[Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977

[Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977

[Fabrice Fontaine]

A vulnerability was found in OpenSC. This security flaw cause a buffer
overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
attacker can supply a smart card package with malformed ASN1 context.
The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
tags, where remaining length is wrongly caculated due to moved starting
pointer. This leads to possible heap-based buffer oob read. In cases
where ASAN is enabled while compiling this causes a crash. Further info
leak or more damage is possible.

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 ...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++
 package/opensc/opensc.mk                      |  3 ++
 2 files changed, 54 insertions(+)
 create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch

diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
new file mode 100644
index 0000000000..079f960b59
--- /dev/null
+++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
@@ -0,0 +1,51 @@
+From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
++	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)
diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
index 32f0fdaa8b..823bc50102 100644
--- a/package/opensc/opensc.mk
+++ b/package/opensc/opensc.mk
@@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
 OPENSC_INSTALL_STAGING = YES
 OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
 
+# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
+OPENSC_IGNORE_CVES += CVE-2023-2977
+
 $(eval $(autotools-package))
-- 
2.40.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977

[Yann E. MORIN]

Fabrice, All,

On 2023-09-19 22:49 +0200, Fabrice Fontaine spake thusly:
> A vulnerability was found in OpenSC. This security flaw cause a buffer
> overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
> attacker can supply a smart card package with malformed ASN1 context.
> The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
> tags, where remaining length is wrongly caculated due to moved starting
> pointer. This leads to possible heap-based buffer oob read. In cases
> where ASAN is enabled while compiling this causes a crash. Further info
> leak or more damage is possible.
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  ...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++
>  package/opensc/opensc.mk                      |  3 ++
>  2 files changed, 54 insertions(+)
>  create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> 
> diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> new file mode 100644
> index 0000000000..079f960b59
> --- /dev/null
> +++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> @@ -0,0 +1,51 @@
> +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
> +From: fullwaywang <fullwaywang@tencent.com>
> +Date: Mon, 29 May 2023 10:38:48 +0800
> +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
> + overrun bug. Fixes #2785
> +
> +Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a
> +Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
> +---
> + src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
> + 1 file changed, 5 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
> +index 9715cf390f..f41f73c349 100644
> +--- a/src/pkcs15init/pkcs15-cardos.c
> ++++ b/src/pkcs15init/pkcs15-cardos.c
> +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 	sc_apdu_t apdu;
> +         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
> +         int       r;
> +-	const u8  *p = rbuf, *q;
> ++	const u8  *p = rbuf, *q, *pp;
> + 	size_t    len, tlen = 0, ilen = 0;
> + 
> + 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
> +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 		return 0;
> + 
> + 	while (len != 0) {
> +-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> +-		if (p == NULL)
> ++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
> ++		if (pp == NULL)
> + 			return 0;
> + 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
> + 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
> + 			/* and Package Number 0x07					*/
> +-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
> ++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
> + 			if (q == NULL || ilen != 4)
> + 				return 0;
> + 			if (q[0] == 0x07)
> +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
> + 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
> + 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
> + 			/* and Package Number 0x02					*/
> +-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
> ++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
> + 			if (q == NULL || ilen != 4)
> + 				return 0;
> + 			if (q[0] == 0x02)
> diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk
> index 32f0fdaa8b..823bc50102 100644
> --- a/package/opensc/opensc.mk
> +++ b/package/opensc/opensc.mk
> @@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite
>  OPENSC_INSTALL_STAGING = YES
>  OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests
>  
> +# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch
> +OPENSC_IGNORE_CVES += CVE-2023-2977
> +
>  $(eval $(autotools-package))
> -- 
> 2.40.1
> 
> _______________________________________________
> buildroot mailing list
> buildroot@buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/1] package/opensc: fix CVE-2023-2977

[Peter Korsgaard]

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > A vulnerability was found in OpenSC. This security flaw cause a buffer
 > overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The
 > attacker can supply a smart card package with malformed ASN1 context.
 > The cardos_have_verifyrc_package function scans the ASN1 buffer for 2
 > tags, where remaining length is wrongly caculated due to moved starting
 > pointer. This leads to possible heap-based buffer oob read. In cases
 > where ASAN is enabled while compiling this causes a crash. Further info
 > leak or more damage is possible.

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot