Skip to content

libckteec: fix integer overflow in PKCS#11 serializer#415

Open
bestminhal wants to merge 1 commit into
OP-TEE:masterfrom
bestminhal:fix/pkcs11-serializer-integer-overflow
Open

libckteec: fix integer overflow in PKCS#11 serializer#415
bestminhal wants to merge 1 commit into
OP-TEE:masterfrom
bestminhal:fix/pkcs11-serializer-integer-overflow

Conversation

@bestminhal
Copy link
Copy Markdown

@bestminhal bestminhal commented Apr 30, 2026
edited
Loading

Fix integer overflow in serialize() and serialize_ck_attribute() that could lead to heap buffer overflow via crafted PKCS#11 attributes.

jenswikl
jenswikl reviewed Apr 30, 2026
View reviewed changes
Comment thread libckteec/src/serializer.c Outdated
{
size_t nlen = *blen + len;
char *buf = realloc(*bstart, nlen);
char *buf;
Copy link
Copy Markdown
Contributor

@jenswikl jenswikl Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please initialize it to NULL here.

Copy link
Copy Markdown
Author

@bestminhal bestminhal Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — initialized buf to NULL, updated SoB to my real name, and added a Fixes tag.

@jenswikl
Copy link
Copy Markdown
Contributor

jenswikl commented Apr 30, 2026

Please use your real name in the SoB as described in https://optee.readthedocs.io/en/latest/general/contribute.html#developer-certificate-of-origin

It would also be nice with a Fixes: tag pointing at the commit that introduced the bug.

@bestminhal bestminhal force-pushed the fix/pkcs11-serializer-integer-overflow branch from dfcadc5 to 8e14cce Compare April 30, 2026 09:36
@jenswikl
Copy link
Copy Markdown
Contributor

jenswikl commented Apr 30, 2026

Looks good. @etienne-lms?

etienne-lms
etienne-lms reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@etienne-lms etienne-lms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM aside minor comments. Thanks for the fixes.

Comment thread libckteec/src/serializer.c
if (nlen < *blen)
return CKR_HOST_MEMORY;

buf = realloc(*bstart, nlen);
Copy link
Copy Markdown
Contributor

@etienne-lms etienne-lms Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nitpicking: could remove the empty line below.

Comment thread libckteec/src/serializer.c Outdated
char *buf = NULL;

if (nlen < *blen)
return CKR_HOST_MEMORY;
Copy link
Copy Markdown
Contributor

@etienne-lms etienne-lms Apr 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think CKR_ARGUMENTS_BAD would better apply here.

@bestminhal
Copy link
Copy Markdown
Author

bestminhal commented Apr 30, 2026

Good points, both fixed.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 31, 2026

This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time.

@github-actions github-actions Bot added the Stale label May 31, 2026
@jenswikl
Copy link
Copy Markdown
Contributor

jenswikl commented Jun 1, 2026

Looks good, please squash and apply:
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

@bestminhal
libckteec: fix integer overflow in PKCS#11 serializer
6ecbbf1 
Add overflow check in serialize() to prevent size_t wraparound when
computing new buffer length. A crafted ulValueLen could cause *blen + len
to wrap, leading to a small realloc followed by an out-of-bounds memcpy.

Also add a bounds check in serialize_ck_attribute() for the
CKA_ALLOWED_MECHANISMS path where n * sizeof(uint32_t) could overflow
the uint32_t pkcs11_size, resulting in an undersized malloc.

Fixes: 85a7ea7 ("libckteec: introduce helpers for serializing data")
Signed-off-by: Minghao Cheng <m@minhal.me>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
@bestminhal bestminhal force-pushed the fix/pkcs11-serializer-integer-overflow branch from 439a263 to 6ecbbf1 Compare June 1, 2026 07:05
@github-actions github-actions Bot removed the Stale label Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jenswikl jenswikl jenswikl left review comments

+1 more reviewer

@etienne-lms etienne-lms etienne-lms left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bestminhal @jenswikl @etienne-lms