
Memory leak #1586

Closed
RootUp opened this issue Jan 20, 2019 · 11 comments

Comments

@RootUp

RootUp commented Jan 20, 2019

Hi Team,

I have built this repo using clang via ASAN; a memory leak was detected in eidenv.c

ASAN

==32025==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 632 byte(s) in 1 object(s) allocated from:
    #0 0x4d28d8 in calloc (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x4d28d8)
    #1 0x7f0bc7ce69df in sc_context_create /home/input0/Desktop/OpenSC/src/libopensc/ctx.c:809:8
    #2 0x50ca93 in main /home/input0/Desktop/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f0bc6be6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x4d28d8 in calloc (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x4d28d8)
    #1 0x7f0bc7da7bf0 in pcsc_init /home/input0/Desktop/OpenSC/src/libopensc/reader-pcsc.c:763:10
    #2 0x50ca93 in main /home/input0/Desktop/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f0bc6be6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4d26d0 in __interceptor_malloc (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x4d26d0)
    #1 0x7f0bc813fd39 in list_init /home/input0/Desktop/OpenSC/src/common/simclist.c:260:43

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4d26d0 in __interceptor_malloc (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x4d26d0)
    #1 0x7f0bc813fb1e in list_init /home/input0/Desktop/OpenSC/src/common/simclist.c:244:47

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4d26d0 in __interceptor_malloc (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x4d26d0)
    #1 0x7f0bc813fafc in list_init /home/input0/Desktop/OpenSC/src/common/simclist.c:243:47

Indirect leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x471c20 in strdup (/home/input0/Desktop/OpenSC/src/tools/.libs/eidenv+0x471c20)
    #1 0x7f0bc7ce6a69 in sc_context_create /home/input0/Desktop/OpenSC/src/libopensc/ctx.c:818:19
    #2 0x50ca93 in main /home/input0/Desktop/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f0bc6be6b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: 951 byte(s) leaked in 6 allocation(s).

eidenv.c

	r = sc_context_create(&ctx, &ctx_param);
	if (r) {
		fprintf(stderr, "Failed to establish context: %s\n",
			sc_strerror(r));
		return 1;
@frankmorgner
Member

sc_context_create should clean up its allocations in case of an error. Please check whether you're using an old version. At best, check what the problem is and make a pull request.

@RootUp
Author

RootUp commented Jan 21, 2019

Will surely have a look and do a PR, but I have used the latest version in this case.
git clone https://github.com/OpenSC/OpenSC

@abergmann

CVE-2019-6502 was assigned to this issue.

@frankmorgner
Member

@RootUp did you make any progress? There is also this issue #1220, that may be related.

@RootUp
Author

RootUp commented Feb 10, 2019

Hi @frankmorgner
Not yet, but it's on my to-do list. Thank you.

@sgayou

sgayou commented Feb 19, 2019

Hi RootUp. Could you please share how you are triggering/reproducing this leak?

@RootUp
Author

RootUp commented Feb 19, 2019

Sure, the steps are below for your reference.

git clone https://github.com/OpenSC/OpenSC.git
./bootstrap
CC=afl-clang-fast CXX=afl-clang-fast++ ASAN_OPTIONS=symbolize=0 AFL_USE_ASAN=1 ./configure
make

@sgayou

sgayou commented Feb 21, 2019

Thanks, that's how to build it, but how do you reliably reproduce the issue?

@RootUp
Author

RootUp commented Feb 23, 2019

Hi @sgayou I can reproduce this issue almost every time.

@sgayou

sgayou commented Mar 1, 2019

Thank you for reporting this, RootUp.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1668933 for more information.

Submitted a pull request 1616 to fix this. The first issue appears to be a failure to sc_release_context when a card reader isn't found. Instead of just returning -1, cleanup needs to occur first.

After that fix, the 632/224 byte leaks are gone, but there are still a few smaller leaks. I believe the secondary leaks are from pcsc-lite and not OpenSC. See this issue: #512

Overall, I don't think the first issue is a security issue at all. The second may be, but it would be a potential denial of service in pcsc-lite instead of OpenSC (although it would impact OpenSC as a consumer of the library). Interestingly, pcsc-lite doesn't have a CVE assigned for that flaw, which seems a bit more credible.

I'd recommend the maintainer REJECT this CVE. Let me know if anyone else has a different opinion on the analysis.

@sgayou

sgayou commented Mar 4, 2019

After that fix, the 632/224 byte leaks are gone, but there are still a few smaller leaks. I believe the secondary leaks are from pcsc-lite and not OpenSC. See this issue: #512

I am now unable to reproduce these "secondary leaks" after testing multiple times. Unclear what I was doing yesterday to cause them, but they're gone now. Tested on versions across various RHEL builds as well as Fedora 29.

Patch still seems correct for initial issue.

frankmorgner pushed a commit that referenced this issue Mar 6, 2019
CVE-2019-6502 was assigned to what appears to be a very minor
memory leak that only occurs on an error-case in a CLI tool.
If util_connect_card fails, we still need to release the sc
context previously allocated by sc_context_create else memory
will leak.