25366898 pcsclite SCardReleaseContext can result in a double-free of the "cardsList" s11u3-sru
author John Ojemann <john.ojemann@oracle.com>
Tue, 24 Jan 2017 04:39:14 -0800
branch s11u3-sru
changeset 7597 21897c6862f7
parent 7595 a454f5e35b4c
child 7602 d86d5487437f
25366898 pcsclite SCardReleaseContext can result in a double-free of the "cardsList"
components/pcsc-lite/patches/S11-scardrelease_context.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/pcsc-lite/patches/S11-scardrelease_context.patch	Tue Jan 24 04:39:14 2017 -0800
@@ -0,0 +1,39 @@
+Upstream patch/fix that was included in the next release of pcsclite:
+https://anonscm.debian.org/cgit/pcsclite/PCSC.git/patch/?id=697fe05967af7ea215bcd5d5774be587780c9e22
+patch by Peter Wu <[email protected]> 2016-12-25 22:31:24 (GMT)
+committed by Ludovic Rousseau <[email protected]> 2016-12-30 16:18:39 (GMT)
+
+Once MSGRemoveContext is invoked (via SCARD_RELEASE_CONTEXT), cardsList is freed. 
+A repeated invocation of SCARD_RELEASE_CONTEXT (with an empty context handle) 
+results in a use-after-free followed by a double-free. After MSGRemoveContext, 
+invocation of SCardEstablishContext enable further use-after-free of cardsList in 
+MSGCheckHandleAssociation, MSGRemoveContext, MSGAddHandle, MSGRemoveHandle. 
+
+To avoid this problem, destroy the list only when the client connection is terminated.
+
+This patch was based on the above and modified to work with our v1.8.14 of the pcsc-lite source code 
+and named accordingly to build with our existing Solaris pcsc-lite userland patch layout.
+
+--- a/src/winscard_svc.c	2017-01-09 14:27:56.897972773 -0500
++++ b/src/winscard_svc.c	2017-01-09 14:26:46.043849006 -0500
[email protected]@ -868,7 +868,6 @@
+ 		UNREF_READER(rContext)
+ 	}
+ 	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
+-	list_destroy(&threadContext->cardsList);
+ 
+ 	/* We only mark the context as no longer in use.
+ 	 * The memory is freed in MSGCleanupCLient() */
[email protected]@ -979,6 +978,11 @@
+ 		(void)MSGRemoveContext(threadContext->hContext, threadContext);
+ 	}
+ 
++       
++	(void)pthread_mutex_lock(&threadContext->cardsList_lock);
++	list_destroy(&threadContext->cardsList);
++	(void)pthread_mutex_unlock(&threadContext->cardsList_lock);
++
+ 	Log3(PCSC_LOG_DEBUG,
+ 		"Thread is stopping: dwClientID=%d, threadContext @%p",
+ 		threadContext->dwClientID, threadContext);
+
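Review bot: the blank line added at the top of the second embedded hunk (`++       `) carries trailing spaces; make it an empty `+` line so the new patch file does not introduce a whitespace-only change. The move itself reads correctly: `list_destroy(&threadContext->cardsList);` leaves MSGRemoveContext, where it ran after `(void)pthread_mutex_unlock(&threadContext->cardsList_lock);`, and is now executed once in the thread-teardown path, after the final `(void)MSGRemoveContext(...)` call and while `cardsList_lock` is held, which is what the retained comment "The memory is freed in MSGCleanupCLient()" describes (that comment's stray capital L is inherited from upstream and could be corrected in the same patch). One thing to verify before landing: the embedded hunk headers and the author e-mail addresses render here as `[email protected]@ -868,7 +868,6 @@` and `<[email protected]>`; confirm the committed S11-scardrelease_context.patch carries literal `@@` headers, otherwise `patch` will reject it during the build.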