Page MenuHome GnuPG

SCardListReaders: Conditional jump or move depends on uninitialised value(s)
Closed, ResolvedPublic

Description

GnuPG is not using the PC/SC API correctly. With the function SCardListReaders() the last parameter (size of the readers buffer) is a in/out parameter. i.e. the value MUST be initialized before calling.

According to the API documentation https://pcsclite.apdu.fr/api/group__API.html#ga93b07815789b3cf2629d439ecf20f0d9

LONG SCardListReaders     (
       SCARDCONTEXT      hContext,
       LPCSTR      mszGroups,
       LPSTR      mszReaders,
       LPDWORD      pcchReaders
   )

If *pcchReaders is equal to SCARD_AUTOALLOCATE then the function will allocate itself the needed memory. Use SCardFreeMemory() to release it.

In the GnuPG code the value of pcchReaders is not initialized and that generates a log reported by valgrind:

==35605== Thread 2:
==35605== Conditional jump or move depends on uninitialised value(s)
==35605==    at 0x58BCFAE: SCardListReaders (in /usr/lib64/libpcsclite.so.1.0.0)
==35605==    by 0x11D78A: apdu_dev_list_start (apdu.c:2031)
==35605==    by 0x1245EF: select_application (app.c:817)
==35605==    by 0x117AFF: open_card_with_request (command.c:281)
==35605==    by 0x117AFF: cmd_serialno (command.c:358)
==35605==    by 0x4A20839: ??? (in /usr/lib64/libassuan.so.0.8.5)
==35605==    by 0x4A20C28: assuan_process (in /usr/lib64/libassuan.so.0.8.5)
==35605==    by 0x11854C: scd_command_handler (command.c:2521)
==35605==    by 0x114C03: start_connection_thread (scdaemon.c:1202)
==35605==    by 0x4A2F49D: ??? (in /usr/lib64/libnpth.so.0.1.2)
==35605==    by 0x4ABD3E9: start_thread (pthread_create.c:442)
==35605==    by 0x4B3F0DF: clone (clone.S:100)
==35605==

The patch is very simple:

diff --git a/scd/apdu.c b/scd/apdu.c
index 574697cc1..e83815ba5 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -2015,7 +2015,7 @@ apdu_dev_list_start (const char *portstr, struct dev_list **l_p)
  #endif
      { /* PC/SC readers.  */
        long r;
-      pcsc_dword_t nreader;
+      pcsc_dword_t nreader = 0;
        char *p = NULL;

        if (!pcsc.context)

I found the problem because of https://github.com/LudovicRousseau/PCSC/issues/125 and https://dev.gnupg.org/T5963

Thanks

Event Timeline

ludovic created this object in space S1 Public.
werner triaged this task as High priority.May 13 2022, 2:36 PM
werner added projects: scd, gnupg (gpg22).
werner added a subscriber: werner.

Thanks for opening a ticket.

gniibe edited projects, added gnupg, backport; removed gnupg (gpg22).
gniibe added a subscriber: gniibe.

The bug was there when it was initially written. It was in 2003, which introduced PC/SC in rG1bcf8ef9dea1: Cleanups, fixes and PC/SC support

Pushed the change to master.
Backported to 2.2.

To detect these kinds of bugs, possibly, we can use new GCC option: -ftrivial-auto-var-init=0xFEFEFEFE.
https://gcc.gnu.org/gcc-12/changes.html#uninitialized

gniibe removed a project: Testing.