
Possible buffer overrun vulnerability in pkcs15 cardos_have_verifyrc_package #2785

Closed
fullwaywang opened this issue May 26, 2023 · 3 comments · Fixed by #2787

@fullwaywang

Problem Description

On reviewing historical CVE vulnerabilities, I found a possible recurrence of CVE-2021-42782, which was reported by oss-fuzz and fixed in commit 1252aca.

The newly found issue exists in the pkcs15-init module. Like the original bug in libopensc, cardos_have_verifyrc_package in pkcs15-cardos.c scans an ASN.1 buffer for 2 tags. The pointer p is moved after each sc_asn1_find_tag invocation, which results in a miscalculation of the number of bytes remaining in the buffer and hence in reading beyond the end of the buffer.

Proposed Resolution

Almost the same patch as 1252aca will do:

diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
index 9715cf39..f41f73c3 100644
--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
        sc_apdu_t apdu;
         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
         int       r;
-       const u8  *p = rbuf, *q;
+       const u8  *p = rbuf, *q, *pp;
        size_t    len, tlen = 0, ilen = 0;

        sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
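Review bot: the new pointer in `const u8  *p = rbuf, *q, *pp;` is named so that it reads as a typo for `p`; since its only job is to hold the 0xe1 record's value pointer so that `p` and `len` stay paired, a name such as `rec` plus a one-line comment stating that `p` and `len` must always describe the same window would document the invariant this fix relies on.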
@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
                return 0;

        while (len != 0) {
-               p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
-               if (p == NULL)
+               pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+               if (pp == NULL)
                        return 0;
                if (card->type == SC_CARD_TYPE_CARDOS_M4_3)     {
                        /* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01 */
                        /* and Package Number 0x07                                      */
-                       q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+                       q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
                        if (q == NULL || ilen != 4)
                                return 0;
                        if (q[0] == 0x07)
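Review bot: the outer call `pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);` is now consistent, because `len` counts from `p` and `p` is no longer overwritten with the value pointer. The inner call `q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);` still trusts `tlen` taken from the record's own length field, so this hunk depends on `sc_asn1_find_tag` having rejected a `tlen` larger than the remaining `len`; that should be confirmed and noted in a comment. Nothing visible in this hunk advances `p` or `len`, so whatever step follows these lines must now skip the whole record (header plus `tlen`) to match the new meaning of `p`.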
@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
                } else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)      {
                        /* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03  */
                        /* and Package Number 0x02                                      */
-                       q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
+                       q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
                        if (q == NULL || ilen != 4)
                                return 0;
                        if (q[0] == 0x02)
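Review bot: this branch duplicates the M4_3 branch with only the manufacturer tag (0x03) and package number (0x02) changed, and this issue exists precisely because the same loop was copied from libopensc and fixed only there in 1252aca. Folding the two branches into one lookup from card type to expected manufacturer tag and package number, followed by a single `sc_asn1_find_tag(card->ctx, pp, tlen, mfr, &ilen)` and one `ilen != 4` check, would leave one place to keep correct.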

Reference

https://www.opencve.io/cve/CVE-2021-42782
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
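An added model of the pointer/length mismatch described above; this is illustrative code, not the issue's or OpenSC's. `find_tag` is a constructed stand-in for `sc_asn1_find_tag` that records the furthest byte it reads, `RBUF` is a constructed card response, and `second_search_overrun` runs the loop's first pass and the next pass's outer search with and without the proposed `pp` change (the loop's own advance of `p`/`len` is not shown in the issue and is left out).

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for sc_asn1_find_tag (not OpenSC code): walks
 * 1-byte-tag/1-byte-length TLVs in [p, p+len), trusting len. *high
 * records the furthest byte read so the caller can detect over-reads. */
static const uint8_t *find_tag(const uint8_t *p, size_t len, uint8_t tag,
                               size_t *tlen, const uint8_t **high)
{
    while (len >= 2) {
        size_t vlen = p[1];
        if (*high < p + 1) *high = p + 1;
        if (vlen > len - 2) return NULL;   /* element does not fit the window */
        if (p[0] == tag) {
            *tlen = vlen;
            return p + 2;
        }
        p += 2 + vlen;
        len -= 2 + vlen;
    }
    return NULL;
}

/* Constructed response: RESP_LEN valid bytes in a larger RBUF (like
 * rbuf[SC_MAX_APDU_BUFFER_SIZE]). Record 1 is a 0xe1 entry whose 0x01
 * element is package 0x05 (not verifyRC) plus two pad bytes; record 2 follows. */
#define RESP_LEN 16
static const uint8_t RBUF[32] = {
    0xe1, 0x08, 0x01, 0x04, 0x05, 0x00, 0x00, 0x00, 0x02, 0x01,
    0xe1, 0x04, 0x01, 0x02, 0x07, 0x00,
};

/* First loop pass, then the outer search of the next pass. fixed == 0:
 * the outer result overwrites p while len still counts from rbuf (the
 * reported bug). fixed != 0: the result goes to pp as in the patch.
 * Returns how many bytes past the valid response the next search read. */
static size_t second_search_overrun(int fixed)
{
    const uint8_t *p = RBUF, *pp, *q, *high = RBUF;
    size_t len = RESP_LEN, tlen = 0, ilen = 0, read_end;

    pp = find_tag(p, len, 0xe1, &tlen, &high);
    if (pp == NULL) return 0;
    if (!fixed) p = pp;                          /* CVE-2023-2977 pattern */
    q = find_tag(pp, tlen, 0x01, &ilen, &high);  /* inner search, bounded by tlen */
    if (q == NULL || ilen != 4 || q[0] == 0x07)
        return 0;                                /* real function returns here */
    high = RBUF;
    find_tag(p, len, 0xe1, &tlen, &high);        /* next pass's outer search */
    read_end = (size_t)(high - RBUF) + 1;        /* bytes touched, counted from rbuf */
    return read_end > RESP_LEN ? read_end - RESP_LEN : 0;
}
```

With the buggy pairing the next outer search walks two bytes past the 16-byte response; with `pp` holding the value pointer it stays inside it.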

@frankmorgner
Member

Yes, indeed. Could you create a pull request, please?

How did you find this problem? Is there some systematic/automatic process possible?

@fullwaywang
Author

Sure, I'll make a PR on Monday.
There is indeed a novel method to scan for recurring bugs of historical vulnerabilities in OSS. I have been reporting detected issues to any investigated project. Hopefully I could present the details in some upcoming conference.

@ByteHackr

CVE-2023-2977 was assigned for this issue.
