Resolves: RHEL-42492, SAST

Than Ngo 2024-06-18 13:24:52 +02:00
parent d1348bb71c
commit 2686b4a4a4
3 changed files with 138 additions and 1 deletions


@ -0,0 +1,59 @@
commit f40e5b09ebcab4986dd3b1d52f0d8fd39aa5e3ca
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Thu Jun 13 11:20:43 2024 +0200
COMMON: Fix errors reported by covscan
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/common/loadsave.c b/usr/lib/common/loadsave.c
index b7e1f78e..fc88cbad 100644
--- a/usr/lib/common/loadsave.c
+++ b/usr/lib/common/loadsave.c
@@ -2848,6 +2848,14 @@ CK_RV load_public_token_objects(STDLL_TokData_t *tokdata)
continue;
}
+ /* size can not be negative if treated as signed int */
+ if (size >= 0x80000000) {
+ fclose(fp2);
+ OCK_SYSLOG(LOG_ERR, "Size is invalid in header of token object %s "
+ "(ignoring it)\n", fname);
+ continue;
+ }
+
buf = (CK_BYTE *) malloc(size);
if (!buf) {
fclose(fp2);
diff --git a/usr/lib/common/mech_rng.c b/usr/lib/common/mech_rng.c
index 71402700..4bc19814 100644
--- a/usr/lib/common/mech_rng.c
+++ b/usr/lib/common/mech_rng.c
@@ -45,6 +45,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
if (ranfd >= 0) {
do {
rlen = read(ranfd, output + totallen, bytes - totallen);
+ if (rlen <= 0) {
+ close(ranfd);
+ return CKR_FUNCTION_FAILED;
+ }
totallen += rlen;
} while (totallen < bytes);
close(ranfd);
diff --git a/usr/lib/common/pkcs_utils.c b/usr/lib/common/pkcs_utils.c
index 04edc76f..7421d1c5 100644
--- a/usr/lib/common/pkcs_utils.c
+++ b/usr/lib/common/pkcs_utils.c
@@ -185,6 +185,10 @@ CK_RV local_rng(CK_BYTE *output, CK_ULONG bytes)
if (ranfd >= 0) {
do {
rlen = read(ranfd, output + totallen, bytes - totallen);
+ if (rlen <= 0) {
+ close(ranfd);
+ return CKR_FUNCTION_FAILED;
+ }
totallen += rlen;
} while (totallen < bytes);
close(ranfd);
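Review bot: In both copies of local_rng (usr/lib/common/mech_rng.c and usr/lib/common/pkcs_utils.c) the added `if (rlen <= 0)` branch treats a read() interrupted by a signal the same as a hard failure of the random source, so a transient EINTR reaches the caller as CKR_FUNCTION_FAILED. Failing closed is the right default for an RNG, but a retry placed before the failure branch, `if (rlen < 0 && errno == EINTR) continue;`, would keep an interruptible read from aborting the request; it needs <errno.h>, which the hunk does not show. The declaration of rlen is also outside the hunk, and the `<= 0` test only catches -1 if rlen is a signed type, so that is worth confirming. local_rng's body starts and ends outside both hunks.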


@ -0,0 +1,73 @@
commit d2d0e451aa62f91b5e935d8a6c08285fcb44fd02
Author: Ingo Franzki <ifranzki@linux.ibm.com>
Date: Mon Jun 17 09:03:36 2024 +0200
ICSF: Fix covscan findings on potential integer overflows
Fix covscan warnings on cases like 'if (a - b > 0)' where both 'a' and 'b'
are unsigned types. In case 'b' is larger than 'a', then the subtraction
result may overflow because the result is also treated as unsigned type.
Fix this by using 'if (a > b)' instead.
Note that in the changed places 'a' is always larger or equal than 'b',
so the overflow does not happen. Still, changing the code to be less
error-prone is a good thing.
Closes: https://github.com/opencryptoki/opencryptoki/issues/782
Suggested-by: Than Ngo <than@redhat.com>
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
diff --git a/usr/lib/icsf_stdll/icsf.c b/usr/lib/icsf_stdll/icsf.c
index c3479cf8..1deb129c 100644
--- a/usr/lib/icsf_stdll/icsf.c
+++ b/usr/lib/icsf_stdll/icsf.c
@@ -148,7 +148,7 @@ static void strpad(char *dest, const char *orig, size_t len, int padding_char)
str_len = len;
memcpy(dest, orig, str_len);
- if ((len - str_len) > 0)
+ if (len > str_len)
memset(dest + str_len, ' ', len - str_len);
}
diff --git a/usr/lib/icsf_stdll/icsf_specific.c b/usr/lib/icsf_stdll/icsf_specific.c
index c617f1e6..6f16ca5e 100644
--- a/usr/lib/icsf_stdll/icsf_specific.c
+++ b/usr/lib/icsf_stdll/icsf_specific.c
@@ -2766,7 +2766,7 @@ CK_RV icsftok_encrypt_update(STDLL_TokData_t * tokdata,
goto done;
}
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
- if (input_part_len - remaining > 0)
+ if (input_part_len > remaining)
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
input_part_len - remaining);
@@ -3309,7 +3309,7 @@ CK_RV icsftok_decrypt_update(STDLL_TokData_t * tokdata,
goto done;
}
memcpy(buffer, multi_part_ctx->data, multi_part_ctx->used_data_len);
- if (input_part_len - remaining > 0)
+ if (input_part_len > remaining)
memcpy(buffer + multi_part_ctx->used_data_len, input_part,
input_part_len - remaining);
@@ -4420,7 +4420,7 @@ CK_RV icsftok_sign_update(STDLL_TokData_t * tokdata,
}
memcpy(buffer, multi_part_ctx->data,
multi_part_ctx->used_data_len);
- if (out_len - multi_part_ctx->used_data_len > 0)
+ if (out_len > multi_part_ctx->used_data_len)
memcpy(buffer + multi_part_ctx->used_data_len,
(char *)in_data,
out_len - multi_part_ctx->used_data_len);
@@ -5020,7 +5020,7 @@ CK_RV icsftok_verify_update(STDLL_TokData_t * tokdata,
}
memcpy(buffer, multi_part_ctx->data,
multi_part_ctx->used_data_len);
- if (out_len - multi_part_ctx->used_data_len > 0)
+ if (out_len > multi_part_ctx->used_data_len)
memcpy(buffer + multi_part_ctx->used_data_len,
(char *)in_data,
out_len - multi_part_ctx->used_data_len);
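Review bot: strpad() takes a `padding_char` parameter, yet the memset under the rewritten `if (len > str_len)` guard in usr/lib/icsf_stdll/icsf.c always pads with a literal `' '`. Unless the parameter is consumed earlier in the body, which starts outside the hunk, a caller passing a different padding character still gets space padding; `memset(dest + str_len, padding_char, len - str_len);` would honour the argument. If space padding is the intended contract for these fixed-width fields, the parameter should be dropped or documented as unused so the signature does not promise something the body ignores.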


@ -1,7 +1,7 @@
Name: opencryptoki
Summary: Implementation of the PKCS#11 (Cryptoki) specification v3.0
Version: 3.23.0
Release: 3%{?dist}
Release: 4%{?dist}
License: CPL-1.0
URL: https://github.com/opencryptoki/opencryptoki
Source0: https://github.com/opencryptoki/%{name}/archive/v%{version}/%{name}-%{version}.tar.gz
@ -21,6 +21,8 @@ Patch105: opencryptoki-3.23-SEC2356-backport-06.patch
Patch106: opencryptoki-3.23-SEC2356-backport-07.patch
Patch107: opencryptoki-3.23-SEC2356-backport-08.patch
Patch108: opencryptoki-3.23-SEC2356-backport-09.patch
Patch109: opencryptoki-3.23-covcan-part1.patch
Patch110: opencryptoki-3.23-covcan-part2.patch
Requires(pre): coreutils
Requires: (selinux-policy >= 34.9-1 if selinux-policy-targeted)
@ -358,6 +360,9 @@ fi
%changelog
* Tue Jun 18 2024 Than Ngo <than@redhat.com> - 3.23.0-4
- Resolves: RHEL-42492, SAST
* Wed May 22 2024 Than Ngo <than@redhat.com> - 3.23.0-3
- Related: RHEL-24038, backport - ep11 token: support protected keys for extractable keys