CVE-2025-66215.patch
From e064e2123752613a95bff50defd27a59ad562325 Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Fri, 3 Apr 2026 14:27:41 +0000
Subject: [PATCH] Backport patches: fix stack buffer overflow by using
SC_MAX_APDU_BUFFER_SIZE for resplen, cap le to MIN and SC_MAX_APDU_RESP_SIZE,
switch magic 256 to SC_MAX_APDU_RESP_SIZE, use MIN macro, adjust response
buffer sizes to SC_MAX_APDU_RESP_SIZE, and formatting updates per upstream
patch.
Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/OpenSC/OpenSC/pull/3436.patch
---
src/libopensc/card-oberthur.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/src/libopensc/card-oberthur.c b/src/libopensc/card-oberthur.c
index 1fc40f7..4f3aa84 100644
--- a/src/libopensc/card-oberthur.c
+++ b/src/libopensc/card-oberthur.c
@@ -228,7 +228,7 @@ auth_init(struct sc_card *card)
card->caps |= SC_CARD_CAP_RNG;
card->caps |= SC_CARD_CAP_USE_FCI_AC;
- if (auth_select_aid(card)) {
+ if (auth_select_aid(card)) {
sc_log(card->ctx, "Failed to initialize %s", card->name);
rv = SC_ERROR_INVALID_CARD;
LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_INVALID_CARD, "Failed to initialize");
@@ -259,7 +259,7 @@ static void
add_acl_entry(struct sc_card *card, struct sc_file *file, unsigned int op,
unsigned char acl_byte)
{
- if ((acl_byte & 0xE0) == 0x60) {
+ if ((acl_byte & 0xE0) == 0x60) {
sc_log(card->ctx, "called; op 0x%X; SC_AC_PRO; ref 0x%X", op, acl_byte);
sc_file_add_acl_entry(file, op, SC_AC_PRO, acl_byte);
return;
@@ -590,10 +590,10 @@ auth_list_files(struct sc_card *card, unsigned char *buf, size_t buflen)
if (apdu.resplen == 0x100 && rbuf[0]==0 && rbuf[1]==0)
LOG_FUNC_RETURN(card->ctx, 0);
- buflen = buflen < apdu.resplen ? buflen : apdu.resplen;
+ buflen = MIN(buflen, apdu.resplen);
memcpy(buf, rbuf, buflen);
- LOG_FUNC_RETURN(card->ctx, buflen);
+ LOG_FUNC_RETURN(card->ctx, (int)buflen);
}
@@ -1115,9 +1115,9 @@ auth_compute_signature(struct sc_card *card, const unsigned char *in, size_t ile
apdu.datalen = ilen;
apdu.data = in;
apdu.lc = ilen;
- apdu.le = olen > 256 ? 256 : olen;
+ apdu.le = MIN(olen, SC_MAX_APDU_RESP_SIZE);
apdu.resp = resp;
- apdu.resplen = olen;
+ apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
rv = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
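Review bot: Setting `apdu.resplen = SC_MAX_APDU_BUFFER_SIZE` in auth_compute_signature is only safe if `resp` is declared with at least that many bytes, and that declaration lies outside this hunk. Because this is a backport, confirm the target tree has `unsigned char resp[SC_MAX_APDU_BUFFER_SIZE];` here rather than a smaller array. The card may now return more than `olen` bytes, so the copy into `out` after the transmit (also outside the hunk) has to reject `apdu.resplen > olen` before its memcpy. If that check is missing in this version, add one mirroring the `count < apdu.resplen` test this patch adds in auth_read_record.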
@@ -1161,14 +1161,14 @@ auth_decipher(struct sc_card *card, const unsigned char *in, size_t inlen,
}
_inlen = inlen;
- if (_inlen == 256) {
+ if (_inlen == SC_MAX_APDU_RESP_SIZE) {
apdu.cla |= 0x10;
apdu.data = in;
apdu.datalen = 8;
apdu.resp = resp;
apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
apdu.lc = 8;
- apdu.le = 256;
+ apdu.le = SC_MAX_APDU_RESP_SIZE;
rv = sc_transmit_apdu(card, &apdu);
sc_log(card->ctx, "rv %i", rv);
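Review bot: The condition `_inlen == SC_MAX_APDU_RESP_SIZE` in auth_decipher compares an input length against a constant named for the response size, which hides why this branch exists. The branch appears to split the input across chained APDUs (`apdu.cla |= 0x10`, first 8 bytes), so the threshold is about the command data, not the reply. A comment such as `/* input of this length does not fit one short APDU: send the first 8 bytes chained */` above the `if` would keep the intent readable. The function body starts and continues outside the hunk.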
@@ -1477,7 +1477,7 @@ auth_read_component(struct sc_card *card, enum SC_CARDCTL_OBERTHUR_KEY_TYPE type
{
struct sc_apdu apdu;
int rv;
- unsigned char resp[256];
+ unsigned char resp[SC_MAX_APDU_RESP_SIZE];
LOG_FUNC_CALLED(card->ctx);
sc_log(card->ctx, "num %i, outlen %"SC_FORMAT_LEN_SIZE_T"u, type %i",
@@ -2129,7 +2129,7 @@ auth_read_binary(struct sc_card *card, unsigned int offset,
if (auth_current_ef->magic==SC_FILE_MAGIC &&
auth_current_ef->ef_structure == SC_CARDCTL_OBERTHUR_KEY_RSA_PUBLIC) {
int jj;
- unsigned char resp[256];
+ unsigned char resp[SC_MAX_APDU_RESP_SIZE];
size_t resp_len, out_len;
struct sc_pkcs15_pubkey_rsa key;
@@ -2214,14 +2214,16 @@ auth_read_record(struct sc_card *card, unsigned int nr_rec,
if (flags & SC_RECORD_BY_REC_NR)
apdu.p2 |= 0x04;
- apdu.le = count;
- apdu.resplen = count;
+ apdu.le = MIN(count, SC_MAX_APDU_BUFFER_SIZE);
+ apdu.resplen = SC_MAX_APDU_BUFFER_SIZE;
apdu.resp = recvbuf;
rv = sc_transmit_apdu(card, &apdu);
LOG_TEST_RET(card->ctx, rv, "APDU transmit failed");
if (apdu.resplen == 0)
LOG_FUNC_RETURN(card->ctx, sc_check_sw(card, apdu.sw1, apdu.sw2));
+ if (count < apdu.resplen)
+ LOG_FUNC_RETURN(card->ctx, SC_ERROR_WRONG_LENGTH);
memcpy(buf, recvbuf, apdu.resplen);
rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
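Review bot: `apdu.le = MIN(count, SC_MAX_APDU_BUFFER_SIZE)` in auth_read_record caps Le with the buffer-size constant, while auth_compute_signature in this same patch caps it with SC_MAX_APDU_RESP_SIZE. If the buffer constant is the larger of the two (presumably it also covers header and status bytes), Le can exceed what a short APDU may request. Consider `apdu.le = MIN(count, SC_MAX_APDU_RESP_SIZE);` while keeping `apdu.resplen` at the buffer size. `recvbuf` is declared outside the hunk, so confirm it holds at least SC_MAX_APDU_BUFFER_SIZE bytes in the backport target. The new `count < apdu.resplen` check also returns before `sc_check_sw` runs, so an error status word that arrives with oversized data is reported as SC_ERROR_WRONG_LENGTH; a one-line comment stating that this is intended would help.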
--
2.45.4