Since revision 1016, I believe the function hsm_get_slot_id, contained
in libhsm.c, can lead to memory corruption and potentially to undefined
behavior because of an unchecked malloc call and trust in the slotCount
value returned by C_GetSlotList.
slotCount is defined as a CK_ULONG.
CK_ULONG is a typedef for "unsigned long int".
slotCount's maximum value is therefore (2^X) - 1, where X is the maximum
register size.
Meanwhile, CK_SLOT_ID is a typedef/define for an "unsigned long", and
sizeof(CK_SLOT_ID) is therefore 4 on x86 systems or 8 on x64 systems.
When they are multiplied together, the result may exceed SIZE_MAX and an
integer overflow may happen.
This potentially overflowed integer is used as an argument to malloc,
which may allocate less memory than expected, because of the integer
overflow. For instance, on x86 systems, if slotCount equals 1073741825,
then malloc will allocate only 4 bytes of memory on the heap.
The allocated memory is then used in a C_GetSlotList call, which may
allow memory corruption and a heap buffer overflow.
This vulnerability could be exploited by an attacker providing a
misbehaving PKCS#11 API, a misbehaving HSM or an attacker exploiting a
vulnerability in the communication channel between the PKCS#11 API and
the HSM (e.g. a network HSM).
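As an added illustration (example code written for this note, not code from OpenDNSSEC or from the reporter), the C program below reproduces the wrap described above with explicit 32-bit arithmetic, so it is visible on a 64-bit host too, and shows the overflow-checked size computation a fix needs. The CK_ULONG and CK_SLOT_ID typedefs are local stand-ins for the pkcs11.h ones, and alloc_slot_ids and clamp_slot_count are hypothetical helpers, not functions that exist in libhsm.c.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Local stand-ins for the PKCS#11 typedefs named in the report
 * (assumption: "unsigned long", as pkcs11.h defines them on ILP32/LP64). */
typedef unsigned long CK_ULONG;
typedef unsigned long CK_SLOT_ID;

/* Reproduce the report's x86 case with explicit 32-bit arithmetic.
 * Unsigned multiplication wraps modulo 2^32, so 4 * 1073741825 == 4:
 * that is the byte count the report says malloc would receive. */
static uint32_t wrapped_size32(uint32_t elem_size, uint32_t count)
{
    return elem_size * count;
}

/* Overflow-checked size computation: returns 1 and stores elem_size*count
 * in *out, or returns 0 if the product would not fit in a size_t. */
static int checked_mul_size(size_t elem_size, size_t count, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return 0;
    *out = elem_size * count;
    return 1;
}

/* Hypothetical hardened replacement for the slotIds allocation (example
 * code, not OpenDNSSEC's): refuses a slotCount whose byte count would wrap
 * and returns NULL on malloc failure instead of handing a NULL buffer to
 * C_GetSlotList.  Returns NULL on overflow, zero count or allocation failure. */
static CK_SLOT_ID *alloc_slot_ids(CK_ULONG slotCount)
{
    size_t bytes;

    if (slotCount == 0)
        return NULL;
    if (!checked_mul_size(sizeof(CK_SLOT_ID), (size_t)slotCount, &bytes))
        return NULL;            /* would wrap: never allocate a shrunken buffer */
    return (CK_SLOT_ID *)malloc(bytes);
}

/* Extra defensive check (hypothetical): the second C_GetSlotList call
 * rewrites *slotCount, and a misbehaving module could report more slots
 * than the buffer holds.  Clamp before iterating over slotIds. */
static CK_ULONG clamp_slot_count(CK_ULONG reported, CK_ULONG capacity)
{
    return reported > capacity ? capacity : reported;
}

int main(void)
{
    size_t bytes;
    CK_SLOT_ID *ids;

    printf("wrapped 32-bit size for 1073741825 slots: %u bytes\n",
           (unsigned)wrapped_size32(4, 1073741825u));
    printf("checked multiply for SIZE_MAX slots: %s\n",
           checked_mul_size(sizeof(CK_SLOT_ID), SIZE_MAX, &bytes)
               ? "ok" : "overflow");

    ids = alloc_slot_ids(3);
    printf("3 slots: %s\n", ids ? "allocated" : "NULL");
    printf("clamped count when module reports 10 for 3 slots: %lu\n",
           clamp_slot_count(10, 3));
    free(ids);
    return 0;
}
```

Build with `cc -std=c99 -Wall slot_overflow.c`. On glibc, `calloc(slotCount, sizeof(CK_SLOT_ID))` performs the same product check internally and returns NULL on overflow, which is a shorter fix than an explicit division as long as the NULL return is still checked.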
I believe the following patch fixes the vulnerability.
Index: libhsm.c
===================================================================
— libhsm.c (revision 7530)
+++ libhsm.c (working copy)
@@ -440,9 +440,18 @@
hsm_ctx_set_error(ctx, HSM_ERROR, "hsm_get_slot_id()",
"No slots found in HSM");
return HSM_ERROR;
+ } else if (SIZE_MAX / sizeof(CK_SLOT_ID) < slotCount)
slotIds = malloc(sizeof(CK_SLOT_ID) * slotCount);
+ if(NULL == slotIds)
rv = pkcs11_functions->C_GetSlotList(CK_TRUE, slotIds, &slotCount);
if (hsm_pkcs11_check_error(ctx, rv, "get slot list")) {
return HSM_ERROR;
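Review bot: as displayed, both added conditions are dangling. The `} else if (SIZE_MAX / sizeof(CK_SLOT_ID) < slotCount)` sits directly above `slotIds = malloc(sizeof(CK_SLOT_ID) * slotCount);`, which makes the malloc the body of the overflow branch (so the allocation only happens when the product would wrap), and `if(NULL == slotIds)` sits directly above `rv = pkcs11_functions->C_GetSlotList(CK_TRUE, slotIds, &slotCount);`, which makes the C_GetSlotList call conditional on malloc having failed. Both are the reverse of the intent. The header `@@ -440,9 +440,18 @@` promises nine added lines but only two `+` lines are visible, so the error-returning bodies appear to have been lost in transit; each condition needs an `hsm_ctx_set_error(...)` plus `return HSM_ERROR;` block like the "No slots found in HSM" branch immediately above, with the malloc and the C_GetSlotList call left unconditional after them. Please resend the complete hunk.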
Clones: OPENDNSSEC-533 Possible memory corruption in hsm_get_slot_id (Closed)