oid)) */ +- if (offs + 1 > info_len) { ++ if (offs + 2 > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'"); + } + oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; ++ if (offs + 2 + oid_len > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received"); ++ } + if (oid_len) { + oid = info_blob + offs + 2; + if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) { +-- +1.8.3.1 + diff --git a/oberthur-One-more-overlooked-buffer-overflow.patch b/oberthur-One-more-overlooked-buffer-overflow.patch new file mode 100644 index 0000000..cc74068 --- /dev/null +++ b/oberthur-One-more-overlooked-buffer-overflow.patch 
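Review bot: In the add_data hunk, `offs += 2 + app_len;` runs after `app_len` has been clamped to sizeof(dinfo.app_label) - 1, so for an application label longer than that buffer the OID field is read from inside the label rather than after it; the same pattern is visible in add_cert, where `offs += 2 + len;` follows the cobj.label clamp. The new `offs + 2 + app_len > info_len` and `len + offs + 2 > info_len` checks already prove the unclamped field fits, so the advance should use the raw length: save it before clamping, e.g. `size_t field_len = app_len;`, clamp as now, then `offs += 2 + field_len;`. add_cert, add_prvkey and add_data all start and end outside their hunks.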
@@ -0,0 +1,31 @@ +From 5d4daf6c92e4668f5458f380f3cacea3e879d91a Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 18 Mar 2021 19:48:33 +0100 +Subject: [PATCH] oberthur: One more overlooked buffer overflow + +Thanks oss-fuzz + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32202 +--- + src/libopensc/pkcs15-oberthur.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index 4ba201f..0ddfc3f 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -609,7 +609,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'"); + } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (len) { ++ if (offs + 2 + len > info_len) { ++ free(info_blob); ++ LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'Label' length"); ++ } else if (len) { + if (len > sizeof(key_obj.label) - 1) + len = sizeof(key_obj.label) - 1; + memcpy(key_obj.label, info_blob + offs + 2, len); +-- +1.8.3.1 + diff --git a/oberthur-fixed-Heap-buffer-overflow.patch b/oberthur-fixed-Heap-buffer-overflow.patch new file mode 100644 index 0000000..4fc15d4 --- /dev/null +++ b/oberthur-fixed-Heap-buffer-overflow.patch 
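Review bot: The label clamp `len = sizeof(key_obj.label) - 1;` inside the new else-if still feeds the `offs += 2 + len;` that follows the hunk (it is visible as context in the fixed-Heap-buffer-overflow patch), so a label longer than key_obj.label shifts the 'ID' parse into the label bytes; the new `offs + 2 + len > info_len` check shows the raw length fits, so the advance should use it. Keep a copy before clamping, e.g. `size_t field_len = len;` before the else-if, and advance with `offs += 2 + field_len;`. The new rejection returns SC_ERROR_INVALID_DATA while the equivalent over-long checks in add_cert and add_prvkey return SC_ERROR_UNKNOWN_DATA_RECEIVED; picking one code for this class of input keeps callers' error handling consistent. sc_pkcs15emu_oberthur_add_pubkey starts and ends outside the hunk.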
@@ -0,0 +1,34 @@ +From 05648b0604bf3e498e8d42dff3c6e7c56a5bf749 Mon Sep 17 00:00:00 2001 +From: Frank Morgner +Date: Wed, 17 Mar 2021 18:16:34 +0100 +Subject: [PATCH] oberthur: fixed Heap-buffer-overflow + +fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149 +--- + src/libopensc/pkcs15-oberthur.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c +index ebaca47..314a7bd 100644 +--- a/src/libopensc/pkcs15-oberthur.c ++++ b/src/libopensc/pkcs15-oberthur.c +@@ -616,12 +616,14 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card, + offs += 2 + len; + + /* ID */ +- if (offs > info_len) { ++ if (offs + 2 > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'"); + } + len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100; +- if (!len || len > sizeof(key_info.id.value)) { ++ if (len == 0 ++ || len > sizeof(key_info.id.value) ++ || offs + 2 + len > info_len) { + free(info_blob); + LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length"); + } +-- +1.8.3.1 + diff --git a/opensc.spec b/opensc.spec index bfab478..18cdeb2 100644 --- a/opensc.spec +++ b/opensc.spec @@ -3,7 +3,7 @@ Name: opensc Version: 0.20.0 -Release: 6 +Release: 7 License: LGPLv2.1+ Summary: Smart card library and applications URL: https://github.com/OpenSC/OpenSC/wiki 
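Review bot: The patch description cites oss-fuzz issue 32149, the same id that the separate oberthur-Fix-memory-leaks.patch in this commit cites; that can be right if one fuzzer report covered both the leak and the overflow, but it is worth checking that one of the two references is not a copy-paste slip, since the spec changelog only says 'fix more oss-fuzz' and gives no other trace. The new condition itself covers the three cases that matter before the memcpy: `len == 0`, the key_info.id.value bound, and `offs + 2 + len > info_len`. sc_pkcs15emu_oberthur_add_pubkey starts and ends outside the hunk.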
@@ -13,6 +13,17 @@ Patch0: myeid-fixed-memory-leak.patch
 Patch1: backport-CVE-2020-26570-Heap-buffer-overflow-WRITE.patch
 Patch2: backport-CVE-2020-26571-fixed-invalid-read.patch
 Patch3: backport-CVE-2020-26572-prevent-out-of-bounds-write.patch
+Patch4: iasecc-Avoid-another-memory-leak.patch
+Patch5: card-Correctly-free-pointers-durint-cache-invalidati.patch
+Patch6: oberthur-Free-another-read-data-on-failure-paths.patch
+Patch7: oberthur-Avoid-two-buffer-overflows.patch
+Patch8: oberthur-Handle-more-memory-issues-during-initializa.patch
+Patch9: oberthur-Fix-memory-leaks.patch
+Patch10: oberthur-Avoid-memory-leaks.patch
+Patch11: oberthur-fixed-Heap-buffer-overflow.patch
+Patch12: oberthur-One-more-overlooked-buffer-overflow.patch
+Patch13: cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
+Patch14: oberthur-Handle-1B-OIDs.patch
 
 BuildRequires: openssl-devel pcsc-lite-devel bash-completion docbook-style-xsl readline-devel
 BuildRequires: desktop-file-utils /usr/bin/xsltproc autoconf automake libtool gcc
@@ -136,7 +147,10 @@ make check
 %{_sysconfdir}/xdg/autostart/pkcs11-register.desktop
 
 %changelog
-* Wed Feb 3 2021 Hugel - 0.20.0-6
+* Thu Aug 19 2021 zoulin - 0.20.0-7
+- fix more oss-fuzz
+
+* Wed Feb 3 2021 Hugel - 0.20.0-6
 - fix CVE-2020-26572
 
 * Sat Jan 23 2021 zoulin - 0.20.0-5
-- 
Gitee
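Review bot: The Patch4–Patch14 lines apply the pkcs15-oberthur.c fixes in a different order from upstream: the blob ids in the patch files chain as Avoid-memory-leaks (576e3cf→fa823be) → Free-another-read-data (fa823be→d3236a9) → Avoid-two-buffer-overflows (→bf88a06) → Handle-more-memory-issues (→ebaca47) → fixed-Heap-buffer-overflow (→314a7bd) → Fix-memory-leaks (→4ba201f) → One-more-overlooked (→0ddfc3f) → Handle-1B-OIDs, yet Avoid-memory-leaks is listed as Patch10 and Fix-memory-leaks is applied before fixed-Heap-buffer-overflow. The hunks happen not to overlap, so patch can place them with offsets, but any later backport to this file has to reason about the reordered contexts; listing them in the upstream order keeps application exact. The %prep section is outside the hunk, so whether the patches are applied with fuzz cannot be seen here.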