-
Notifications
You must be signed in to change notification settings - Fork 713
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
framework-pkcs15: Fix use after free issue #2558
Conversation
Can you clarify what variable was used after free in your case. I am afraid this way you will leak some memory. |
I entercountered a strange bug when using Here is the backtrace:
And the logic of determining whether the secret key object can be destroy in a RO session is to check if property By the way, I also noticed that the value of Reference: |
can you try to run your code with opensc under valgrind to see if there are some invalid memory access? Do you use latest upstream or v0.22.0? Do you have a backtrace from the use-after free crash? I still do not understand what is going on there and how the proposed patch is solving that. |
Here is valgrind result:
I'm using OpenSC master branch. |
Thank you. I went through the code and through the #1393 and it still looks like there is some problem with memory management. I think the But your change skips the But let me check with @hhonkanen if it makes sense, as he is the author of this code. |
Looked at the code and history. Let's see two possible cases:
Would it work better like this:
We might not need the temp_object flag at all though. I may have added it because of thinking that we should free key_obj also on rv == CKR_OK or it would leak, not understanding that it must remain in memory as part of key_any_obj. // Edit Jakuje: Added formatting of the code block to improve readability. |
Thanks for your clarification. Since I am not familiar to the code base, I have a question, should we free the key_obj created by pkcs15init if rv is not CKR_OK? |
Thank you for having a look into this. I came to similar conclusion as @hhonkanen . I think the |
@MkfsSion I looked at sc_pkcs15init_store_secret_key. If an error occurs there, it does cleanup there. If it returns rv other than CKR_OK, it frees the object if it was already created, and key_obj is NULL when it returns. Please feel free to make the changes and commit. I don't currently have an OpenSC development environment ready to work with, so I'm happy if you can do it. |
* Newly created pkcs15 secret key object is freed upon success, * which maybe used if user calls other PKCS11 functions * (like C_DestroyObject) and causes use after free issue. Co-authored-by: Hannu Honkanen <[email protected]> Signed-off-by: MkfsSion <[email protected]>
Thank you for the contribution, investigation and patience with review! |
Newly created pkcs15 secret key object is freed upon success, which maybe used if user calls other PKCS11 functions (like C_DestroyObject) and causes use after free issue.
Signed-off-by: MkfsSion [email protected]
Card:
Checklist