Bug 1506515
| Summary: | Possible Null pointer deref in epass2003_select_fid() | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | opensc | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED NOTABUG | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.5 | CC: | huzaifas |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-11-06 05:03:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Your Coverity link points to file card-entersafe.c (which still has the same "potential issue"). The upstream commit a3fc62f is already in the RHEL7.4 version of OpenSC (we have 0.16.0+ snapshot and this commit is from early 2015 -- it will be missing in previous unsupported version of OpenSC).

Looking closely at the source code, the proposed code path is not possible (in card-entersafe.c), because the sc_file_free() is called only if "r<0" and SC_TEST_RET() is returning for every "r<0". And Coverity has some problems with these macros ... sigh ...

Please, clarify what you would like to fix.

(In reply to Jakub Jelen from comment #2)
> Your Coverity link points to file card-entersafe.c (which still has the same
> "potential issue"). The upstream commit a3fc62f is already in the RHEL7.4
> version of OpenSC (we have 0.16.0+ snapshot and this commit is from early
> 2015 -- it will be missing in previous unsupported version of OpenSC).
>

The Coverity scan uses the latest pkg we have a brew build for, that is:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=618792

> Looking closely at the source code, the proposed code path is not possible
> (in card-entersafe.c), because the sc_file_free() is called only if "r<0"
> and SC_TEST_RET() is returning for every "r<0". And Coverity has some
> problems with these macros ... sigh ...
>
> Please, clarify what you would like to fix.

This is quite possible. In this case, I am going to close this bug as notabug.
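The control-flow argument made in comment #2, as an added example that is not part of the original thread and is not OpenSC code: every name here (`file_model`, `TEST_RET`, `select_model`, `select_fid_model`) is a constructed stand-in, and the macro is only assumed to behave as the comment describes SC_TEST_RET(), returning for every negative `r`. The counter records whether the dereference is ever reached after the free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for illustration; not OpenSC's definitions. */
#define FILE_TYPE_DF 1
struct file_model { int type; };

int reads_after_free = 0;   /* incremented if a freed file is ever read */

/* Early-return macro modelled on the behaviour described for SC_TEST_RET():
 * it leaves the calling function for every negative r. */
#define TEST_RET(r, msg) do { \
        if ((r) < 0) { fprintf(stderr, "%s (%d)\n", (msg), (r)); return (r); } \
    } while (0)

/* Hypothetical select step: hands back a file object plus a status code. */
static int select_model(int status, struct file_model **out)
{
    *out = calloc(1, sizeof(**out));
    if (*out == NULL)
        return -2;
    (*out)->type = FILE_TYPE_DF;
    return status;
}

/* Returns 1 for a DF, 0 otherwise, or the negative error from the select. */
int select_fid_model(int status)
{
    struct file_model *file = NULL;
    int freed = 0, is_df;
    int r = select_model(status, &file);

    if (r < 0) {            /* the free happens only on the error path ... */
        free(file);
        freed = 1;
    }
    TEST_RET(r, "select failed");   /* ... and every r < 0 returns here */

    if (freed)              /* unreachable: freed implies r < 0 */
        reads_after_free++;
    is_df = (file->type == FILE_TYPE_DF);
    free(file);
    return is_df;
}

int main(void)
{
    printf("ok=%d err=%d reads_after_free=%d\n",
           select_fid_model(0), select_fid_model(-1), reads_after_free);
    return 0;
}
```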
Upstream commit a3fc62f79ff867ca2a2c5be24aff1759d3476417 uses the following: - if (file->type == SC_FILE_TYPE_DF) { + if (file && file->type == SC_FILE_TYPE_DF) { in epass2003_select_fid() Coverity called this a UAF; not sure if it's reachable or even trigger-able, but it would be nice to have this backported. http://cov01.lab.eng.brq.redhat.com/covscanhub/task/60217/log/opensc-0.16.0-5.20170227git777e2a3.el7/scan-results.html#def2
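Review bot: the `file &&` test added on the `+` line only protects against `file` being NULL at this condition; a pointer that was freed earlier but not cleared would still pass it, so on its own the guard does not address a use-after-free finding. If the concern is a path on which the file object has already been released, that path should set the pointer to NULL or return before reaching `if (file && file->type == SC_FILE_TYPE_DF) {`, and any later use of `file` in epass2003_select_fid() needs the same guard. A short comment stating when `file` can legitimately be NULL here would also help whoever next triages a scanner report against this function.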