A flaw was found in OpenSC 0.19.0. Function sc_context_create in ctx.c in libopensc has a memory leak. References: https://github.com/OpenSC/OpenSC/issues/1586
Initially a bit confusing as upstream reporter didn't mention the command. The command isn't actually given, but you can see a hint in the upstream trace: eidenv. Compile with asan, run with no args:

```
No smart card readers found.
Failed to connect to card: Unknown error

=================================================================
==28673==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 632 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554572aebe in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:809:8
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 224 byte(s) in 1 object(s) allocated from:
    #0 0x4ebd3f in calloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebd3f)
    #1 0x7f554580419a in pcsc_init /home/work/workspace/opensc/OpenSC/src/libopensc/reader-pcsc.c:763:10
    #2 0x7f554572b427 in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:861:6
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b24624 in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:260:43
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b240ce in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:244:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x4ebaff in malloc (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x4ebaff)
    #1 0x7f5545b2408e in list_init /home/work/workspace/opensc/OpenSC/src/common/simclist.c:243:47
    #2 0x7f554572b14e in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:827:11
    #3 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #4 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

Indirect leak of 7 byte(s) in 1 object(s) allocated from:
    #0 0x438390 in __interceptor_strdup (/home/work/workspace/opensc/OpenSC/src/tools/.libs/lt-eidenv+0x438390)
    #1 0x7f554572af8f in sc_context_create /home/work/workspace/opensc/OpenSC/src/libopensc/ctx.c:816:19
    #2 0x528a3d in main /home/work/workspace/opensc/OpenSC/src/tools/eidenv.c:397:6
    #3 0x7f554529f412 in __libc_start_main (/lib64/libc.so.6+0x24412)

SUMMARY: AddressSanitizer: 951 byte(s) leaked in 6 allocation(s).
```
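A scaled-down model of the first leak, added here as an illustration and not OpenSC's own code (ctx_t, reader_t, ctx_create, ctx_release, connect_card and the tool_main_* functions are hypothetical stand-ins for sc_context_create/sc_release_context and the eidenv main). It shows why the trace above lists one direct leak and several indirect ones: the context is the single directly allocated block, everything it owns hangs off it, and an early return from main on connect failure drops all of them at process exit; releasing the context on every exit path clears the whole report.

```c
#include <stdlib.h>
#include <string.h>
static int live_allocs = 0;   /* outstanding heap blocks: what LSan/Valgrind count at exit */
static void *xalloc(size_t sz) { void *p = calloc(1, sz); if (p) live_allocs++; return p; }
static void  xfree(void *p)    { if (p) { free(p); live_allocs--; } }
static char *xstrdup(const char *s) { char *d = xalloc(strlen(s) + 1); return d ? strcpy(d, s) : NULL; }

typedef struct { int handle; } reader_t;   /* stands in for the pcsc reader block (pcsc_init) */
typedef struct {
    char     *app_name;   /* strdup'd app name: the 7-byte indirect leak (ctx.c:816) */
    reader_t *reader;     /* reader block: the 224-byte indirect leak (reader-pcsc.c:763) */
} ctx_t;

/* Model of sc_release_context(): free the owned objects, then the context itself. */
static void ctx_release(ctx_t *c) { if (c) { xfree(c->reader); xfree(c->app_name); xfree(c); } }

/* Model of sc_context_create(): the context is the direct allocation (ctx.c:809);
 * the objects it owns become the indirect leaks once the context pointer is dropped. */
static int ctx_create(ctx_t **out, const char *app)
{
    ctx_t *c = xalloc(sizeof *c);
    if (!c) return -1;
    c->app_name = xstrdup(app);
    c->reader   = xalloc(sizeof *c->reader);
    if (!c->app_name || !c->reader) { ctx_release(c); return -1; }
    *out = c;
    return 0;
}

/* No readers attached, so connecting always fails, as in the trace above. */
static int connect_card(ctx_t *c) { (void)c; return -1; }

/* Before: returning on connect failure drops the context and everything it owns. */
int tool_main_leaky(void)
{
    ctx_t *c;
    if (ctx_create(&c, "eidenv") != 0) return 1;
    if (connect_card(c) != 0) return 1;   /* early exit: ctx_release() never runs */
    ctx_release(c);
    return 0;
}

/* After: every exit path releases the context, so nothing is outstanding at exit. */
int tool_main_fixed(void)
{
    ctx_t *c;
    if (ctx_create(&c, "eidenv") != 0) return 1;
    int rc = (connect_card(c) == 0) ? 0 : 1;
    ctx_release(c);
    return rc;
}
int live_allocations(void) { return live_allocs; }   /* 3 after the leaky run, 0 after the fixed one */
```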
After fixing the first "leak", we get this.

```
[work@localhost-live ~]$ valgrind --leak-check=full eidenv
==21692== Memcheck, a memory error detector
==21692== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21692== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==21692== Command: eidenv
==21692==
No smart card readers found.
Failed to connect to card: Unknown error
==21692==
==21692== HEAP SUMMARY:
==21692==     in use at exit: 1,727 bytes in 9 blocks
==21692==   total heap usage: 118 allocs, 109 frees, 12,986 bytes allocated
==21692==
==21692== 112 (40 direct, 72 indirect) bytes in 1 blocks are definitely lost in loss record 7 of 9
==21692==    at 0x483880B: malloc (vg_replace_malloc.c:309)
==21692==    by 0x502C324: ???
==21692==    by 0x502B69A: ???
==21692==    by 0x48B6A36: pcsc_detect_readers (reader-pcsc.c:1354)
==21692==    by 0x486483D: sc_ctx_detect_readers (ctx.c:744)
==21692==    by 0x4864CAD: sc_context_create (ctx.c:879)
==21692==    by 0x4024E0: main (eidenv.c:397)
==21692==
==21692== LEAK SUMMARY:
==21692==    definitely lost: 40 bytes in 1 blocks
==21692==    indirectly lost: 72 bytes in 3 blocks
==21692==      possibly lost: 0 bytes in 0 blocks
==21692==    still reachable: 1,615 bytes in 5 blocks
==21692==         suppressed: 0 bytes in 0 blocks
==21692== Reachable blocks (those to which a pointer was found) are not shown.
==21692== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==21692==
==21692== For counts of detected and suppressed errors, rerun with: -v
==21692== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
The second leak is almost certainly https://github.com/OpenSC/OpenSC/issues/512 and https://salsa.debian.org/rousseau/PCSC/issues/1. Issue seems to be in pcsc-lite, and not opensc.
Submitted potential fix for first memory leak upstream. Second leak is in pcsc-lite and I have not investigated that. As of now, my thoughts are that this CVE is invalid and should be rejected. Upstream sources have CVSS scores of up to 9.8 -- I believe those are incorrect as well and our customers are not impacted by this.
Tracking other leak here: https://bugzilla.redhat.com/show_bug.cgi?id=1684673