Bug 1668933 (CVE-2019-6502) - CVE-2019-6502 opensc: memory leak in sc_context_create in ctx.c in libopensc
Summary: CVE-2019-6502 opensc: memory leak in sc_context_create in ctx.c in libopensc
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-6502
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1668934
TreeView+ depends on / blocked
 
Reported: 2019-01-23 21:50 UTC by Laura Pardo
Modified: 2019-09-29 15:06 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:46:21 UTC


Attachments (Terms of Use)

Description Laura Pardo 2019-01-23 21:50:52 UTC
A flaw was found in OpenSC 0.19.0. Function sc_context_create in ctx.c in libopensc has a memory leak.


References:
https://github.com/OpenSC/OpenSC/issues/1586

Comment 1 Scott Gayou 2019-03-01 17:39:12 UTC
Initially a bit confusing as upstream reporter didn't mention the command. The command isn't actually given, but you can see a hint in the upstream trace: eidenv. Compile with asan, run with no args:

```
No smart card readers found.
Failed to connect to card: Unknown error

=================================================================
==28673==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 632 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554572aebe in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:809:8
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554580419a in pcsc_init /home/work/workspace/opensc/OpenSC/src/libopensc/reader-pcsc.c:763:10
    #2 0x7f554572b427 in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:861:6
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b24624 in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:260:43
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b240ce in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:244:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b2408e in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:243:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x438390 in __interceptor_strdup (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x438390)
    #1 0x7f554572af8f in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:816:19
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

SUMMARY: AddressSanitizer: 951 byte(s) leaked in 6 allocation(s).
```

Comment 2 Scott Gayou 2019-03-01 18:06:42 UTC
After fixing the first "leak", we get this.

```
[work@localhost-live ~]$ valgrind --leak-check=full eidenv
==21692== Memcheck, a memory error detector
==21692== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21692== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==21692== Command: eidenv
==21692== 
No smart card readers found.
Failed to connect to card: Unknown error
==21692== 
==21692== HEAP SUMMARY:
==21692==     in use at exit: 1,727 bytes in 9 blocks
==21692==   total heap usage: 118 allocs, 109 frees, 12,986 bytes allocated
==21692== 
==21692== 112 (40 direct, 72 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 9
==21692==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==21692==    by 0x502C324: ???
==21692==    by 0x502B69A: ???
==21692==    by 0x48B6A36: pcsc_detect_readers (reader-pcsc.c:1354)
==21692==    by 0x486483D: sc_ctx_detect_readers (ctx.c:744)
==21692==    by 0x4864CAD: sc_context_create (ctx.c:879)
==21692==    by 0x4024E0: main (eidenv.c:397)
==21692== 
==21692== LEAK SUMMARY:
==21692==    definitely lost: 40 bytes in 1 blocks
==21692==    indirectly lost: 72 bytes in 3 blocks
==21692==      possibly lost: 0 bytes in 0 blocks
==21692==    still reachable: 1,615 bytes in 5 blocks
==21692==         suppressed: 0 bytes in 0 blocks
==21692== Reachable blocks (those to which a pointer was found) are not shown.
==21692== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==21692== 
==21692== For counts of detected and suppressed errors, rerun with: -v
==21692== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

Comment 3 Scott Gayou 2019-03-01 18:59:27 UTC
The second leak is almost certainly https://github.com/OpenSC/OpenSC/issues/512 and https://salsa.debian.org/rousseau/PCSC/issues/1. Issue seems to be in pcsc-lite, and not opensc.

Comment 4 Scott Gayou 2019-03-01 19:33:56 UTC
Submitted potential fix for first memory leak upstream. Second leak is in pcsc-lite and I have not investigated that. As of now, my thoughts are that this CVE is invalid and should be rejected. Upstream sources have CVSS scores of up to 9.8 -- I believe those are incorrect as well and our customers are not impacted by this.

Comment 6 Scott Gayou 2019-03-01 20:30:23 UTC
Tracking other leak here: https://bugzilla.redhat.com/show_bug.cgi?id=1684673


Note You need to log in before you can comment on or make changes to this bug.