Major stability issue


Major stability issue

Andreas Schwier (ML)
Hello everyone,

I've created a patch [1] that aims at solving a major issue when
deleting PKCS#11 objects. Apparently sequence matters when private and
public key objects and related certificates are removed.

Because PKCS#11 requires OpenSC to return certain attributes only
available in public keys, the framework code maintains pointers to
related framework objects (see related_xxx in struct pkcs15_and_object).
Apparently that works only until the related object is deleted.

Because the related object's memory is overwritten with 0 and then
freed, the code most of the time works fine, as members in the
referenced structure are NULL. However, if the memory is reallocated,
then member variables contain arbitrary values and may cause all kinds
of unexpected behaviour (from error to SEGV).

The general problem is that the attributes from the deleted public key
are still needed when querying these attributes for the private key. So
solving the dereferencing problem is not sufficient; we also need the
public key's attributes after it has been deleted.

One option would be to copy all the required attributes into the private
key object. The other option is to create a copy of the related public
key and attach that to the private keys. This leaves most of the code
unchanged. The duplicate of the public key is removed when the framework
object for the private key is removed.

The issue is in particular important, as it prevents the use of an OpenSC
supported card as key store with EJBCA. However, this bug also affects
other applications that generate and delete keys, in particular Java
applications using the sunpkcs11 provider.

Due to the major impact of the bug, I vote to have a maintenance update
for the last stable version (0.14).

Andreas

[1] https://github.com/OpenSC/OpenSC/pull/282

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
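The mechanism Andreas describes, reduced to a small C model (added here as an illustration; this is not OpenSC code, and the struct and function names are constructed): a private key object keeps a borrowed `related_pubkey` pointer to the public key object because a PKCS#11 attribute it must answer lives only there. Deleting the public key zeroes and releases its storage, so the query returns 0 (the "works most of the time" case) until the storage is reused by another object, at which point the private key reports that object's values. The fix modelled here is the second option from the mail: the private key owns a duplicate of the public key and answers from that, releasing the duplicate only when the private key itself is removed. To keep the reuse deterministic and avoid touching memory the process has really released, a fixed slot pool stands in for the heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a framework object pair, not OpenSC's own structures. */

#define SLOTS 4

struct pubkey_obj {
    int in_use;
    unsigned long modulus_bits;  /* attribute PKCS#11 also wants for the private key */
};

/* Slot pool standing in for the heap: freeing clears a slot and makes it the
 * next one handed out, so "reallocation" of the same storage is deterministic. */
static struct pubkey_obj pool[SLOTS];

static struct pubkey_obj *pubkey_alloc(unsigned long bits) {
    for (int i = 0; i < SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].modulus_bits = bits;
            return &pool[i];
        }
    }
    return NULL;
}

/* Deletion as the thread describes it: memory overwritten with 0, then released. */
static void pubkey_free(struct pubkey_obj *p) {
    memset(p, 0, sizeof *p);
}

struct privkey_obj {
    const struct pubkey_obj *related_pubkey;  /* dangling design: borrowed pointer */
    struct pubkey_obj *pubkey_copy;           /* fixed design: owned duplicate */
};

/* Naive design: answer the attribute query through the borrowed pointer. */
static unsigned long naive_modulus_bits(const struct privkey_obj *prv) {
    return prv->related_pubkey->modulus_bits;
}

/* Fixed design: answer from the owned copy, which outlives the public key object. */
static unsigned long fixed_modulus_bits(const struct privkey_obj *prv) {
    return prv->pubkey_copy->modulus_bits;
}

/* Create a key pair, delete the public key, optionally let another object
 * reuse its slot, then query the private key. Returns the reported bit length. */
static unsigned long scenario(int use_copy, int reuse_slot) {
    memset(pool, 0, sizeof pool);
    struct pubkey_obj *pub = pubkey_alloc(2048);
    struct privkey_obj prv = { .related_pubkey = pub, .pubkey_copy = NULL };
    if (use_copy) {
        prv.pubkey_copy = malloc(sizeof *prv.pubkey_copy);
        if (!prv.pubkey_copy)
            return 0;
        *prv.pubkey_copy = *pub;          /* duplicate taken while pub is alive */
    }
    pubkey_free(pub);                     /* application deletes the public key */
    if (reuse_slot)
        pubkey_alloc(4096);               /* unrelated object lands in the same slot */
    unsigned long bits = use_copy ? fixed_modulus_bits(&prv)
                                  : naive_modulus_bits(&prv);
    free(prv.pubkey_copy);                /* duplicate dies with the private key */
    return bits;
}

int main(void) {
    printf("naive, slot not reused : %lu\n", scenario(0, 0));  /* 0: zeroed */
    printf("naive, slot reused     : %lu\n", scenario(0, 1));  /* 4096: stale data */
    printf("copy,  slot not reused : %lu\n", scenario(1, 0));  /* 2048 */
    printf("copy,  slot reused     : %lu\n", scenario(1, 1));  /* 2048 */
    return 0;
}
```

The naive variant reports 0 while the freed slot stays zeroed and 4096 once another object occupies it, which is exactly the error-to-crash spectrum the mail describes; the owning-copy variant reports 2048 in both cases because the private key no longer depends on the public key's lifetime.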

Re: Major stability issue

Frank Morgner
Hi, Andreas!

Thanks for finding this bug! I can confirm the bug on Debian using the
PKCS#11 layer (e.g. with pkcs11-tool). I traced down the bug to where
the memory was erased and the free occurred. However, I did not find out
if this was a problem due to the card's profile or OpenSC's
implementation (I ended up commenting out free and accepting the memory
leak).

I did my best to review the patch. I agree that a new maintenance
release should be done. (Double) free corruptions have been used for
exploits in the past...

Greets, Frank.


On Wednesday, September 03 at 09:15PM, Andreas Schwier wrote:

> Hello everyone,
>
> I've created a patch [1] that aims at solving a major issue when
> deleting PKCS#11 objects. Apparently sequence matters when private and
> public key objects and related certificates are removed.
>
> Because PKCS#11 requires OpenSC to return certain attributes only
> available in public keys, the framework code maintains pointers to
> related framework objects (see related_xxx in struct pkcs15_and_object).
> Apparently that works only until the related object is deleted.
>
> Because the related object's memory is overwritten with 0 and then
> freed, the code most of the time works fine, as members in the
> referenced structure are NULL. However, if the memory is reallocated,
> then member variables contain arbitrary values and may cause all kinds
> of unexpected behaviour (from error to SEGV).
>
> The general problem is that the attributes from the deleted public key
> are still needed when querying these attributes for the private key. So
> solving the dereferencing problem is not sufficient; we also need the
> public key's attributes after it has been deleted.
>
> One option would be to copy all the required attributes into the private
> key object. The other option is to create a copy of the related public
> key and attach that to the private keys. This leaves most of the code
> unchanged. The duplicate of the public key is removed when the framework
> object for the private key is removed.
>
> The issue is in particular important, as it prevents the use of an OpenSC
> supported card as key store with EJBCA. However, this bug also affects
> other applications that generate and delete keys, in particular Java
> applications using the sunpkcs11 provider.
>
> Due to the major impact of the bug, I vote to have a maintenance update
> for the last stable version (0.14).
>
> Andreas
>
> [1] https://github.com/OpenSC/OpenSC/pull/282
>
--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
