
pkcs15-init segfaults with a very long --label #2398

Closed
muks opened this issue Aug 27, 2021 · 8 comments

@muks

muks commented Aug 27, 2021

Problem Description

I'm using opensc-0.21.0-4.fc34.x86_64 on Fedora 34.

The following command segfaults:

$ pkcs15-init -E
Using reader with a card: FT ePass2003Auto 00 00
$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 12345678 --puk 12345678 --label "A very long label for the token, really long."
Using reader with a card: FT ePass2003Auto 00 00
Failed to create PKCS #15 meta structure: Wrong length
Segmentation fault (core dumped)
$ 

Proposed Resolution

pkcs15-init should not segfault.

Steps to reproduce

Run the above commands.

Backtrace from the core

(gdb) bt full
#0  0x00007f8e60ada789 in free () from /lib64/libc.so.6
No symbol table info available.
#1  0x00007f8e60f5c010 in sc_free_apps (card=0x55ddeaa31790) at /usr/src/debug/opensc-0.21.0-4.fc34.x86_64/src/libopensc/dir.c:269
        i = 0
#2  0x00007f8e60f5a15c in sc_card_free (card=0x55ddeaa31790) at /usr/src/debug/opensc-0.21.0-4.fc34.x86_64/src/libopensc/card.c:157
        __FUNCTION__ = "sc_card_free"
#3  0x00007f8e60f5a348 in sc_disconnect_card (card=0x55ddeaa31790) at /usr/src/debug/opensc-0.21.0-4.fc34.x86_64/src/libopensc/card.c:435
        ctx = 0x55ddeaa2ca50
        __FUNCTION__ = "sc_disconnect_card"
#4  0x000055dde904bf4d in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/opensc-0.21.0-4.fc34.x86_64/src/tools/pkcs15-init.c:642
        profile = 0x55ddeaa2d9e0
        n = <optimized out>
        r = -1206
(gdb) 
@dengert
Member

dengert commented Aug 27, 2021

Can you run this as:
OPENSC_DEBUG=7 pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 12345678 --puk 12345678 --label "A very long label for the token, really long."

From the message "Failed to create PKCS #15 meta structure: Wrong length" it is not clear where the test of a length is being done, or what is being tested. The log would help show where the message was being produced.

The failure is while cleaning up and free(apps->label) is most likely a double free or uninitialized pointer.

@muks
Author

muks commented Aug 27, 2021

Output of above, piped to file: pkcs15-init.log

@dengert
Member

dengert commented Aug 27, 2021

@Jakuje This is from opensc-0.21.0-4.fc34.x86_64

@FeitianSmartcardReader Is there a limit on the size of the label for the ePass2003?

Line starting at 3613, where the label is 45 bytes:

asn1.c:1780:asn1_encode_entry:  encoding 'label'
asn1.c:1785:asn1_encode_entry:  type=12, tag=0x10000010, parm=0x56525dd85f70, len=45
asn1.c:1978:asn1_encode_entry:  length of encoded item=47

Line 3653: the card returned 6700, which maps to #define SC_ERROR_WRONG_LENGTH -1206.

99 02 67 00 8E 08 B0 E6 07 3A 97 7E 53 E6 67 00

Line 3671:

pkcs15-lib.c:2996:sc_pkcs15init_update_dir: returning with: -1206 (Wrong length)

passes back the error. The card is enforcing some limit to the size of the "dir" record. But the code continues on:

Line 3672:

pkcs15-lib.c:3984:sc_pkcs15init_update_file: called

I would expect the code to have started a cleanup here.

sc_pkcs15init_update_dir only appears to be called from one place: https://github.com/OpenSC/OpenSC/blob/master/src/pkcs15init/pkcs15-lib.c#L910-L926

And there is a FIXME comment that should be addressed.
It would appear that sc_pkcs15init_write_info(p15card, profile, pin_obj); is run but r = sc_pkcs15init_update_tokeninfo(p15card, profile); was not in your dump.

But I have been looking at the OpenSC source, 0.20.0 and 0.21.0. Your source says it is from opensc-0.21.0-4.fc34.x86_64 and has some additional changes.

Can you try running the code in 0.22.0 (https://github.com/OpenSC/OpenSC/releases) or build from git?
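The failure mode discussed in this comment, a directory update that fails but is not acted on, so that initialisation continues and the cleanup at disconnect releases a record that was already released, as an added example. This is a constructed C model written for this page; it is not OpenSC's code and not the later fix. The names (card_state, update_dir, add_app_buggy, add_app_fixed, free_apps), the dir_size limit of 40 and the allocation tracker are assumptions made for the illustration; only the 45-byte label and the -1206 error value come from the thread. The tracker counts a second free of the same pointer instead of executing it, so the buggy path reports the defect rather than crashing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Error values as used in the thread; -1206 is the SC_ERROR_WRONG_LENGTH quoted there. */
#define SC_SUCCESS            0
#define SC_ERROR_WRONG_LENGTH -1206

/* Tiny allocation tracker (constructed): freeing a pointer that is not live is
 * counted, not executed, so the scenario reports the double free instead of crashing. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_frees;

static char *tracked_strdup(const char *s)
{
    char *p = calloc(1, strlen(s) + 1);
    memcpy(p, s, strlen(s) + 1);
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return p; }
    abort();                                /* tracker full; cannot happen in these scenarios */
}

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                         /* p is not live: this would be a double free */
}

/* Constructed stand-in for the card's application records (not OpenSC's structures). */
struct card_state {
    char *label[4];     /* labels of the app records the card still references */
    int count;
    int dir_size;       /* constructed analogue of the profile's dir-size limit */
};

/* Simulated EF(DIR) update: the "card" rejects a record that does not fit. */
static int update_dir(const struct card_state *card, const char *label)
{
    size_t encoded = strlen(label) + 2;     /* tag + length byte, as the log shows: 45 -> 47 */
    return encoded > (size_t)card->dir_size ? SC_ERROR_WRONG_LENGTH : SC_SUCCESS;
}

/* Teardown as at disconnect: frees every record the card still references. */
static void free_apps(struct card_state *card)
{
    for (int i = 0; i < card->count; i++) {
        tracked_free(card->label[i]);
        card->label[i] = NULL;
    }
    card->count = 0;
}

/* Flow with the FIXME left open: the failed directory update releases the label,
 * but the record stays linked to the card and the function still reports success,
 * so initialisation continues and teardown frees the label a second time. */
static int add_app_buggy(struct card_state *card, const char *label)
{
    card->label[card->count++] = tracked_strdup(label);   /* card now owns the record */
    int r = update_dir(card, label);
    if (r < 0)
        tracked_free(card->label[card->count - 1]);       /* dangling pointer left behind */
    /* FIXME: what to do if update_dir failed?  (here: nothing, r is dropped) */
    return SC_SUCCESS;
}

/* Fixed flow: unlink the record before releasing it, release it once, propagate the error. */
static int add_app_fixed(struct card_state *card, const char *label)
{
    card->label[card->count++] = tracked_strdup(label);
    int r = update_dir(card, label);
    if (r < 0) {
        char *own = card->label[--card->count];           /* card no longer references it */
        card->label[card->count] = NULL;
        tracked_free(own);
        return r;                                         /* caller must stop here */
    }
    return SC_SUCCESS;
}

/* One scenario: the issue's 45-byte label against a constructed dir-size of 40.
 * Returns add_app's status; *dfs receives the number of double frees seen at teardown. */
static int run_scenario(int use_fix, int *dfs)
{
    static const char label[] = "A very long label for the token, really long.";
    struct card_state card = { .dir_size = 40 };
    double_frees = 0;
    int r = use_fix ? add_app_fixed(&card, label) : add_app_buggy(&card, label);
    free_apps(&card);                       /* the last thing sc_disconnect_card does */
    *dfs = double_frees;
    return r;
}

static int status_of(int use_fix)       { int d; return run_scenario(use_fix, &d); }
static int double_frees_of(int use_fix) { int d; run_scenario(use_fix, &d); return d; }

int main(void)
{
    printf("buggy: status=%d, double frees=%d\n", status_of(0), double_frees_of(0));
    printf("fixed: status=%d, double frees=%d\n", status_of(1), double_frees_of(1));
    return 0;
}
```

The point of the model is the ownership rule: whichever side still holds a pointer to the record at teardown must be the only side that frees it, and an error from the directory update has to leave the card's list consistent and be returned, so the caller does not go on to sc_pkcs15init_update_file as the log shows it did.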

@muks
Author

muks commented Aug 27, 2021

Can you try running the code in 0.22.0 https://github.com/OpenSC/OpenSC/releases or build from git.

I'm not able to make use of the OpenSC 0.22.0 release and up due to bug #2397 due to which pkcs15-init fails to initialize the smartcard even without a long label. It appears to be a regression introduced in OpenSC 0.22.0 (as OpenSC 0.21.0 works). I'll follow up on that bug report also, with debug logs for that bug.

@frankmorgner
Member

I think (de-)allocations will be tracked if you run your command as

valgrind --track-origins=yes --keep-stacktraces=alloc-and-free pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 12345678 --puk 12345678

@dengert
Member

dengert commented Sep 1, 2021

I think there is some problem with the ACLs, or caching of ACLs or files.

0.20.0 "sc_pkcs15init_authenticate: acl 0x561049d061c0" then goes on to do a verify using the user pin. "PIN('user PIN',type:0x10,reference:0x2)"

0.22.0 "sc_pkcs15init_authenticate: acl (nil)" then tries to write '4401' but ends with:
"99 02 69 82 8E 08 0B F8 16 64 78 FE B7 4A 69 82"

0.20.0 (Ubuntu-20.04) does:

P:12947; T:0x139928475113536 07:30:23.892 [pkcs15-init] card.c:583:sc_create_file: called; type=2, path=3f0050154401, id=17409, size=256
P:12947; T:0x139928475113536 07:30:23.892 [pkcs15-init] card-epass2003.c:2019:epass2003_construct_fci: SC_FILE_ACL
P:12947; T:0x139928475113536 07:30:23.892 [pkcs15-init] card-epass2003.c:1780:acl_to_ac_byte: returning with: 144
P:12947; T:0x139928475113536 07:30:23.892 [pkcs15-init] card-epass2003.c:1784:acl_to_ac_byte: returning with: 150
P:12947; T:0x139928475113536 07:30:23.893 [pkcs15-init] card-epass2003.c:1784:acl_to_ac_byte: returning with: 150
...

P:12947; T:0x139928475113536 07:30:24.783 [pkcs15-init] card-epass2003.c:1798:epass2003_process_fci: processing FCI bytes
P:12947; T:0x139928475113536 07:30:24.783 [pkcs15-init] card-epass2003.c:1802:epass2003_process_fci:   file identifier: 0x4401
P:12947; T:0x139928475113536 07:30:24.783 [pkcs15-init] card-epass2003.c:1810:epass2003_process_fci:   bytes in file: 4864
P:12947; T:0x139928475113536 07:30:24.783 [pkcs15-init] card-epass2003.c:1873:epass2003_process_fci: type working EF, EF structure 1
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] card-epass2003.c:1398:epass2003_select_fid: returning with: 0 (Success)
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] card.c:852:sc_select_file: returning with: 0 (Success)
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3850:sc_pkcs15init_authenticate: called
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3852:sc_pkcs15init_authenticate: path '3f0050154401', op=23
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3863:sc_pkcs15init_authenticate: acl 0x561049d061c0
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3877:sc_pkcs15init_authenticate: verify acl(method:16,reference:2)
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3695:sc_pkcs15init_verify_secret: called
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:3699:sc_pkcs15init_verify_secret: get and verify PIN('user PIN',type:0x10,reference:0x2)
P:12947; T:0x139928475113536 07:30:24.784 [pkcs15-init] pkcs15-lib.c:2165:sc_pkcs15init_get_pin_reference: called

But with 0.22.0 from github:

P:13199; T:0x140573691557952 07:38:30.049 [pkcs15-init] ../../../src/src/libopensc/card.c:583:sc_create_file: called; type=2, path=3f0050154401, id=17409, size=256
P:13199; T:0x140573691557952 07:38:30.049 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:2038:epass2003_construct_fci: SC_FILE_ACL
P:13199; T:0x140573691557952 07:38:30.049 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1799:acl_to_ac_byte: returning with: 144
P:13199; T:0x140573691557952 07:38:30.050 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1803:acl_to_ac_byte: returning with: 150
P:13199; T:0x140573691557952 07:38:30.050 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1803:acl_to_ac_byte: returning with: 150

...

P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1817:epass2003_process_fci: processing FCI bytes
P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1821:epass2003_process_fci:   file identifier: 0x4401
P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1829:epass2003_process_fci:   bytes in file: 4864
P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1892:epass2003_process_fci: type working EF, EF structure 1
P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card-epass2003.c:1405:epass2003_select_fid: returning with: 0 (Success)
P:13199; T:0x140573691557952 07:38:30.940 [pkcs15-init] ../../../src/src/libopensc/card.c:879:sc_select_file: returning with: 0 (Success)
P:13199; T:0x140573691557952 07:38:30.941 [pkcs15-init] ../../../src/src/pkcs15init/pkcs15-lib.c:3850:sc_pkcs15init_authenticate: called
P:13199; T:0x140573691557952 07:38:30.941 [pkcs15-init] ../../../src/src/pkcs15init/pkcs15-lib.c:3852:sc_pkcs15init_authenticate: path '3f0050154401', op=23
P:13199; T:0x140573691557952 07:38:30.941 [pkcs15-init] ../../../src/src/pkcs15init/pkcs15-lib.c:3868:sc_pkcs15init_authenticate: acl (nil)
P:13199; T:0x140573691557952 07:38:30.941 [pkcs15-init] ../../../src/src/pkcs15init/pkcs15-lib.c:3888:sc_pkcs15init_authenticate: returning with: 0 (Success)

Hopefully someone can look at this closer.

There are a few other minor things too. Will submit a PR later in the week or at the weekend.

dengert added a commit to dengert/OpenSC that referenced this issue Sep 10, 2021
pkcs15init/pkcs15-lib.c in sc_pkcs15init_add_app had:
/* FIXME: what to do if sc_pkcs15init_update_dir failed? */

This fixes the problem.

Fixes: OpenSC#2398 in that it will not segfault.

 On branch epass2003-init
 Changes to be committed:
	modified:   ../pkcs15init/pkcs15-lib.c
@dengert
Member

dengert commented Sep 10, 2021

To add a long label you can modify the epass2003.profile: line 45:
dir-size = 112; to dir-size = 128;
It is not clear why in the option onepin section the dir-size is so small, vs the option default which uses 128.
I was able to create a long label:

pkcs15-tool --list-info
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [A_very_long_label_for_the_token,_long.]:
	Version        : 0
	Serial number  : 3744031016091101
	Manufacturer ID: EnterSafe
	Last update    : 20210910152459Z
	Flags          : EID compliant

I leave it up to you to test any longer labels.

The segfault is fixed by 84152c9 and is part of #2403

@dengert
Member

dengert commented Sep 10, 2021

Actually in my testing I changed both the option default and option onepin to df-dir = 128;

AlexandreGonzalo pushed a commit to AlexandreGonzalo/OpenSC that referenced this issue Nov 14, 2022
pkcs15init/pkcs15-lib.c in sc_pkcs15init_add_app had:
/* FIXME: what to do if sc_pkcs15init_update_dir failed? */

This fixes the problem.

Fixes: OpenSC#2398 in that it will not segfault.

 On branch epass2003-init
 Changes to be committed:
	modified:   ../pkcs15init/pkcs15-lib.c