File opensc-CVE-2024-45616.patch of Package opensc.35665
commit 1d3b410e06d33cfc4c70e8a25386e456cfbd7bd1
Author: Veronika HanulĂková <vhanulik@redhat.com>
Date: Thu Jul 11 15:27:19 2024 +0200
cardos: Fix uninitialized values
Thanks Matteo Marini for report
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
fuzz_card/2
Index: opensc-0.13.0/src/libopensc/card-cardos.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/card-cardos.c
+++ opensc-0.13.0/src/libopensc/card-cardos.c
@@ -59,14 +59,14 @@ static struct sc_atr_table cardos_atrs[]
static int cardos_match_card(sc_card_t *card)
{
- unsigned char atr[SC_MAX_ATR_SIZE];
+ unsigned char atr[SC_MAX_ATR_SIZE] = {0};
int i;
i = _sc_match_atr(card, cardos_atrs, &card->type);
if (i < 0)
return 0;
- memcpy(atr, card->atr.value, sizeof(atr));
+ memcpy(atr, card->atr.value, card->atr.len);
/* Do not change card type for CIE! */
if (card->type == SC_CARD_TYPE_CARDOS_CIE_V1)
@@ -75,8 +75,8 @@ static int cardos_match_card(sc_card_t *
return 1;
if (card->type == SC_CARD_TYPE_CARDOS_M4_2) {
int rv;
- sc_apdu_t apdu;
- u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
+ sc_apdu_t apdu = {0};
+ u8 rbuf[SC_MAX_APDU_BUFFER_SIZE] = {0};
/* first check some additional ATR bytes */
if ((atr[4] != 0xff && atr[4] != 0x02) ||
(atr[6] != 0x10 && atr[6] != 0x0a) ||
@@ -92,7 +92,7 @@ static int cardos_match_card(sc_card_t *
apdu.lc = 0;
rv = sc_transmit_apdu(card, &apdu);
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, rv, "APDU transmit failed");
- if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00)
+ if (apdu.sw1 != 0x90 || apdu.sw2 != 0x00 || apdu.resplen < 2)
return 0;
if (apdu.resp[0] != atr[10] ||
apdu.resp[1] != atr[11])
Index: opensc-0.13.0/src/libopensc/card-oberthur.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/card-oberthur.c
+++ opensc-0.13.0/src/libopensc/card-oberthur.c
@@ -153,7 +153,7 @@ auth_select_aid(struct sc_card *card)
{
struct sc_apdu apdu;
unsigned char apdu_resp[SC_MAX_APDU_BUFFER_SIZE];
- struct auth_private_data *data = (struct auth_private_data *) card->drv_data;
+ struct auth_private_data *data = (struct auth_private_data *)card->drv_data;
int rv, ii;
unsigned char cm[7] = {0xA0,0x00,0x00,0x00,0x03,0x00,0x00};
struct sc_path tmp_path;
@@ -179,6 +179,9 @@ auth_select_aid(struct sc_card *card)
rv = sc_transmit_apdu(card, &apdu);
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, rv, "APDU transmit failed");
+ if (apdu.resplen < 20) {
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Serial number has incorrect length");
+ }
card->serialnr.len = 4;
memcpy(card->serialnr.value, apdu.resp+15, 4);
Index: opensc-0.13.0/src/libopensc/card-mcrd.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/card-mcrd.c
+++ opensc-0.13.0/src/libopensc/card-mcrd.c
@@ -767,10 +767,12 @@ do_select(sc_card_t * card, u8 kind,
}
}
- if (p2 == 0x04 && apdu.resp[0] == 0x62) {
+ if (p2 == 0x04 && apdu.resplen > 2 && apdu.resp[0] == 0x62) {
*file = sc_file_new();
if (!*file)
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
+ if (apdu.resp[1] > apdu.resplen - 2)
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_INVALID_DATA);
/* EstEID v3.0 cards are buggy and sometimes return a double 0x62 tag */
if (card->type == SC_CARD_TYPE_MCRD_ESTEID_V30 && apdu.resp[2] == 0x62)
process_fcp(card, *file, apdu.resp + 4, apdu.resp[3]);
Index: opensc-0.13.0/src/libopensc/asn1.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/asn1.c
+++ opensc-0.13.0/src/libopensc/asn1.c
@@ -62,7 +62,7 @@ int sc_asn1_read_tag(const u8 ** buf, si
size_t left = buflen, len;
unsigned int cla, tag, i;
- if (left < 2)
+ if (left == 0 || !p || buflen == 0)
return SC_ERROR_INVALID_ASN1_OBJECT;
*buf = NULL;
if (*p == 0xff || *p == 0)
@@ -71,6 +71,8 @@ int sc_asn1_read_tag(const u8 ** buf, si
/* parse tag byte(s) */
cla = (*p & SC_ASN1_TAG_CLASS) | (*p & SC_ASN1_TAG_CONSTRUCTED);
tag = *p & SC_ASN1_TAG_PRIMITIVE;
+ if (left < 1)
+ return SC_ERROR_INVALID_ASN1_OBJECT;
p++;
left--;
if (tag == SC_ASN1_TAG_PRIMITIVE) {
Index: opensc-0.13.0/src/libopensc/muscle.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/muscle.c
+++ opensc-0.13.0/src/libopensc/muscle.c
@@ -89,7 +89,7 @@ int msc_partial_read_object(sc_card_t *c
apdu.resp = data;
r = sc_transmit_apdu(card, &apdu);
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
- if(apdu.sw1 == 0x90 && apdu.sw2 == 0x00)
+ if (apdu.sw1 == 0x90 && apdu.sw2 == 0x00 && dataLength <= apdu.resplen)
return dataLength;
if(apdu.sw1 == 0x9C) {
if(apdu.sw2 == 0x07) {
@@ -103,19 +103,22 @@ int msc_partial_read_object(sc_card_t *c
}
sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
"got strange SWs: 0x%02X 0x%02X\n", apdu.sw1, apdu.sw2);
- return dataLength;
+ SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_UNKNOWN_DATA_RECEIVED);
}
int msc_read_object(sc_card_t *card, msc_id objectId, int offset, u8 *data, size_t dataLength)
{
- int r;
+ int r = 0;
size_t i;
size_t max_read_unit = MSC_MAX_READ;
- for(i = 0; i < dataLength; i += max_read_unit) {
+ for(i = 0; i < dataLength; i += r) {
r = msc_partial_read_object(card, objectId, offset + i, data + i, MIN(dataLength - i, max_read_unit));
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "Error in partial object read");
+ if (r==0)
+ break;
+
}
return dataLength;
}
Index: opensc-0.13.0/src/libopensc/card-entersafe.c
===================================================================
--- opensc-0.13.0.orig/src/libopensc/card-entersafe.c
+++ opensc-0.13.0/src/libopensc/card-entersafe.c
@@ -1369,6 +1369,9 @@ static int entersafe_get_serialnr(sc_car
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit failed");
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, sc_check_sw(card,apdu.sw1,apdu.sw2),"EnterSafe get SN failed");
+ if (apdu.resplen != 8)
+ LOG_TEST_RET(card->ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of SN");
+
card->serialnr.len=serial->len=8;
memcpy(card->serialnr.value,rbuf,8);
memcpy(serial->value,rbuf,8);
