2196234 – OpenSC Segmentation Fault (core dump) due to lack of NULL termination

Bug 2196234 - OpenSC Segmentation Fault (core dump) due to lack of NULL termination [NEEDINFO]

Summary: OpenSC Segmentation Fault (core dump) due to lack of NULL termination

Keywords:
Status:	VERIFIED
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	opensc
Sub Component:
Version:	8.10
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	rc
Target Release:	8.9
Assignee:	Jakub Jelen
QA Contact:	Marek Havrila
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2023-05-08 11:56 UTC by Jason Pyeron
Modified:	2023-08-02 13:37 UTC (History)
CC List:	1 user (show)
Fixed In Version:	opensc-0.20.0-5.el8
Doc Type:	No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	mhavrila: needinfo? (jpyeron)

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	OpenSC/OpenSC/commit/34dad7f543f006ad269ce1f935a9e8d3e3a83db7	None	None	None	2023-05-08 11:56:53 UTC
Red Hat Issue Tracker	CRYPTO-10956	None	None	None	2023-06-15 15:06:45 UTC
Red Hat Issue Tracker	RHELPLAN-156606	None	None	None	2023-05-08 11:57:52 UTC
chromium.org	oss-fuzz 20510	None	None	None	2023-05-08 11:56:53 UTC

Description Jason Pyeron 2023-05-08 11:56:53 UTC

Description of problem:

There is a seg fault caused by a lack of null termination. 

Version-Release number of selected component (if applicable):

opensc-0.20.0-4

How reproducible:

100% when memory alignment is missing a coincidental NULL.

Steps to Reproduce:
1. perform operations on a Gemalto ID Prime smart card

Actual results:

Segmentation fault

Expected results:

success

Additional info:

Fixed in upstream, see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20510

https://github.com/OpenSC/OpenSC/commit/34dad7f543f006ad269ce1f935a9e8d3e3a83db7

--- ./src/libopensc/card-idprime.c.orig 2023-05-07 06:13:39.000000000 +0000
+++ ./src/libopensc/card-idprime.c      2023-05-07 06:13:12.000000000 +0000
@@ -52,6 +52,7 @@
          "ff:ff:00:ff:ff:ff:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff",
          "Gemalto IDPrime MD 8840, 3840, 3810, 840 and 830 Cards",
          SC_CARD_TYPE_IDPRIME_GENERIC, 0, NULL },
+       { NULL, NULL, NULL, 0, 0, NULL }
 };

 static const sc_path_t idprime_path = {

Comment 1 Jakub Jelen 2023-05-09 08:34:44 UTC

Thank you for the report. We should indeed fix this when we will build a new package for RHEL 8.

Comment 3 Marek Havrila 2023-06-30 14:28:20 UTC

Dear Jason,

would you be able to test opensc build with the fix and let us know if it works for you? We should be able to provide you with the build next week.

Regards,
Marek

Note You need to log in before you can comment on or make changes to this bug.