File pcsc-lite-CVE-2016-10109-use-after-free.patch of Package pcsc-lite.3953

Overview Repositories Revisions Requests Users Attributes Meta

File pcsc-lite-CVE-2016-10109-use-after-free.patch of Package pcsc-lite.3953

From 697fe05967af7ea215bcd5d5774be587780c9e22 Mon Sep 17 00:00:00 2001
From: Peter Wu <peter@lekensteyn.nl>
Date: Sun, 25 Dec 2016 23:31:24 +0100
Subject: [PATCH] SCardReleaseContext: prevent use-after-free of cardsList

Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT),
cardsList is freed. A repeated invocation of SCARD_RELEASE_CONTEXT (with
an empty context handle) results in a use-after-free followed by a
double-free.

After MSGRemoveContext, invocation of SCardEstablishContext enable
further use-after-free of cardsList in MSGCheckHandleAssociation,
MSGRemoveContext, MSGAddHandle, MSGRemoveHandle.

To avoid this problem, destroy the list only when the client connection
is terminated.
---
 src/winscard_svc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/winscard_svc.c b/src/winscard_svc.c
index 20f2976..406030f 100644
--- a/src/winscard_svc.c
+++ b/src/winscard_svc.c
@@ -881,7 +881,6 @@ static LONG MSGRemoveContext(SCARDCONTEXT hContext, SCONTEXT * threadContext)
 		UNREF_READER(rContext)
 	}
 	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
-	list_destroy(&threadContext->cardsList);
 
 	/* We only mark the context as no longer in use.
 	 * The memory is freed in MSGCleanupCLient() */
@@ -992,6 +991,10 @@ static LONG MSGCleanupClient(SCONTEXT * threadContext)
 		(void)MSGRemoveContext(threadContext->hContext, threadContext);
 	}
 
+	(void)pthread_mutex_lock(&threadContext->cardsList_lock);
+	list_destroy(&threadContext->cardsList);
+	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
+
 	Log3(PCSC_LOG_DEBUG,
 		"Thread is stopping: dwClientID=%d, threadContext @%p",
 		threadContext->dwClientID, threadContext);
-- 
2.11.0

Places

File pcsc-lite-CVE-2016-10109-use-after-free.patch of Package pcsc-lite.3953

Places