From 06e64a0086ebf882f1446a28509c2217892d44ad Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Wed, 15 Aug 2018 14:15:08 +0200
Subject: [PATCH] Fix invalid memory access on proxy cleanup
---
 p11-kit-proxy-cleanup.patch | 77 +++++++++++++++++++++++++++++++++++++
 p11-kit.spec | 6 ++-
 2 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 p11-kit-proxy-cleanup.patch
diff --git a/p11-kit-proxy-cleanup.patch b/p11-kit-proxy-cleanup.patch
new file mode 100644
index 0000000..b911e62
--- /dev/null
+++ b/p11-kit-proxy-cleanup.patch
@@ -0,0 +1,77 @@
+From 3e68b0054b82eda93b073cc7ad5d20d2158a694c Mon Sep 17 00:00:00 2001
+From: Daiki Ueno
+Date: Mon, 13 Aug 2018 15:23:03 +0200
+Subject: [PATCH] proxy: Avoid invalid memory access when unloading proxy
+ module
+
+When loading and unloading p11-kit-proxy.so with pkcs11-tool, it
+accesses already free'd memory area:
+
+$ valgrind pkcs11-tool --module p11-kit-proxy.so -L
+==25173== Invalid read of size 8
+==25173== at 0x64BF493: p11_proxy_module_cleanup (proxy.c:1724)
+==25173== by 0x64BD028: _p11_kit_fini (proxy-init.c:65)
+==25173== by 0x401477C: _dl_close_worker (in /usr/lib64/ld-2.27.so)
+==25173== by 0x4014E1D: _dl_close (in /usr/lib64/ld-2.27.so)
+==25173== by 0x5E08C4E: _dl_catch_exception (in /usr/lib64/libc-2.27.so)
+==25173== by 0x5E08CDE: _dl_catch_error (in /usr/lib64/libc-2.27.so)
+==25173== by 0x58B1724: _dlerror_run (in /usr/lib64/libdl-2.27.so)
+==25173== by 0x58B1113: dlclose (in /usr/lib64/libdl-2.27.so)
+==25173== by 0x11E5A7: ??? (in /usr/bin/pkcs11-tool)
+==25173== by 0x110023: ??? 
(in /usr/bin/pkcs11-tool)
+==25173== by 0x5CF624A: (below main) (in /usr/lib64/libc-2.27.so)
+==25173== Address 0x61231c8 is 552 bytes inside a block of size 584 free'd
+==25173== at 0x4C2FDAC: free (vg_replace_malloc.c:530)
+==25173== by 0x6548492: p11_virtual_unwrap (virtual.c:2902)
+==25173== by 0x64BF492: p11_proxy_module_cleanup (proxy.c:1723)
+---
+ p11-kit/proxy.c | 17 ++++-------------
+ 1 file changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
+index 31b9bb2..b7fb63d 100644
+--- a/p11-kit/proxy.c
++++ b/p11-kit/proxy.c
+@@ -1720,8 +1720,8 @@ p11_proxy_module_cleanup (void)
+
+ for (; state != NULL; state = next) {
+ next = state->next;
+- p11_virtual_unwrap (state->wrapped);
+ p11_kit_modules_release (state->loaded);
++ p11_virtual_unwrap (state->wrapped);
+ }
+ }
+
+@@ -1731,16 +1731,6 @@ p11_proxy_module_check (CK_FUNCTION_LIST_PTR module)
+ return (module->C_WaitForSlotEvent == module_C_WaitForSlotEvent);
+ }
+
+-static void
+-proxy_module_free (p11_virtual *virt)
+-{
+- State *state = (State *)virt;
+-
+- p11_virtual_unwrap (state->wrapped);
+- p11_kit_modules_release (state->loaded);
+- free (state);
+-}
+-
+ CK_RV
+ p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
+ CK_FUNCTION_LIST_PTR *modules)
+@@ -1758,9 +1748,10 @@ p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
+ p11_virtual_init (&state->virt, &proxy_functions, state, NULL);
+ state->last_handle = FIRST_HANDLE;
+ state->loaded = modules_dup (modules);
+- state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)proxy_module_free);
++ state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)p11_virtual_uninit);
+ if (state->wrapped == NULL) {
+- proxy_module_free (&state->virt);
++ p11_kit_modules_release (state->loaded);
++ free (state);
+ return CKR_GENERAL_ERROR;
+ }
+
+--
+2.17.1
+
diff --git a/p11-kit.spec b/p11-kit.spec
index 625f00b..42bc3a4 100644
--- a/p11-kit.spec
+++ b/p11-kit.spec
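Review bot: The `free (state)` that the removed proxy_module_free performed has no counterpart in the new p11_proxy_module_cleanup loop: after `p11_kit_modules_release (state->loaded); p11_virtual_unwrap (state->wrapped);` the State is simply dropped, and the destroyer now handed to p11_virtual_wrap is p11_virtual_uninit, which receives only `&state->virt` and, unless it does something not visible in this patch, cannot release the enclosing State — so each proxy instance appears to be leaked once at unload. Since `next` is already saved before the release, adding `free (state);` after the p11_virtual_unwrap call inside the loop closes that gap while keeping the fix's intent, which is that the loaded modules are released while `state` is still valid and nothing touches `state` after its wrapper is torn down. The same ordering question applies to the error path in p11_proxy_module_create, which now releases and frees but, unlike the destroyer, never uninits `state->virt`; that is consistent with the old proxy_module_free, so it is probably fine, but worth a one-line comment. The body of p11_proxy_module_cleanup begins before this hunk, and p11_proxy_module_create is cut at both ends.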
@@ -1,6 +1,6 @@
 # This spec file has been automatically updated
 Version: 0.23.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 Name: p11-kit
 Summary: Library for loading and sharing PKCS#11 modules
@@ -9,6 +9,7 @@ URL: http://p11-glue.freedesktop.org/p11-kit.html
 Source0: https://github.com/p11-glue/p11-kit/releases/download/%{version}/p11-kit-%{version}.tar.gz
 Source1: trust-extract-compat
 Source2: p11-kit-client.service
+Patch: p11-kit-proxy-cleanup.patch
 BuildRequires: gcc
 BuildRequires: libtasn1-devel >= 2.3
@@ -145,6 +146,9 @@ fi
 %changelog
+* Wed Aug 15 2018 Daiki Ueno - 0.23.13-2
+- Fix invalid memory access on proxy cleanup
+
 * Fri Aug 10 2018 Daiki Ueno - 0.23.13-1
 - Update to upstream 0.23.13 release
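Review bot: The new `Patch: p11-kit-proxy-cleanup.patch` tag is unnumbered and the %prep section is outside this diff, so it cannot be seen here whether the patch is actually applied; with a plain `%setup` it would be listed in the SRPM but never used, and the 0.23.13-2 build would still ship the use-after-free that the changelog entry says is fixed. Confirm that %prep uses `%autosetup -p1` (or `%autopatch -p1`), or give the tag a number and pair it with an explicit apply line, e.g. `Patch0: p11-kit-proxy-cleanup.patch` and `%patch0 -p1` in %prep. A quick check is that the built proxy.c in the build root no longer contains proxy_module_free.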