Hello Douglas, attached is a patch that is almost the same as yours. The only difference is that it still honours the max_virtual_slots property. Consider it untested too.
Regards, Andre Zepezauer

On Mon, 2010-06-14 at 09:44 -0500, Douglas E. Engert wrote:
>
> On 6/12/2010 6:02 AM, Martin Vogt wrote:
> > Hello,
> >
> > today I had a glibc error with svn head, which looks like "writing
> > over an array boundary" to me:
> >
> >> 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> >> pkcs11-global.c:447:C_GetSlotList: doing free
> >> *** glibc detected ***
> >> /home/kde/work/opensc/svn_head/opensc/src/tools/.libs/pkcs11-tool: free():
> >> invalid next size (fast): 0x0000000000629b00 ***
> >> ======= Backtrace: =========
> >> /lib64/libc.so.6[0x7fe710d42108]
> >> /lib6Aborted
> >
> > The glibc abort happens in the function: pkcs11-global:C_GetSlotList
> > As far as I understand this, the section (around line 380)
> >
> >> if ((found = (CK_SLOT_ID_PTR)malloc (sizeof (*found) *
> >> sc_pkcs11_conf.max_virtual_slots)) == NULL) {
> >> rv = CKR_HOST_MEMORY;
> >> goto out;
> >> }
> >
>
> This looks like a hold over from previous code. It looks like
> list_size(&virtual_slots)
> should be used, and the code should be moved after the detection for new
> readers.
> See *untested* patch attached.
>
> With the changes for virtual_slots being based on readers found, does this
> mean
> the opensc.conf max_virtual_slots is obsolete?
>
> > allocates an array with sc_pkcs11_conf.max_virtual_slots entries. My
> > printf says that:
> >
> >> sc_debug(context, SC_LOG_DEBUG_NORMAL,"found
> >> 2:%d\n",sc_pkcs11_conf.max_virtual_slots);
> >> 0x7fe7120b66f0 12:48:44.132 [opensc-pkcs11]
> >> pkcs11-global.c:381:C_GetSlotList: found 2:1
> >
> > ==> 1
> >
> > But then it writes to this array 5 times (around line 400):
> >
> >> if (!tokenPresent || (slot->slot_info.flags& CKF_TOKEN_PRESENT)) {
> >> sc_debug(context, SC_LOG_DEBUG_NORMAL,"writing found :%d\n",numMatches);
> >> /*
> >> if (numMatches>= sc_pkcs11_conf.max_virtual_slots) {
> >> printf("malloc error in found\n");
> >> exit(1);
> >> }
> >> */
> >> found[numMatches++] = slot->id;
> >
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:408:C_GetSlotList: writing found :0
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:408:C_GetSlotList: writing found :1
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:408:C_GetSlotList: writing found :2
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:408:C_GetSlotList: writing found :3
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:408:C_GetSlotList: writing found :4
> > 0x7fe7120b66f0 12:48:44.133 [opensc-pkcs11]
> > pkcs11-global.c:422:C_GetSlotList: was only a size inquiry (5)
> >
> >
> > Is this the heap corruption detected by glibc?
> >
> > Maybe I have a broken config file, but can this
> > be handled somehow without a heap corruption?
> >
> > regards,
> >
> > Martin
> > _______________________________________________
> > opensc-devel mailing list
> > opensc-devel@lists.opensc-project.org
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
> >
> >
>
Index: pkcs11-global.c =================================================================== --- pkcs11-global.c (revision 4413) +++ pkcs11-global.c (working copy) @@ -376,29 +376,28 @@ goto out; } - if ( - (found = (CK_SLOT_ID_PTR)malloc ( - sizeof (*found) * sc_pkcs11_conf.max_virtual_slots - )) == NULL - ) { - rv = CKR_HOST_MEMORY; - goto out; - } + sc_debug(context, SC_LOG_DEBUG_NORMAL, "C_GetSlotList(token=%d, %s)", tokenPresent, + (pSlotList==NULL_PTR && sc_pkcs11_conf.plug_and_play)? "plug-n-play":"refresh"); - sc_debug(context, SC_LOG_DEBUG_NORMAL, "C_GetSlotList(token=%d, %s)", tokenPresent, (pSlotList==NULL_PTR && sc_pkcs11_conf.plug_and_play)? "plug-n-play":"refresh"); - /* Slot list can only change in v2.20 */ if (pSlotList == NULL_PTR && sc_pkcs11_conf.plug_and_play) { /* Trick NSS into updating the slot list by changing the hotplug slot ID */ sc_pkcs11_slot_t *hotplug_slot = list_get_at(&virtual_slots, 0); hotplug_slot->id--; sc_ctx_detect_readers(context); - } + card_detect_all(); + found = (CK_SLOT_ID_PTR) malloc(list_size(&virtual_slots) * sizeof(CK_SLOT_ID)); + + if (found == NULL) { + rv = CKR_HOST_MEMORY; + goto out; + } + numMatches = 0; - for (i=0; i<list_size(&virtual_slots); i++) { + for (i=0; i<list_size(&virtual_slots) && i<sc_pkcs11_conf.max_virtual_slots; i++) { slot = (sc_pkcs11_slot_t *) list_get_at(&virtual_slots, i); if (!tokenPresent || (slot->slot_info.flags & CKF_TOKEN_PRESENT)) found[numMatches++] = slot->id;
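Review bot: the hunk removes the `- }` that closed the `if (pSlotList == NULL_PTR && sc_pkcs11_conf.plug_and_play)` block and, in the lines shown, nothing closes it again before `numMatches = 0;`, so either the truncated tail of the hunk re-closes it or the new `malloc` and the slot loop now run only on a plug-and-play size inquiry and `found` stays NULL on an ordinary refresh call; please confirm where the brace went. Separately, the new loop bound `i<sc_pkcs11_conf.max_virtual_slots` no longer protects any buffer, since `found` is now sized from `list_size(&virtual_slots)`; it only hides slots that already exist in `virtual_slots` from C_GetSlotList while their IDs remain valid for other calls, so if the limit is meant to be honoured, enforce it where virtual slots are created rather than where they are reported, and document that in the opensc.conf description of max_virtual_slots. Two smaller points: `list_size(&virtual_slots)` can be 0 and `malloc(0)` may legitimately return NULL, which the `found == NULL` check would misreport as CKR_HOST_MEMORY, so guard the empty case before allocating; and `hotplug_slot` from `list_get_at(&virtual_slots, 0)` is dereferenced without a NULL check on the line just above the new code.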
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
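A stand-alone illustration of the overrun Martin hit and of the shape the fix needs, added here as an example and not code from OpenSC or from either patch: `slot_t`, `slot_list_t`, `broken_overrun_words`, `get_slot_list_fixed` and the five-slot sample list are constructed stand-ins for `sc_pkcs11_slot_t`, `virtual_slots` and the real `C_GetSlotList`, and `max_virtual_slots = 1` mirrors the value in the log above. The vulnerable function keeps the original shape (buffer sized from the config value, loop driven by the live list) but writes into a sentinel-filled tail instead of real heap metadata so the overrun can be counted rather than crashing; the hardened one sizes its scratch array from the list and applies the PKCS#11 size-inquiry and CKR_BUFFER_TOO_SMALL contract so the caller's buffer cannot be overrun either.

```c
/* Added example, not OpenSC code: the C_GetSlotList allocation bug from the
 * thread, reduced to a stand-alone program. slot_t, slot_list_t and the
 * function names are hypothetical stand-ins for OpenSC's own types. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned long CK_SLOT_ID;
typedef unsigned long CK_ULONG;
typedef unsigned long CK_RV;
typedef unsigned char CK_BBOOL;
#define CKR_OK               0x000UL
#define CKR_HOST_MEMORY      0x002UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKF_TOKEN_PRESENT    0x001UL

typedef struct { CK_SLOT_ID id; CK_ULONG flags; } slot_t;          /* ~ sc_pkcs11_slot_t */
typedef struct { const slot_t *items; size_t count; } slot_list_t; /* ~ virtual_slots */

/* Stands in for sc_pkcs11_conf.max_virtual_slots; 1 matches the log above. */
static const size_t max_virtual_slots = 1;

/* Constructed input: five virtual slots, three with a token present. */
static const slot_t sample_items[5] = {
    {0x10, CKF_TOKEN_PRESENT}, {0x11, 0}, {0x12, CKF_TOKEN_PRESENT}, {0x13, 0}, {0x14, CKF_TOKEN_PRESENT},
};
static const slot_list_t sample = { sample_items, 5 };

#define GUARD_WORD  0xA5A5A5A5UL
#define GUARD_WORDS 8

/* Vulnerable shape: buffer sized from the config value, loop driven by the live
 * list. To keep this demonstration defined behaviour the buffer gets GUARD_WORDS
 * extra sentinel words and the loop stops at their end; the function returns how
 * many sentinels the loop overwrote. In the real driver those words are glibc
 * heap metadata, which is why free() reports "invalid next size". */
static size_t broken_overrun_words(CK_BBOOL tokenPresent)
{
    CK_SLOT_ID *found = malloc((max_virtual_slots + GUARD_WORDS) * sizeof *found);
    if (found == NULL) return 0;
    for (size_t g = 0; g < GUARD_WORDS; g++) found[max_virtual_slots + g] = GUARD_WORD;

    size_t numMatches = 0;
    for (size_t i = 0; i < sample.count && numMatches < max_virtual_slots + GUARD_WORDS; i++)
        if (!tokenPresent || (sample.items[i].flags & CKF_TOKEN_PRESENT))
            found[numMatches++] = sample.items[i].id;  /* index >= max_virtual_slots: overrun */

    size_t clobbered = 0;
    for (size_t g = 0; g < GUARD_WORDS; g++) if (found[max_virtual_slots + g] != GUARD_WORD) clobbered++;
    free(found);
    return clobbered;
}

/* Hardened shape: size the scratch array from the list itself, and let the
 * caller's *pulCount bound the copy as the PKCS#11 C_GetSlotList contract requires. */
static CK_RV get_slot_list_fixed(const slot_list_t *slots, CK_BBOOL tokenPresent,
                                 CK_SLOT_ID *pSlotList, CK_ULONG *pulCount)
{
    if (pulCount == NULL) return CKR_ARGUMENTS_BAD;
    /* malloc(0) may return NULL; an empty list must not look like OOM. */
    CK_SLOT_ID *found = malloc((slots->count ? slots->count : 1) * sizeof *found);
    if (found == NULL) return CKR_HOST_MEMORY;

    size_t numMatches = 0;
    for (size_t i = 0; i < slots->count; i++)        /* numMatches <= slots->count */
        if (!tokenPresent || (slots->items[i].flags & CKF_TOKEN_PRESENT))
            found[numMatches++] = slots->items[i].id;

    CK_RV rv = CKR_OK;
    if (pSlotList == NULL) {
        *pulCount = numMatches;                        /* size inquiry */
    } else if (*pulCount < numMatches) {
        *pulCount = numMatches;                        /* tell the caller what it needs */
        rv = CKR_BUFFER_TOO_SMALL;
    } else {
        memcpy(pSlotList, found, numMatches * sizeof *found);
        *pulCount = numMatches;
    }
    free(found);
    return rv;
}

/* Small wrappers so the outcomes on the sample list can be checked directly.
 * capacity 0 means a size inquiry (pSlotList == NULL). */
static CK_RV fixed_rv(CK_BBOOL tokenPresent, CK_ULONG capacity)
{
    CK_SLOT_ID buf[8]; CK_ULONG n = capacity;
    return get_slot_list_fixed(&sample, tokenPresent, capacity ? buf : NULL, &n);
}
static CK_ULONG fixed_count(CK_BBOOL tokenPresent, CK_ULONG capacity)
{
    CK_SLOT_ID buf[8]; CK_ULONG n = capacity;
    get_slot_list_fixed(&sample, tokenPresent, capacity ? buf : NULL, &n);
    return n;
}
static CK_SLOT_ID fixed_nth(CK_BBOOL tokenPresent, size_t k)  /* k-th id when the buffer has room */
{
    CK_SLOT_ID buf[8] = {0}; CK_ULONG n = 8;
    get_slot_list_fixed(&sample, tokenPresent, buf, &n);
    return k < n ? buf[k] : 0;
}

int main(void)
{
    printf("config bound %zu, %zu slots: broken loop clobbers %zu adjacent words\n",
           max_virtual_slots, sample.count, broken_overrun_words(0));
    printf("fixed size inquiry: rv=%lu count=%lu\n", fixed_rv(0, 0), fixed_count(0, 0));
    printf("fixed with 2-entry buffer: rv=0x%lx count=%lu\n", fixed_rv(0, 2), fixed_count(0, 2));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the broken variant reports four clobbered words for the five-slot list, exactly the four writes past `found[0]` in Martin's log, while the hardened variant answers the size inquiry with 5, returns CKR_BUFFER_TOO_SMALL for a two-entry buffer, and copies only the three token-present IDs when asked with `tokenPresent` set.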