From 9c4c3c4c9c0f4e1bf8b98e6465832c05d85317c2 Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Tue, 19 Sep 2023 22:49:10 +0200 Subject: [PATCH] package/opensc: fix CVE-2023-2977 A vulnerability was found in OpenSC. This security flaw cause a buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package. The attacker can supply a smart card package with malformed ASN1 context. The cardos_have_verifyrc_package function scans the ASN1 buffer for 2 tags, where remaining length is wrongly caculated due to moved starting pointer. This leads to possible heap-based buffer oob read. In cases where ASAN is enabled while compiling this causes a crash. Further info leak or more damage is possible. Signed-off-by: Fabrice Fontaine Signed-off-by: Yann E. MORIN --- ...alculation-to-fix-buffer-overrun-bug.patch | 51 +++++++++++++++++++ package/opensc/opensc.mk | 3 ++ 2 files changed, 54 insertions(+) create mode 100644 package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch diff --git a/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch new file mode 100644 index 0000000000..079f960b59 --- /dev/null +++ b/package/opensc/0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch @@ -0,0 +1,51 @@ +From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001 +From: fullwaywang +Date: Mon, 29 May 2023 10:38:48 +0800 +Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer + overrun bug. Fixes #2785 + +Upstream: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a +Signed-off-by: Fabrice Fontaine +--- + src/pkcs15init/pkcs15-cardos.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c +index 9715cf390f..f41f73c349 100644 +--- a/src/pkcs15init/pkcs15-cardos.c ++++ b/src/pkcs15init/pkcs15-cardos.c +@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + sc_apdu_t apdu; + u8 rbuf[SC_MAX_APDU_BUFFER_SIZE]; + int r; +- const u8 *p = rbuf, *q; ++ const u8 *p = rbuf, *q, *pp; + size_t len, tlen = 0, ilen = 0; + + sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88); +@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + return 0; + + while (len != 0) { +- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); +- if (p == NULL) ++ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen); ++ if (pp == NULL) + return 0; + if (card->type == SC_CARD_TYPE_CARDOS_M4_3) { + /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */ + /* and Package Number 0x07 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x07) +@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card) + } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4) { + /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03 */ + /* and Package Number 0x02 */ +- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen); ++ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen); + if (q == NULL || ilen != 4) + return 0; + if (q[0] == 0x02) diff --git a/package/opensc/opensc.mk b/package/opensc/opensc.mk index 32f0fdaa8b..823bc50102 100644 --- a/package/opensc/opensc.mk +++ b/package/opensc/opensc.mk @@ -15,4 +15,7 @@ OPENSC_DEPENDENCIES = openssl pcsc-lite OPENSC_INSTALL_STAGING = YES OPENSC_CONF_OPTS = --disable-cmocka --disable-strict --disable-tests +# 0004-pkcs15init-correct-left-length-calculation-to-fix-buffer-overrun-bug.patch +OPENSC_IGNORE_CVES += CVE-2023-2977 + $(eval $(autotools-package))