Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977

From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977
Date: Wed, 20 Sep 2023 19:42:11 +0200	[thread overview]
Message-ID: <20230920174211.GJ512384@scaer> (raw)
In-Reply-To: <20230919204910.444965-1-fontaine.fabrice@gmail.com>

Fabrice, All,

On 2023-09-19 22:49 +0200, Fabrice Fontaine spake thusly:
> A vulnerability was found in OpenSC. This security flaw cause a buffer
> overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
> attacker can supply a smart card package with malformed ASN1 context.
> The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
> tags, where remaining length is wrongly caculated due to moved starting
> pointer. This leads to possible heap-based buffer oob read. In cases
> where ASAN is enabled while compiling this causes a crash. Further info
> leak or more damage is possible.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++
>  package/opensc/opensc.mk                      |  3 ++
>  2 files changed, 54 insertions(+)
>  create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> 
> diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> new file mode 100644
> index 0000000000..079f960b59
> --- /dev/null
> +++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> @@ -0,0 +1,51 @@
> +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
> +From: fullwaywang <fullwaywang@tencent.com>
> +Date: Mon, 29 May 2023 10:38:48 +0800
> +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
> + overrun bug. Fixes #2785
> +
> +Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
> +index 9715cf390f..f41f73c349 100644
> +--- a/src/pkcs15init/pkcs15-cardos.c
> ++++ b/src/pkcs15init/pkcs15-cardos.c
> +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 	sc_apdu_t apdu;
> +         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
> +         int       r;
> +-	const u8  *p = rbuf, *q;
> ++	const u8  *p = rbuf, *q, *pp;
> + 	size_t    len, tlen = 0, ilen = 0;
> + 
> + 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
> +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 		return 0;
> + 
> + 	while (len != 0) {
> +-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> +-		if (p == NULL)
> ++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> ++		if (pp == NULL)
> + 			return 0;
> + 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
> + 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
> + 			/* and Package Number 0x07					*/
> +-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
> ++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
> + 			if (q == NULL || ilen != 4)
> + 				return 0;
> + 			if (q[0] == 0x07)
> +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
> + 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
> + 			/* and Package Number 0x02					*/
> +-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
> ++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
> + 			if (q == NULL || ilen != 4)
> + 				return 0;
> + 			if (q[0] == 0x02)
> diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
> index 32f0fdaa8b..823bc50102 100644
> --- a/package/opensc/opensc.mk
> +++ b/package/opensc/opensc.mk
> @@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
>  OPENSC_INSTALL_STAGING = YES
>  OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
>  
> +# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> +OPENSC_IGNORE_CVES += CVE-2023-2977
> +
>  $(eval $(autotools-package))
> -- 
> 2.40.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot