SIGSEGV in sc_pin_cmd()

[philipWendland]

Hello,

recently introduced, a segmentation fault in OpenSC when using PKCS#11 applications (in particular OpenSSL, others not tested).

OpenSSL> dgst -engine pkcs11 -sign slot_1-id_0 -keyform engine -sha1
-out signature.bin signMe.txt
engine "pkcs11" set.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6379685 in sc_pin_cmd (card=0x6972766544202620,
    data=0x7fffffffba00, tries_left=0x0) at sec.c:157
157     SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
(gdb) backtrace
#0  0x00007ffff6379685 in sc_pin_cmd (card=0x6972766544202620,
    data=0x7fffffffba00, tries_left=0x0) at sec.c:157
#1  0x00007ffff6762628 in C_GetTokenInfo (slotID=1, pInfo=0x7fffffffdd00)
    at framework-pkcs15.c:501
#2  0x00007ffff6b92093 in ?? () from /usr/lib/libp11.so.2
#3  0x00007ffff6b92acc in PKCS11_enumerate_slots () from
/usr/lib/libp11.so.2
#4  0x00007ffff6d986c3 in ?? () from /usr/lib/engines/engine_pkcs11.so
#5  0x00007ffff6d99c84 in ?? () from /usr/lib/engines/engine_pkcs11.so
#6  0x00007ffff78502ad in ENGINE_load_private_key ()
   from /usr/lib/libcrypto.so.1.0.0
#7  0x0000000000449ea9 in ?? ()
#8  0x000000000041f641 in ?? ()
#9  0x0000000000418f68 in ?? ()
#10 0x0000000000418c5c in ?? ()
#11 0x00007ffff73d6040 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x0000000000418d11 in ?? ()

I could trace it back to changes to the file pkcs11/slot.c in commit 3a92bf7. The free-ing of "p11card" causes the issue. But to me it is not exactly clear why. Removing the free(p11card) again solves the issue. Maybe someone with more insight can have a look at it.

[dengert]

The free_p11card is there because line 223: p11card = slot->card;
to use an existing structure. Only if the card_detect() allocates the p11card, is it freed.

But that does not explain what is going on. The code path that fails maybe caused by how libp11
is calling OpenSC.

Or one of the routines called in card_detect save the pointer to the p11card in a slot or reader structure.

I assume you compiled and installed OpenSC, then compiled and installed libp11, then compiled
and installed engine_pkcs11. And when executing the OpenSSL, either had all the above installed in to
standard locations, or had LD_LIBRARY_PATH set in env to point the libs for the above.

An OpenSC debug log would be helpful...

On 2/6/2015 12:53 PM, philipWendland wrote:

Hello,

recently introduced, a segmentation fault in OpenSC when using PKCS#11 applications (in particular OpenSSL, others not tested).

|OpenSSL> dgst -engine pkcs11 -sign slot_1-id_0 -keyform engine -sha1
-out signature.bin signMe.txt
engine "pkcs11" set.

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff6379685 in sc_pin_cmd (card=0x6972766544202620,
data=0x7fffffffba00, tries_left=0x0) at sec.c:157
157 SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
(gdb) backtrace
#0 0x00007ffff6379685 in sc_pin_cmd (card=0x6972766544202620,
data=0x7fffffffba00, tries_left=0x0) at sec.c:157
#1 0x00007ffff6762628 in C_GetTokenInfo (slotID=1, pInfo=0x7fffffffdd00)
at framework-pkcs15.c:501
#2 0x00007ffff6b92093 in ?? () from /usr/lib/libp11.so.2
#3 0x00007ffff6b92acc in PKCS11_enumerate_slots () from
/usr/lib/libp11.so.2
#4 0x00007ffff6d986c3 in ?? () from /usr/lib/engines/engine_pkcs11.so
#5 0x00007ffff6d99c84 in ?? () from /usr/lib/engines/engine_pkcs11.so
#6 0x00007ffff78502ad in ENGINE_load_private_key ()
from /usr/lib/libcrypto.so.1.0.0
#7 0x0000000000449ea9 in ?? ()
#8 0x000000000041f641 in ?? ()
#9 0x0000000000418f68 in ?? ()
#10 0x0000000000418c5c in ?? ()
#11 0x00007ffff73d6040 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x0000000000418d11 in ?? ()
|

I could trace it back to changes to the file pkcs11/slot.c in commit 3a92bf7 3a92bf7. The free-ing of "p11card" causes the
issue. But to me it is not exactly clear why. Removing the free(p11card) again solves the issue. Maybe someone with more insight can have a look at it.

—
Reply to this email directly or view it on GitHub #373.

Douglas E. Engert [email protected]

[philipWendland]

I have spend some more time in gdb - the problem is sc_pin_cmd() that is being called with a dangling pointer:

Breakpoint 1, sc_pin_cmd (card=0x6972766544202620, data=0x7fffffffba00, 
    tries_left=0x0) at sec.c:156
156     assert(card != NULL);
(gdb) p *card
Cannot access memory at address 0x6972766544202620

C_GetTokenInfo() calls slot_get_token() and passes slot->card->card, a invalid pointer, to sc_pin_cmd().

Let's continue with slot_get_token() - it calls slot_get_slot(), which in return uses a "virtual_slots" list, a global variable in pkcs11-global.c. I think this is where the p11card is supposed to be referenced.

Thus, it might be that p11card is not free'd and 3a92bf7 from a few days ago should be partially reverted. Maybe this was a false positive memory leak from coverity.

slot_get_slot (id=1, slot=0x7fffffffdcc8) at slot.c:368
368     if (context == NULL)
(gdb) n
371     *slot = list_seek(&virtual_slots, &id); /* FIXME: check for null? */
(gdb) n
372     if (!*slot)
(gdb) p *slot->card
$2 = {reader = 0x656b636573656947, card = 0x6972766544202620, 
  framework = 0x48626d4720746e65, fws_data = {0x6769537261745320, 
    0x6f7470797243206e, 0x6b6f542042535520, 0x3331305128206e65}, 
  mechanisms = 0x3030303033303430, nmechanisms = 0}

Remember the address from "card".

501         r = sc_pin_cmd(slot->card->card, &data, NULL);
(gdb) p *slot->card
$4 = {reader = 0x656b636573656947, card = 0x6972766544202620, 
  framework = 0x48626d4720746e65, fws_data = {0x6769537261745320, 
    0x6f7470797243206e, 0x6b6f542042535520, 0x3331305128206e65}, 
  mechanisms = 0x3030303033303430, nmechanisms = 0}
(gdb) s

Breakpoint 1, sc_pin_cmd (card=0x6972766544202620, data=0x7fffffffba00, 
    tries_left=0x0) at sec.c:156
156     assert(card != NULL);
(gdb) n
157     SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
(gdb) 

Program received signal SIGSEGV, Segmentation fault.

I need to observe the "allocation side" tomorrow and try to find out how the pointer finds it way to virtual_slots. Will also post OpenSC logs. Sorry that I have not done so already, need to get AFK ASAP.

P.S. this is not limited to engine_pkcs11 or libp11:

[philip@philip-pc ~]$ gdb pkcs11-tool
GNU gdb (GDB) 7.8.2
(...)
(gdb) run -M --module /usr/local/lib/opensc-pkcs11.so
Starting program: /usr/local/bin/pkcs11-tool -M --module /usr/local/lib/opensc-pkcs11.so
warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Using slot 1 with a present token (0x1)
Supported mechanisms:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff69d0acc in slot_token_removed (id=1) at slot.c:427
427             slot->card->framework != NULL && slot->card->framework->release_token != NULL)
(gdb) backtrace
#0  0x00007ffff69d0acc in slot_token_removed (id=1) at slot.c:427
#1  0x00007ffff69cfb01 in card_removed (reader=0x634090) at slot.c:156
#2  0x00007ffff69ca250 in C_Finalize (pReserved=0x0) at pkcs11-global.c:298
#3  0x0000000000403ffe in main (argc=4, argv=0x7fffffffe838)
    at pkcs11-tool.c:874

This SIGSEGV does also not appear when not free'ing p11card.

[viktorTarasov]

@philipWendland thanks for analyse, I will revert or partially revert some of the recent commits

[philipWendland]

232         p11card = (struct sc_pkcs11_card *)calloc(1, sizeof(struct sc_pkcs11_card));
(gdb) 
233         if (!p11card)
(gdb) p p11card
$4 = (struct sc_pkcs11_card *) 0x6c2100
(gdb) awatch *0x6c2100
Hardware access (read/write) watchpoint 4: *0x6c2100

(...)

(gdb) c
Continuing.
Hardware read watchpoint 3: *0x6c2100

Value = 7080320
Hardware access (read/write) watchpoint 4: *0x6c2100

Value = 7080320
0x00007ffff675d6e9 in slot_allocate (slot=0x7fffffffda10, card=0x6c2100) at slot.c:354
354         if (tmp_slot->reader == card->reader && tmp_slot->card == NULL)
(gdb) backtrace
#0  0x00007ffff675d6e9 in slot_allocate (slot=0x7fffffffda10, card=0x6c2100) at slot.c:354
#1  0x00007ffff6763b57 in pkcs15_create_slot (p11card=0x6c2100, fw_data=0x6c2c10, auth=0x6c6d90, app_info=0x6c2ae0, out=0x7fffffffdc58) at framework-pkcs15.c:1000
#2  0x00007ffff6764c08 in pkcs15_create_tokens (p11card=0x6c2100, app_info=0x6c2ae0, first_slot=0x7fffffffdcd8) at framework-pkcs15.c:1306
#3  0x00007ffff675d4cf in card_detect (reader=0x6c0980) at slot.c:312       #### frameworks[i]->create_tokens(p11card, ...
#4  0x00007ffff675c9f8 in initialize_reader (reader=0x6c0980) at slot.c:134
#5  0x00007ffff675d627 in card_detect_all () at slot.c:338
#6  0x00007ffff6757549 in C_GetSlotList (tokenPresent=0 '\000', pSlotList=0x0, pulCount=0x7fffffffde48) at pkcs11-global.c:390
#7  0x00007ffff6b92998 in PKCS11_enumerate_slots () from /usr/lib/libp11.so.2
#8  0x00007ffff6d986c3 in ?? () from /usr/lib/engines/engine_pkcs11.so
#9  0x00007ffff6d99c84 in ?? () from /usr/lib/engines/engine_pkcs11.so
#10 0x00007ffff78502ad in ENGINE_load_private_key () from /usr/lib/libcrypto.so.1.0.0
#11 0x0000000000449ea9 in ?? ()
#12 0x000000000041f641 in ?? ()
#13 0x0000000000418f68 in ?? ()
#14 0x0000000000418c5c in ?? ()
#15 0x00007ffff73d6040 in __libc_start_main () from /usr/lib/libc.so.6
#16 0x0000000000418d11 in ?? ()

I think this is it:

slot.c
360 tmp_slot->card = card;
Creates a reference to the p11card allocated (and free'd...) earlier.

[viktorTarasov]

3a92bf7 is partially reverted in 08eb700

[philipWendland]

Thanks, the issue is solved with 08eb700.