opensc/opensc-CVE-2023-40661-5of12.patch

From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001
From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>
Date: Thu, 16 Mar 2023 22:12:49 +0100
Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and
 into EF separately

---
 src/libopensc/card-sc-hsm.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
index 1b707f08df..c100a87c2a 100644
--- a/src/libopensc/card-sc-hsm.c
+++ b/src/libopensc/card-sc-hsm.c
@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card)
 }
 
 
-
+/* NOTE: idx is an offset into the card's file, not into buf */
 static int sc_hsm_read_binary(sc_card_t *card,
 			       unsigned int idx, u8 *buf, size_t count,
 			       unsigned long flags)
@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card,
 }
 
 
-
+/* NOTE: idx is an offset into the card's file, not into buf */
 static int sc_hsm_write_ef(sc_card_t *card,
 			       int fid,
 			       unsigned int idx, const u8 *buf, size_t count)
@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
 	// 8 bytes are required for T54(4) and T53(4)
 	size_t blk_size = card->max_send_size - 8;
 	size_t to_send = 0;
-	size_t offset = (size_t) idx;
+	size_t file_offset = (size_t) idx;
+	size_t offset = 0;
 	do {
 		len = 0;
 		to_send = bytes_left >= blk_size ? blk_size : bytes_left;
@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card,
 		// ASN1 0x54 offset
 		*p++ = 0x54;
 		*p++ = 0x02;
-		*p++ = (offset >> 8) & 0xFF;
-		*p++ = offset & 0xFF;
+		*p++ = (file_offset >> 8) & 0xFF;
+		*p++ = file_offset & 0xFF;
 		// ASN1 0x53 to_send
 		*p++ = 0x53;
 		if (to_send < 128) {
@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card,
 
 		bytes_left -= to_send;
 		offset += to_send;
+		file_offset += to_send;
 	} while (0 < bytes_left);
 
 err:
Accepting request 1116477 from home:ohollmann:branches:security:chipcard - Security Fix: [CVE-2023-40661, bsc#1215761] * opensc: multiple memory issues with pkcs15-init (enrollment tool) * Add patches: - opensc-CVE-2023-40661-1of12.patch - opensc-CVE-2023-40661-2of12.patch - opensc-CVE-2023-40661-3of12.patch - opensc-CVE-2023-40661-4of12.patch - opensc-CVE-2023-40661-5of12.patch - opensc-CVE-2023-40661-6of12.patch - opensc-CVE-2023-40661-7of12.patch - opensc-CVE-2023-40661-8of12.patch - opensc-CVE-2023-40661-9of12.patch - opensc-CVE-2023-40661-10of12.patch - opensc-CVE-2023-40661-11of12.patch - opensc-CVE-2023-40661-12of12.patch - Security Fix: [CVE-2023-4535, bsc#1215763] * Add patches: - opensc-CVE-2023-4535.patch - opensc-NULL_pointer_fix.patch - Security Fix: [CVE-2023-40660, bsc#1215762] * opensc: PIN bypass when card tracks its own login state * Add patches: - opensc-CVE-2023-40660-1of2.patch - opensc-CVE-2023-40660-2of2.patch OBS-URL: https://build.opensuse.org/request/show/1116477 OBS-URL: https://build.opensuse.org/package/show/security:chipcard/opensc?expand=0&rev=75 2023-10-10 14:49:01 +02:00			`From dd138d0600a1acd7991989127f36827e5836b24e Mon Sep 17 00:00:00 2001`
			`From: "Ingo Struck (git commits)" <gitlab@ingostruck.de>`
			`Date: Thu, 16 Mar 2023 22:12:49 +0100`
			`Subject: [PATCH] Fixed loop in sc_hsm_write_ef, handle offset into buf and`
			`into EF separately`

			`---`
			`src/libopensc/card-sc-hsm.c \| 12 +++++++-----`
			`1 file changed, 7 insertions(+), 5 deletions(-)`

			`diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c`
			`index 1b707f08df..c100a87c2a 100644`
			`--- a/src/libopensc/card-sc-hsm.c`
			`+++ b/src/libopensc/card-sc-hsm.c`
			`@@ -782,7 +782,7 @@ static int sc_hsm_logout(sc_card_t * card)`
			`}`


			`-`
			`+/* NOTE: idx is an offset into the card's file, not into buf */`
			`static int sc_hsm_read_binary(sc_card_t *card,`
			`unsigned int idx, u8 *buf, size_t count,`
			`unsigned long flags)`
			`@@ -823,7 +823,7 @@ static int sc_hsm_read_binary(sc_card_t *card,`
			`}`


			`-`
			`+/* NOTE: idx is an offset into the card's file, not into buf */`
			`static int sc_hsm_write_ef(sc_card_t *card,`
			`int fid,`
			`unsigned int idx, const u8 *buf, size_t count)`
			`@@ -848,7 +848,8 @@ static int sc_hsm_write_ef(sc_card_t *card,`
			`// 8 bytes are required for T54(4) and T53(4)`
			`size_t blk_size = card->max_send_size - 8;`
			`size_t to_send = 0;`
			`- size_t offset = (size_t) idx;`
			`+ size_t file_offset = (size_t) idx;`
			`+ size_t offset = 0;`
			`do {`
			`len = 0;`
			`to_send = bytes_left >= blk_size ? blk_size : bytes_left;`
			`@@ -856,8 +857,8 @@ static int sc_hsm_write_ef(sc_card_t *card,`
			`// ASN1 0x54 offset`
			`*p++ = 0x54;`
			`*p++ = 0x02;`
			`- *p++ = (offset >> 8) & 0xFF;`
			`- *p++ = offset & 0xFF;`
			`+ *p++ = (file_offset >> 8) & 0xFF;`
			`+ *p++ = file_offset & 0xFF;`
			`// ASN1 0x53 to_send`
			`*p++ = 0x53;`
			`if (to_send < 128) {`
			`@@ -890,6 +891,7 @@ static int sc_hsm_write_ef(sc_card_t *card,`

			`bytes_left -= to_send;`
			`offset += to_send;`
			`+ file_offset += to_send;`
			`} while (0 < bytes_left);`

			`err:`