
ta: pkcs11: bound attribute reads in __trace_attributes() #7844

Description

@secretpack

__trace_attributes() walks a client-supplied attribute array, advancing by the
client-controlled stride sizeof(pkcs11_attribute_head) + pkcs11_ref.size, and
reads each attribute value without bounding the access against the end of the
buffer. The unconditional 4-byte data_u32 read and the id2str_attr_value() read
at cur + sizeof(pkcs11_ref) run past the end of the heap-allocated client
template when the last attribute header is within a few bytes of the end. The
helper is reachable on the error path of sanitize_class_and_type() (it dumps a
rejected "bad-template"), so a malformed C_CreateObject template makes it
over-read; a KASAN build faults the TA.

This was reported privately and triaged as a normal hardening bug (no observable
security impact in a production build: the over-read stays within the mapped TA
heap and the bytes are never returned to the client). Submitting as a regular PR
as requested.

Require a full attribute header before each iteration, clamp the value reads to
the bytes remaining before end, read the traced value from the already-bounded
local copy instead of the raw buffer, and only recurse into the
WRAP/UNWRAP/DERIVE_TEMPLATE dump when a nested object head still fits.
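The bounded walk the PR describes, as an added example that is not OP-TEE's code. It uses a simplified stand-in header (`struct attr_head`, a fixed head followed by `size` bytes of value, assumed here rather than taken from the TA), a constructed `NESTED_TEMPLATE_ID` standing in for the WRAP/UNWRAP/DERIVE_TEMPLATE case, and constructed sample templates with little-endian fields. Each iteration requires a full header, refuses a value that does not fit in the bytes remaining, traces the first word from a zeroed local copy clamped to the bytes that exist, and only recurses into a nested template when at least one nested head fits:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a serialized attribute head: a fixed header followed
 * by `size` bytes of value. Assumption for this example, not the TA's struct. */
struct attr_head {
    uint32_t id;
    uint32_t size;
};

/* Constructed id marking a value that itself holds a nested template. */
#define NESTED_TEMPLATE_ID 0x1000u

struct walk_result {
    size_t complete; /* attributes (including nested) whose head and value fit */
    size_t stop_at;  /* offset where the walk stopped; == len on a clean end */
    int clean;       /* 1 when the buffer ended exactly on an attribute boundary */
};

/* Walk a client-supplied template without touching bytes beyond buf + len.
 * The traced word is never read from the raw buffer: it is copied into a
 * zeroed local clamped to the bytes that actually exist. */
struct walk_result walk_attributes(const uint8_t *buf, size_t len)
{
    struct walk_result r = { 0, 0, 0 };
    size_t off = 0;

    while (off < len) {
        struct attr_head head;
        size_t remaining = len - off;
        uint8_t local[4] = { 0 };
        uint32_t word = 0;

        /* Require a full header before reading any field of it. */
        if (remaining < sizeof(head))
            break;
        memcpy(&head, buf + off, sizeof(head));
        remaining -= sizeof(head);

        /* The value must fit entirely; this also keeps the stride from
         * overflowing off, since head.size <= remaining <= len. */
        if (head.size > remaining)
            break;

        if (head.id == NESTED_TEMPLATE_ID) {
            /* Only recurse when at least one nested head fits in the value. */
            if (head.size >= sizeof(head)) {
                struct walk_result sub =
                    walk_attributes(buf + off + sizeof(head), head.size);
                r.complete += sub.complete;
            }
        } else {
            /* Trace the first word of the value from a bounded copy. */
            memcpy(local, buf + off + sizeof(head),
                   head.size < sizeof(local) ? head.size : sizeof(local));
            memcpy(&word, local, sizeof(word));
            printf("attr id=0x%x size=%u first_word=0x%08x\n",
                   head.id, head.size, word);
        }

        off += sizeof(head) + head.size;
        r.complete++;
    }

    r.stop_at = off;
    r.clean = (off == len);
    return r;
}

/* Constructed sample templates (little-endian uint32 fields). */
static const uint8_t sample_clean[] = {
    0x01, 0, 0, 0, 0x04, 0, 0, 0, 0x44, 0x33, 0x22, 0x11, /* id 1, 4-byte value */
    0x02, 0, 0, 0, 0x01, 0, 0, 0, 0xAA,                   /* id 2, 1-byte value */
};
static const uint8_t sample_short_head[] = {
    0x01, 0, 0, 0, 0x04, 0, 0, 0, 0x44, 0x33, 0x22, 0x11,
    0x02, 0, 0, 0, 0x01, 0, 0, 0, 0xAA,
    0x03, 0, 0,                                           /* 3 bytes of a header */
};
static const uint8_t sample_oversized[] = {
    0x01, 0, 0, 0, 0x04, 0, 0, 0, 0x44, 0x33, 0x22, 0x11,
    0x03, 0, 0, 0, 0x64, 0, 0, 0,                         /* claims 100 bytes, none follow */
};
static const uint8_t sample_nested[] = {
    0x00, 0x10, 0, 0, 0x0C, 0, 0, 0,                      /* NESTED_TEMPLATE_ID, 12 bytes */
        0x05, 0, 0, 0, 0x04, 0, 0, 0, 0xEF, 0xBE, 0xAD, 0xDE,
};

int main(void)
{
    struct walk_result r =
        walk_attributes(sample_short_head, sizeof(sample_short_head));
    printf("complete=%zu stop_at=%zu clean=%d\n", r.complete, r.stop_at, r.clean);
    return 0;
}
```

On the truncated and oversized samples the walk stops at the last attribute boundary it could verify rather than reading on, which is the behaviour a dump-on-error helper like this one needs: the template is already known to be malformed, so reporting where parsing stopped is more useful than reading past it.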
