Problem on M1

Вопросы по работе с электронными ключами SenseLock из операционных систем с использованием различных компиляторов

Problem on M1

Сообщение Vladimir K » Пн, 01 ноя 2021 11:55

Используем ключи SenseLock EL4S-RTC64K). Рапортует мой коллега:

There is a crash in S4Enum (probably buffer overlow) when the dongle is connected via USB hub.
Here is an example running SLcheck tested on M1, with the dongle connected over a USB hub:

(lldb) r
Process 4613 launched: '/Users/tihmstar/dev/dongleprotection/Build/Products/Debug/SLcheck' (arm64)
Process 4613 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x1b9ae4b6c)
frame #0: 0x00000001b9ae4b6c libsystem_c.dylib`__chk_fail_overflow + 24
libsystem_c.dylib`__chk_fail_overflow:
-> 0x1b9ae4b6c <+24>: brk #0x1

libsystem_c.dylib`__chk_fail_overlap:
0x1b9ae4b70 <+0>: pacibsp
0x1b9ae4b74 <+4>: stp x29, x30, [sp, #-0x10]!
0x1b9ae4b78 <+8>: mov x29, sp
Target 0: (SLcheck) stopped.
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x1b9ae4b6c)
* frame #0: 0x00000001b9ae4b6c libsystem_c.dylib`__chk_fail_overflow + 24
frame #1: 0x00000001b9a7bf0c libsystem_c.dylib`__strcpy_chk + 108
frame #2: 0x000000010000a228 SLcheck`UpdateDeviceInfo(pKeyList=0x0000000100809200, dwKeyCount=1, type=1) at utils.c:476:4 [opt]
frame #3: 0x000000010000a130 SLcheck`UpdateItokenDeviceList at utils.c:0 [opt]
frame #4: 0x000000010000e070 SLcheck`SKeyListKey(ctxList=0x0000000000000000, ctxLen=0x000000016fdff430) at itoken.c:86:2 [opt]
frame #5: 0x0000000100007fbc SLcheck`S4Enum(s4CtxList=0x0000000000000000, lpCtxListSize=0x000000016fdff430) at sense4.c:239:18 [opt]
frame #6: 0x000000010000677c SLcheck`KeyOpenAndAuthenticate(outCtx=0x000000016fdff470) at libSLcheck.c:126:12
frame #7: 0x00000001000050fc SLcheck`main(argc=1, argv=0x000000016fdff680) at main.c:30:12
frame #8: 0x00000001000450f4 dyld`start + 520

Looks like the bug is in UpdateDeviceInfo function.
Basically their DEVICE_INFO object. Has an element named char devicePath[0x104].
But if you're on M1 mac and the dongle is connected via USB hub, the DevicePath is much larger (in my instance it is 0x151 bytes).
The problem is they are calling unbounded strcpy (Or maybe they meant to call strncpy ?) which overflows the object!
But without going too much into detail on how everything should be re-writte, a (really bad) hotfix would be to make the struct element much larger (e.g. 0x1000 bytes in size).
Vladimir K
 
Сообщения: 1
Зарегистрирован: Пн, 01 ноя 2021 11:51

Вернуться в Использование SenseLock

Кто сейчас на конференции

Сейчас этот форум просматривают: нет зарегистрированных пользователей и гости: 1