void-packages/srcpkgs/yubico-piv-tool/patches/use-after-free.patch

97 lines
3.8 KiB
Diff
Raw Normal View History

2023-01-05 15:40:18 +01:00
From 855c0a410efe792d24039708612f1525a5e2b7cc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?=
<61348757+xhanulik@users.noreply.github.com>
Date: Thu, 3 Mar 2022 19:03:44 +0100
Subject: [PATCH] Fix usage of pointer after free (#362)
* Set uninitialized variables
* Fix use after free
Causes errors "may be used after 'free'", since
`dec` is not allocated again after `free()`.
Also, removed assigning of `sizeof(dec)`, because
`dec` is not static array, but allocated.
---
ykcs11/tests/ykcs11_tests_util.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c
index 77270bd3..530d9028 100644
--- a/ykcs11/tests/ykcs11_tests_util.c
+++ b/ykcs11/tests/ykcs11_tests_util.c
@@ -281,7 +281,7 @@ void test_digest_func(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
CK_BYTE digest_update[128] = {0};
CK_ULONG digest_update_len;
CK_BYTE hdata[128] = {0};
- CK_ULONG hdata_len;
+ CK_ULONG hdata_len = 0;
CK_MECHANISM mech = {mech_type, NULL, 0};
@@ -1015,7 +1015,7 @@ void test_rsa_sign_thorough(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE sessio
EVP_PKEY_CTX *ctx = NULL;
CK_BYTE hdata[512] = {0};
- CK_ULONG hdata_len;
+ CK_ULONG hdata_len = 0;
CK_OBJECT_HANDLE obj_pubkey;
CK_MECHANISM mech = {mech_type, NULL, 0};
@@ -1193,7 +1193,7 @@ void test_rsa_decrypt(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
CK_BYTE* data;
CK_BYTE enc[512] = {0};
CK_BYTE* dec;
- CK_ULONG dec_len;
+ CK_ULONG dec_len, dec_len_backup;
if(padding == RSA_NO_PADDING) {
data_len = RSA_size(rsak);
@@ -1228,12 +1228,14 @@ void test_rsa_decrypt(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
// Decrypt Update
asrt(funcs->C_DecryptInit(session, &mech, obj_pvtkey[i]), CKR_OK, "DECRYPT INIT");
asrt(funcs->C_Login(session, CKU_CONTEXT_SPECIFIC, (CK_CHAR_PTR)"123456", 6), CKR_OK, "Re-Login USER");
- dec_len = sizeof(dec);
+ dec = malloc(dec_len);
+ dec_len_backup = dec_len;
asrt(funcs->C_DecryptUpdate(session, enc, 100, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
- dec_len = sizeof(dec);
+ dec_len = dec_len_backup;
asrt(funcs->C_DecryptUpdate(session, enc+100, 8, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
- dec_len = sizeof(dec);
+ dec_len = dec_len_backup;
asrt(funcs->C_DecryptUpdate(session, enc+108, 20, dec, &dec_len), CKR_OK, "DECRYPT UPDATE");
+ free(dec);
dec_len = 0;
asrt(funcs->C_DecryptFinal(session, NULL, &dec_len), CKR_OK, "DECRYPT FINAL");
dec = malloc(dec_len);
From 720afc81f5e034d2a8d3944e4f28463f808998a4 Mon Sep 17 00:00:00 2001
From: Dan Fuhry <dan@fuhry.com>
Date: Thu, 16 Jun 2022 15:09:30 -0400
Subject: [PATCH] [ykcs11/tests] fix use-after-free warning in gcc 12
gcc 12 includes a new `-Wuse-after-free` warning mode that detects use
of variables after a call to `free()`. While the use of this variable is
not in fact a use-after-free, it is more correct to not reuse the `dec`
variable or explicitly set it to `NULL` after calling `free`.
This is not a security bug.
Signed-Off-By: Dan Fuhry <dan@fuhry.com>
---
ykcs11/tests/ykcs11_tests_util.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c
index f10c21cd..876d656c 100644
--- a/ykcs11/tests/ykcs11_tests_util.c
+++ b/ykcs11/tests/ykcs11_tests_util.c
@@ -1143,6 +1143,7 @@ void test_rsa_decrypt(CK_FUNCTION_LIST_PTR funcs, CK_SESSION_HANDLE session, CK_
asrt(dec_len, data_len, "DECRYPTED DATA LEN");
asrt(memcmp(data, dec, dec_len), 0, "DECRYPTED DATA");
free(dec);
+ dec = NULL;
// Decrypt Update
asrt(funcs->C_DecryptInit(session, &mech, obj_pvtkey[i]), CKR_OK, "DECRYPT INIT");