From: Douglas E E. <dee...@gm...> - 2015-06-03 16:47:42
Good point. A card designed to cause a segfault... We really do need to make sure we don't segfault.

On 6/3/2015 3:44 AM, Dirk-Willem van Gulik wrote:
>
>> On 02 Jun 2015, at 18:36, Douglas E Engert <dee...@gm... <mailto:dee...@gm...>> wrote:
>>
>>
>>
>> On 6/2/2015 10:32 AM, Dirk-Willem van Gulik wrote:
>>> We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
>>> from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).
>>>
>>> Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have I found a rare case ?
>>
>> It depends. The part of OpenSC that tries to determine the type of card, would be more likely to run into "naughty cards"
>> or cards that don't follow all the standards or cards that have not been initialized as expected.
>>
>> Cards that may have worked with older versions of OpenSC, may not work with newer versions, as newer code
>> may not have been tested against the older cards. For example, there are cards that emulate PKCS#15 and newer code
>> added to OpenSC for example the sc_enum_apps() may not be emulated correctly. For example the ODF in older code
>> does not need to be emulated. Not clear if it does now.
>>
>> Older versions of cards that may have worked before. But newer versions of the card or the files on new cards
>> are not the same as before because the card issuer changed something.
>>
>> Can you say what cards caused these problems?
>
> We dove into this because we saw a card specifically designed to make (login) daemons segfault (and hence fall back to lesser systems due to non ideal designed processes).
>
> This is basically an organisational/procedure attack - where a DoS leads to the human/apparatus complex to do unsafe things to tide over; and the exploit is then there; not in OpenSC per-se.
> > By pure co-incidence (going through old logs) we discovered that various AET cards; including a card issued to most Dutch civil servants also causes pretty much all opensc tools (and pkcs11/15) to > segfault. > > In this case it is more ‘silly’ — cards respond to queries with a: > > { > (char []) "I am the SafeSign Applet of A.E.T. Europe B.V. please authenticate yourself\n”, > 0x90, 0x00 > } > > that confuses OpenSC enough to segfault in various places on mere insertion/query. > > Dw. > >> >>> >>> Dw. >>> >>> https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff >>> >>> src/libopensc/dir.c >>> @@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card) >>> r = sc_select_file(card, &path, &card->ef_dir); >>> LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file"); >>> >>> +if (card->ef_dir == NULL) { >>> +LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant."); >>> +} >>> + >>> if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) { >>> sc_file_free(card->ef_dir); >>> card->ef_dir = NULL; >>> >>> src/libopensc/pkcs15.c >>> @@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid) >>> sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err); >>> goto end; >>> } >>> +if (p15card->file_odf == NULL) { >>> +sc_log(ctx, "After making absolute path to EF(ODF) still no odf."); >>> +goto end; >>> +} >>> sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath)); >>> err = sc_select_file(card, &tmppath, &p15card->file_odf); >>> } 
>>> @@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid) >>> goto end; >>> } >>> >>> +assert(p15card->file_odf); >>> + >>> len = p15card->file_odf->size; >>> if (!len) { >>> sc_log(ctx, "EF(ODF) is empty”); >>> >>> >>> >>> ------------------------------------------------------------------------------ >>> _______________________________________________ >>> Opensc-devel mailing list >>> Ope...@li... <mailto:Ope...@li...> >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >>> >> >> -- >> >> Douglas E. Engert <DEE...@gm... <mailto:DEE...@gm...>> >> >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... <mailto:Ope...@li...> >> https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
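
Review bot: in the sc_enum_apps() hunk of src/libopensc/dir.c, the new NULL branch exits through LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, ...), the same macro that is used just above it as a conditional test on r, so whether this branch really returns before card->ef_dir->type is dereferenced depends on how the macro treats that constant. An explicit sc_log() followed by return SC_ERROR_INVALID_CARD; would make the exit unconditional and obvious to the reader. The message text should also read "nonexistent".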
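
Review bot: in the first sc_pkcs15_bind_internal() hunk (@@ -1044), the check on p15card->file_odf sits before err = sc_select_file(card, &tmppath, &p15card->file_odf);, which is the call that fills that pointer, so it tests the value from before the select and does not cover a select that reports success while leaving file_odf NULL. The step before it only builds tmppath, so it has no way to set file_odf. Move the check to after the sc_select_file() call, and assign an error code to err before goto end, because this path is only reached when the preceding error check did not fire.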
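
Review bot: in the second sc_pkcs15_bind_internal() hunk (@@ -1059), assert(p15card->file_odf); turns a NULL file_odf into a process abort, which for the login daemons discussed in this thread is the same outcome as the segfault, and in a build with NDEBUG defined the assert disappears and p15card->file_odf->size is dereferenced unguarded. Replace it with a runtime check that logs, sets err and takes goto end like the neighbouring error paths.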
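
The banner response quoted in this thread (ASCII text followed by 0x90 0x00) shows that a success status word says nothing about the payload. As an added example, not part of the original messages and not OpenSC code, here is a structural check a caller could run on a raw response before using it. It assumes the query was a SELECT whose data should be an ISO/IEC 7816-4 FCP or FCI template (tag 0x62 or 0x6F); the function name, return codes and sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { RSP_OK = 0, RSP_TOO_SHORT = -1, RSP_BAD_SW = -2, RSP_BAD_TAG = -3, RSP_BAD_LENGTH = -4 };

/* Hypothetical helper: validate a raw SELECT response (data || SW1 SW2)
 * before any field of it is trusted. */
int check_select_response(const uint8_t *rsp, size_t rsp_len)
{
    size_t data_len, hdr = 2, len;

    if (rsp == NULL || rsp_len < 2)
        return RSP_TOO_SHORT;
    if (rsp[rsp_len - 2] != 0x90 || rsp[rsp_len - 1] != 0x00)
        return RSP_BAD_SW;
    data_len = rsp_len - 2;
    if (data_len < 2)
        return RSP_TOO_SHORT;          /* no room for tag + length */
    if (rsp[0] != 0x62 && rsp[0] != 0x6F)
        return RSP_BAD_TAG;            /* not an FCP/FCI template */
    len = rsp[1];
    if (len == 0x81) {                 /* long form, one length byte */
        if (data_len < 3)
            return RSP_TOO_SHORT;
        len = rsp[2];
        hdr = 3;
    } else if (len >= 0x80) {
        return RSP_BAD_LENGTH;         /* other long forms are rejected here */
    }
    if (len > data_len - hdr)
        return RSP_BAD_LENGTH;         /* template claims more bytes than arrived */
    return RSP_OK;
}

/* Constructed samples. The string literal's implicit NUL serves as SW2 = 0x00. */
static const uint8_t banner_rsp[] =
    "I am the SafeSign Applet of A.E.T. Europe B.V. please authenticate yourself\n\x90";
static const uint8_t valid_rsp[] = { 0x62, 0x0B, 0x80, 0x02, 0x00, 0x10, 0x82, 0x01,
                                     0x01, 0x83, 0x02, 0x2F, 0x00, 0x90, 0x00 };
static const uint8_t overlong_rsp[] = { 0x62, 0x7F, 0x80, 0x90, 0x00 };

int main(void)
{
    printf("banner=%d valid=%d overlong=%d\n",
           check_select_response(banner_rsp, sizeof banner_rsp),
           check_select_response(valid_rsp, sizeof valid_rsp),
           check_select_response(overlong_rsp, sizeof overlong_rsp));
    return 0;
}
```

A caller that gets anything other than RSP_OK should return an error to its own caller instead of reporting success with an empty file object, which is the state the NULL checks in the patch are guarding against.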