opensc/opensc-CVE-2024-45620.patch

commit a1bcc6516f43d570899820d259b71c53f8049168
Author: Veronika Hanulíková <vhanulik@redhat.com>
Date:   Thu Jul 18 09:23:20 2024 +0200

    pkcs15-starcos: Check length of file to be non-zero
    
    Thanks Matteo Marini for report
    https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8
    
    fuzz_pkcs15init/20

Index: opensc-0.24.0/src/pkcs15init/pkcs15-starcos.c
===================================================================
--- opensc-0.24.0.orig/src/pkcs15init/pkcs15-starcos.c
+++ opensc-0.24.0/src/pkcs15init/pkcs15-starcos.c
@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profil
 		return r;
 	len = tfile->size;
 	sc_file_free(tfile);
+	if (len == 0)
+		return SC_ERROR_INTERNAL;
 	buf = malloc(len);
 	if (!buf)
 		return SC_ERROR_OUT_OF_MEMORY;
@@ -684,7 +686,7 @@ static int starcos_write_pukey(sc_profil
 	if (num_keys == 0xff)
 		num_keys = 0;
 	/* encode public key */
-	keylen  = starcos_encode_pukey(rsa, NULL, kinfo);
+	keylen = starcos_encode_pukey(rsa, NULL, kinfo);
 	if (!keylen) {
 		free(buf);
 		return SC_ERROR_INTERNAL;
Index: opensc-0.24.0/src/libopensc/iasecc-sdo.c
===================================================================
--- opensc-0.24.0.orig/src/libopensc/iasecc-sdo.c
+++ opensc-0.24.0/src/libopensc/iasecc-sdo.c
@@ -317,16 +317,25 @@ iasecc_se_parse(struct sc_card *card, un
 
 	LOG_FUNC_CALLED(ctx);
 
+        if (data_len < 1)
+                LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
 		size_size = iasecc_parse_size(data + 1, data_len - 1, &size);
 		LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");
 
+                if (data_len - 1 < size)
+                        LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
 		data += size_size + 1;
 		data_len = size;
 		sc_log(ctx,
 		       "IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",
 		       size, size_size);
 
+                if (data_len < 3)
+                        LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+
 		if (*data != IASECC_SDO_TAG_HEADER)
 			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
 
@@ -757,6 +766,8 @@ iasecc_sdo_parse(struct sc_card *card, u
 	int rv;
 
 	LOG_FUNC_CALLED(ctx);
+	if (data == NULL || data_len < 2)
+		LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
 
 	if (*data == IASECC_SDO_TEMPLATE_TAG)   {
 		size_size = iasecc_parse_size(data + 1, data_len - 1, &size);
Sync from SUSE:SLFO:Main opensc revision afd720d3dea3186095bb8f49807fc961 2024-10-18 15:42:40 +02:00			`commit a1bcc6516f43d570899820d259b71c53f8049168`
			`Author: Veronika Hanulíková <vhanulik@redhat.com>`
			`Date: Thu Jul 18 09:23:20 2024 +0200`

			`pkcs15-starcos: Check length of file to be non-zero`

			`Thanks Matteo Marini for report`
			`https://github.com/OpenSC/OpenSC/security/advisories/GHSA-p3mx-7472-h3j8`

			`fuzz_pkcs15init/20`

			`Index: opensc-0.24.0/src/pkcs15init/pkcs15-starcos.c`
			`===================================================================`
			`--- opensc-0.24.0.orig/src/pkcs15init/pkcs15-starcos.c`
			`+++ opensc-0.24.0/src/pkcs15init/pkcs15-starcos.c`
			`@@ -670,6 +670,8 @@ static int starcos_write_pukey(sc_profil`
			`return r;`
			`len = tfile->size;`
			`sc_file_free(tfile);`
			`+ if (len == 0)`
			`+ return SC_ERROR_INTERNAL;`
			`buf = malloc(len);`
			`if (!buf)`
			`return SC_ERROR_OUT_OF_MEMORY;`
			`@@ -684,7 +686,7 @@ static int starcos_write_pukey(sc_profil`
			`if (num_keys == 0xff)`
			`num_keys = 0;`
			`/* encode public key */`
			`- keylen = starcos_encode_pukey(rsa, NULL, kinfo);`
			`+ keylen = starcos_encode_pukey(rsa, NULL, kinfo);`
			`if (!keylen) {`
			`free(buf);`
			`return SC_ERROR_INTERNAL;`
			`Index: opensc-0.24.0/src/libopensc/iasecc-sdo.c`
			`===================================================================`
			`--- opensc-0.24.0.orig/src/libopensc/iasecc-sdo.c`
			`+++ opensc-0.24.0/src/libopensc/iasecc-sdo.c`
			`@@ -317,16 +317,25 @@ iasecc_se_parse(struct sc_card *card, un`

			`LOG_FUNC_CALLED(ctx);`

			`+ if (data_len < 1)`
			`+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);`
			`+`
			`if (*data == IASECC_SDO_TEMPLATE_TAG) {`
			`size_size = iasecc_parse_size(data + 1, data_len - 1, &size);`
			`LOG_TEST_RET(ctx, size_size, "parse error: invalid size data of IASECC_SDO_TEMPLATE");`

			`+ if (data_len - 1 < size)`
			`+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);`
			`+`
			`data += size_size + 1;`
			`data_len = size;`
			`sc_log(ctx,`
			`"IASECC_SDO_TEMPLATE: size %"SC_FORMAT_LEN_SIZE_T"u, size_size %"SC_FORMAT_LEN_SIZE_T"u",`
			`size, size_size);`

			`+ if (data_len < 3)`
			`+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);`
			`+`
			`if (*data != IASECC_SDO_TAG_HEADER)`
			`LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);`

			`@@ -757,6 +766,8 @@ iasecc_sdo_parse(struct sc_card *card, u`
			`int rv;`

			`LOG_FUNC_CALLED(ctx);`
			`+ if (data == NULL \|\| data_len < 2)`
			`+ LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);`

			`if (*data == IASECC_SDO_TEMPLATE_TAG) {`
			`size_size = iasecc_parse_size(data + 1, data_len - 1, &size);`