
libpcscspy.so segfault on SCardTransmit using a bit4id module #159

Closed
amreo opened this issue Sep 26, 2023 · 4 comments

Comments

@amreo

amreo commented Sep 26, 2023

Versions

  • smart card reader driver name and version
    Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) (it is an ewient EW1052, USB id: 0bda:0165)
  • pcsc-lite version: pcsclite 2.0.0-1 (manjaro package version)
  • the output of the command /usr/sbin/pcscd --version
[amreo@amreo-manjaro-pc ~]$ pcscd --version
pcsc-lite version 2.0.0.
Copyright (C) 1999-2002 by David Corcoran <[email protected]>.
Copyright (C) 2001-2022 by Ludovic Rousseau <[email protected]>.
Copyright (C) 2003-2004 by Damien Sauveron <[email protected]>.
Report bugs to <[email protected]>.
Enabled features: Linux x86_64-pc-linux-gnu libsystemd serial usb libudev polkit usbdropdir=/usr/lib/pcsc/drivers ipcdir=/run/pcscd filter configdir=/etc/reader.conf.d
MAX_READERNAME: 128, PCSCLITE_MAX_READERS_CONTEXTS: 16

Platform

  • Operating system or GNU/Linux distribution name and version: Manjaro (it is a rolling release)
  • Smart card middleware name and version: libbit4id 1.4.10.542-1 (package name: aur/bit4id-ipki)
  • Smart card reader manufacturer name and reader model name: ewient EW1052
  • Smart card name: "Carta Nazionale dei Servizi" (by infocamere). OpenSC name is "itacns". It is a "ST microelettronics JSign3 (HealthCare)" card

Issue

  • What do you do?
  1. bash /usr/share/doc/pcsc-lite/install_spy.sh as root
  2. pcsc-spy in another terminal
  3. pkcs11-tool --module /usr/lib/bit4id/libbit4xpki.so -O
  • What result do you expect?
    I expected this output from the last command:
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      CNS User Certificate
  subject:    DN: O=Camera di Commercio, <omissis>
  ID:         434e5330
Data object 1002
  label:          'PDATA'
  application:    'PDATA'
  app_id:         2.0.68.65.84.65
  flags:           modifiable
Public Key Object; RSA 1024 bits
  label:      CNS User Public Key
  ID:         434e5330
  Usage:      encrypt, verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      DS User Certificate3
  subject:    DN: C=IT, <omissis>
  ID:         445333
Public Key Object; RSA 2048 bits
  label:      DS User Public Key3
  ID:         445333
  Usage:      encrypt, verify
  Access:     none
  • What result do you get instead?
Using slot 0 with a present token (0x0)
Segmentation fault (created core dump)

Log

log.txt

Additional info:

pcsc-spy output:

[amreo@amreo-manjaro-pc ~]$ pcsc-spy 
SCardEstablishContext
 i dwScope: SCARD_SCOPE_USER (0x00000000)
 o hContext: 0x41DE6DB3
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.017725]
SCardListReaders
 i hContext: 0x41DE6DB3
 i mszGroups: (null)
 o pcchReaders: 0x0000005D
 o mszReaders: NULL
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000129]
SCardListReaders
 i hContext: 0x41DE6DB3
 i mszGroups: (null)
 o pcchReaders: 0x0000005D
 o mszReaders: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o mszReaders: 
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000124]
SCardGetStatusChange
 i hContext: 0x41DE6DB3
 i dwTimeout: 0x00000000 (0)
 i cReaders: 1
 i szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 i  dwCurrentState:  (0x00000000)
 i  dwEventState:  (0x00000000)
 i  Atr length: 0x00000000 (0)
 i  Atr: 
 o szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o  dwCurrentState:  (0x00000000)
 o  dwEventState: SCARD_STATE_CHANGED, SCARD_STATE_PRESENT (0x00000022)
 o  Atr length: 0x00000019 (25)
 o  Atr: 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000251]
SCardGetStatusChange
 i hContext: 0x41DE6DB3
 i dwTimeout: 0x00000000 (0)
 i cReaders: 1
 i szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 i  dwCurrentState:  (0x00000000)
 i  dwEventState:  (0x00000000)
 i  Atr length: 0x00000000 (0)
 i  Atr: 
 o szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o  dwCurrentState:  (0x00000000)
 o  dwEventState: SCARD_STATE_CHANGED, SCARD_STATE_PRESENT (0x00000022)
 o  Atr length: 0x00000019 (25)
 o  Atr: 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000264]
SCardEstablishContext
 i dwScope: SCARD_SCOPE_USER (0x00000000)
 o hContext: 0x00EEA682
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.016467]
SCardGetStatusChange
 i hContext: 0x00EEA682
 i dwTimeout: 0x00000000 (0)
 i cReaders: 1
 i szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 i  dwCurrentState:  (0x00000000)
 i  dwEventState:  (0x00000000)
 i  Atr length: 0x00000000 (0)
 i  Atr: 
 o szReader: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o  dwCurrentState:  (0x00000000)
 o  dwEventState: SCARD_STATE_CHANGED, SCARD_STATE_PRESENT (0x00000022)
 o  Atr length: 0x00000019 (25)
 o  Atr: 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000256]
SCardConnect
 i hContext: 0x00EEA682
 i szReader Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 i dwShareMode: SCARD_SHARE_SHARED (0x00000002)
 i dwPreferredProtocols: 0x00000002 (T=1)
 i phCard 0x00000000 (0)
 i pdwActiveProtocol 0x00000000 (0)
 o phCard 0x4BFED9FD (1274993149)
 o dwActiveProtocol: T=1 (0x00000002)
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.154687]
SCardStatus
 i hCard: 0x4BFED9FD
 i pcchReaderLen 0x00000100 (256)
 i pcbAtrLen 0x00000024 (36)
 o cchReaderLen 0x0000005C (92)
 o mszReaderName Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o dwState 0x00000034 (52)
 o dwProtocol 0x00000002 (2)
 o bAtrLen 0x00000019 (25)
 o bAtr 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000405]
SCardStatus
 i hCard: 0x4BFED9FD
 i pcchReaderLen 0x00000100 (256)
 i pcbAtrLen 0x00000024 (36)
 o cchReaderLen 0x0000005C (92)
 o mszReaderName Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o dwState 0x00000034 (52)
 o dwProtocol 0x00000002 (2)
 o bAtrLen 0x00000019 (25)
 o bAtr 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000227]
SCardStatus
 i hCard: 0x4BFED9FD
 i pcchReaderLen 0x00000100 (256)
 i pcbAtrLen 0x00000024 (36)
 o cchReaderLen 0x0000005C (92)
 o mszReaderName Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
 o dwState 0x00000034 (52)
 o dwProtocol 0x00000002 (2)
 o bAtrLen 0x00000019 (25)
 o bAtr 3B FF 18 00 00 81 31 FE 55 00 6B 02 09 06 03 01 01 01 43 4E 53 10 31 80 67
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000223]
SCardBeginTransaction
 i hCard: 0x4BFED9FD
 => Command successful. (SCARD_S_SUCCESS [0x00000000])  [0.000066]
SCardTransmit
 i hCard: 0x4BFED9FD
 i pioSendPci.dwProtocol: 0x00000002
 i pioSendPci.cbPciLength: 0x00000010
 i bSendLength 0x00000011 (17)
 i bSendBuffer
 i  0000 00 A4 04 00 0C A0 00 00 00 95 01 00 4D 00 00 00 ............M...
 i  0010 01                                              .

Thread 1/1
Results sorted by total execution time
total time: 0.191690 sec
0.154687 sec (  1 calls) 80.70% SCardConnect
0.034192 sec (  2 calls) 17.84% SCardEstablishContext
0.000855 sec (  3 calls)  0.45% SCardStatus
0.000771 sec (  3 calls)  0.40% SCardGetStatusChange
0.000253 sec (  2 calls)  0.13% SCardListReaders
0.000066 sec (  1 calls)  0.03% SCardBeginTransaction

According to dmesg, the segfault happens in libpcscspy.so.0.0.0, and not in the bit4id lib.

@LudovicRousseau
Owner

Try to run pkcs11-tool --module /usr/lib/bit4id/libbit4xpki.so -O inside gdb to get a backtrace.

@amreo
Author

amreo commented Sep 26, 2023

gef➤  run
Starting program: /usr/bin/pkcs11-tool --module /usr/lib/bit4id/libbit4xpki.so -O
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Using slot 0 with a present token (0x0)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7122899 in SCardTransmit () from /usr/lib/libpcsclite.so.1

[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────── registers ────
$rax   : 0x0               
$rbx   : 0x007ffff7124069  →  0x586c3830257830 ("0x%08lX"?)
$rcx   : 0x8010000b        
$rdx   : 0x0               
$rsp   : 0x007fffffffc160  →  0x007fffffffc5b0  →  0x0000000000000002
$rbp   : 0x0               
$rsi   : 0x0               
$rdi   : 0x00555555593c10  →  0x0000000000000000
$rip   : 0x007ffff7122899  →  <SCardTransmit+201> mov rsi, QWORD PTR [rbp+0x0]
$r8    : 0x0               
$r9    : 0x0               
$r10   : 0x4000            
$r11   : 0x246             
$r12   : 0x007ffff7124250  →  0x0000000000000002
$r13   : 0x00555555adee98  →  0x0000a00c0004a400
$r14   : 0x11              
$r15   : 0x007fffffffc5b0  →  0x0000000000000002
$eflags: [zero carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00 
───────────────────────────────────────────────────────────────────── stack ────
0x007fffffffc160│+0x0000: 0x007fffffffc5b0  →  0x0000000000000002	 ← $rsp
0x007fffffffc168│+0x0008: 0x007ffff7122877  →  <SCardTransmit+167> sub rsp, 0x8
0x007fffffffc170│+0x0010: 0x007fffffffc250  →  0x007fffffff826a  →  0x0000000000000000
0x007fffffffc178│+0x0018: 0x000000007d4ab37d
0x007fffffffc180│+0x0020: 0x000000006512dba7
0x007fffffffc188│+0x0028: 0x0000000000058ca6
0x007fffffffc190│+0x0030: 0x0000000000000011
0x007fffffffc198│+0x0038: 0x9cf5a81076f38d00
─────────────────────────────────────────────────────────────── code:x86:64 ────
   0x7ffff712288b <SCardTransmit+187> mov    rdx, r13
   0x7ffff712288e <SCardTransmit+190> mov    rdi, QWORD PTR [rsp+0x18]
   0x7ffff7122893 <SCardTransmit+195> call   QWORD PTR [rip+0x37df]        # 0x7ffff7126078
 → 0x7ffff7122899 <SCardTransmit+201> mov    rsi, QWORD PTR [rbp+0x0]
   0x7ffff712289d <SCardTransmit+205> mov    rdi, rbx
   0x7ffff71228a0 <SCardTransmit+208> mov    r12, rax
   0x7ffff71228a3 <SCardTransmit+211> pop    rax
   0x7ffff71228a4 <SCardTransmit+212> xor    eax, eax
   0x7ffff71228a6 <SCardTransmit+214> pop    rdx
─────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "pkcs11-tool", stopped 0x7ffff7122899 in SCardTransmit (), reason: SIGSEGV
───────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff7122899 → SCardTransmit()
[#1] 0x7ffff6e32342 → mov r12, rax
[#2] 0x7ffff6e529c5 → cdqe 
[#3] 0x7ffff6e5c613 → test rax, rax
[#4] 0x7ffff6e52e90 → jmp 0x7ffff6e52e0c
[#5] 0x7ffff6e525d7 → mov rax, QWORD PTR [rsp+0x20]
[#6] 0x7ffff6e52702 → test eax, eax
[#7] 0x7ffff6e4eda2 → mov rbx, QWORD PTR [rsp+0x10]
[#8] 0x7ffff6e47f68 → xor esi, esi
[#9] 0x7ffff6e529c5 → cdqe 
────────────────────────────────────────────────────────────────────────────────
gef➤  backtrace
#0  0x00007ffff7122899 in SCardTransmit () at /usr/lib/libpcsclite.so.1
#1  0x00007ffff6e32342 in  () at /usr/lib/bit4id/libbit4xpki.so
#2  0x00007ffff6e529c5 in  () at /usr/lib/bit4id/libbit4xpki.so
#3  0x00007ffff6e5c613 in  () at /usr/lib/bit4id/libbit4xpki.so
#4  0x00007ffff6e52e90 in  () at /usr/lib/bit4id/libbit4xpki.so
#5  0x00007ffff6e525d7 in  () at /usr/lib/bit4id/libbit4xpki.so
#6  0x00007ffff6e52702 in  () at /usr/lib/bit4id/libbit4xpki.so
#7  0x00007ffff6e4eda2 in  () at /usr/lib/bit4id/libbit4xpki.so
#8  0x00007ffff6e47f68 in  () at /usr/lib/bit4id/libbit4xpki.so
#9  0x00007ffff6e529c5 in  () at /usr/lib/bit4id/libbit4xpki.so
#10 0x00007ffff6e5c613 in  () at /usr/lib/bit4id/libbit4xpki.so
#11 0x00007ffff6e52e90 in  () at /usr/lib/bit4id/libbit4xpki.so
#12 0x00007ffff6e5ac74 in  () at /usr/lib/bit4id/libbit4xpki.so
#13 0x00007ffff6e5af5e in  () at /usr/lib/bit4id/libbit4xpki.so
#14 0x00007ffff6e5cc28 in  () at /usr/lib/bit4id/libbit4xpki.so
#15 0x00007ffff6e52e90 in  () at /usr/lib/bit4id/libbit4xpki.so
#16 0x00007ffff6e525d7 in  () at /usr/lib/bit4id/libbit4xpki.so
#17 0x00007ffff6e52702 in  () at /usr/lib/bit4id/libbit4xpki.so
#18 0x00007ffff6e4eda2 in  () at /usr/lib/bit4id/libbit4xpki.so
#19 0x00007ffff6e47f68 in  () at /usr/lib/bit4id/libbit4xpki.so
#20 0x00007ffff6e529c5 in  () at /usr/lib/bit4id/libbit4xpki.so
#21 0x00007ffff6e5c613 in  () at /usr/lib/bit4id/libbit4xpki.so
#22 0x00007ffff6e52e90 in  () at /usr/lib/bit4id/libbit4xpki.so
#23 0x00007ffff6e525d7 in  () at /usr/lib/bit4id/libbit4xpki.so
#24 0x00007ffff6e52702 in  () at /usr/lib/bit4id/libbit4xpki.so
#25 0x00007ffff6e4eda2 in  () at /usr/lib/bit4id/libbit4xpki.so
#26 0x00007ffff6e1270f in  () at /usr/lib/bit4id/libbit4xpki.so
#27 0x00007ffff6e15c07 in IC_OpenSession () at /usr/lib/bit4id/libbit4xpki.so
#28 0x000055555555bbd3 in  ()
#29 0x00007ffff763acd0 in  () at /usr/lib/libc.so.6
#30 0x00007ffff763ad8a in __libc_start_main () at /usr/lib/libc.so.6
#31 0x000055555555e225 in  ()
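Added example, not pcsc-lite's own libpcscspy code: a minimal interposing "spy" wrapper around SCardTransmit, with local stand-in types and a mock "real" function so it builds offline. It shows the pattern the register dump above points at (a load through a zero base register right after the call-through, which is what logging a NULL optional pointer after the wrapped call looks like) and the guard that removes it; which argument was NULL in this report is not stated on the page, so using pioRecvPci (which the PC/SC API allows to be NULL) is an assumption.

```c
/* Added example, not pcsc-lite's own libpcscspy code: a minimal interposing "spy"
 * wrapper around SCardTransmit showing why logging an optional out-parameter after
 * the wrapped call is a crash hazard. Types and the "real" function are stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { unsigned long dwProtocol; unsigned long cbPciLength; } spy_io_request;
/* Stand-in for the real SCardTransmit a spy library resolves with dlsym(): answers
 * 90 00 and, like the PC/SC API, fills pioRecvPci only if the caller passed one. */
static unsigned long real_SCardTransmit(unsigned long hCard, const spy_io_request *send_pci,
        const uint8_t *send_buf, unsigned long send_len, spy_io_request *recv_pci,
        uint8_t *recv_buf, unsigned long *recv_len)
{
    (void)hCard; (void)send_buf; (void)send_len;
    if (*recv_len < 2) return 0x80100008UL; /* SCARD_E_INSUFFICIENT_BUFFER */
    recv_buf[0] = 0x90; recv_buf[1] = 0x00; *recv_len = 2;
    if (recv_pci) *recv_pci = *send_pci;
    return 0; /* SCARD_S_SUCCESS */
}
/* Spy wrapper: log inputs, call through, log outputs. The post-call log is where a
 * NULL optional pointer bites (the report's crash is a load through a zero base
 * register right after the call-through). Which argument was NULL is an assumption. */
static unsigned long spy_SCardTransmit(unsigned long hCard, const spy_io_request *send_pci,
        const uint8_t *send_buf, unsigned long send_len, spy_io_request *recv_pci,
        uint8_t *recv_buf, unsigned long *recv_len)
{
    printf("SCardTransmit\n i hCard: 0x%08lX\n i pioSendPci.dwProtocol: 0x%08lX\n"
           " i bSendLength %lu\n", hCard, send_pci->dwProtocol, send_len);
    unsigned long rv = real_SCardTransmit(hCard, send_pci, send_buf, send_len,
                                          recv_pci, recv_buf, recv_len);
    if (recv_pci) /* without this guard: NULL dereference, SIGSEGV */
        printf(" o pioRecvPci.dwProtocol: 0x%08lX\n", recv_pci->dwProtocol);
    printf(" o bRecvLength %lu\n => 0x%08lX\n", *recv_len, rv);
    return rv;
}
/* Drive the wrapper as the report's trace does: the 17-byte SELECT-by-AID APDU copied
 * from the pcsc-spy dump, T=1, with or without a receive PCI. Returns SW or -1. */
int transmit_select_aid(int with_recv_pci)
{
    static const uint8_t apdu[17] = { 0x00, 0xA4, 0x04, 0x00, 0x0C, 0xA0, 0x00, 0x00,
                                      0x00, 0x95, 0x01, 0x00, 0x4D, 0x00, 0x00, 0x00, 0x01 };
    spy_io_request send_pci = { 2 /* T=1 */, sizeof send_pci }, recv_pci = { 0, 0 };
    uint8_t resp[258]; unsigned long resp_len = sizeof resp;
    unsigned long rv = spy_SCardTransmit(0x4BFED9FDUL, &send_pci, apdu, sizeof apdu,
                                         with_recv_pci ? &recv_pci : NULL, resp, &resp_len);
    if (rv != 0 || resp_len < 2) return -1;
    return (resp[0] << 8) | resp[1];
}
```

Both calls complete with status word 90 00; removing the `if (recv_pci)` guard turns the NULL case into the SIGSEGV seen in the report's backtrace.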

@LudovicRousseau
Owner

Apply patch 52670e5 and try again.

@amreo
Author

amreo commented Sep 26, 2023

Thank you. It fixes the bug.
