OpenSC
cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*
- <= 0.26.1
A vulnerability exists in OpenSC versions prior to 0.27.0 within the `sc_compacttlv_find_tag` function, part of the libopensc library. This function improperly validates the length of values in a compact-TLV buffer, allowing it to return an out-of-bounds pointer when untrusted data is processed. Such behavior can lead to memory corruption if the returned pointer is dereferenced, potentially causing crashes or unexpected application behavior. The issue can be exploited by crafting a malicious Answer to Reset (ATR) that includes invalid Compact-TLV encoding, which is then read by the OpenSC tools or through the PKCS#11 module.
Exploitation of this vulnerability can cause memory corruption by allowing out-of-bounds reads that lead to dereferencing invalid pointers. This could result in a crash or unpredictable behavior in applications using OpenSC.
The vulnerability can be reproduced by using a crafted USB device or smart card that returns a malicious ATR with an improperly encoded Compact-TLV element. The `sc_compacttlv_find_tag` function will then return a pointer that exceeds the buffer's bounds, along with a length that does not correspond to the actual data available, creating the potential for memory corruption when the pointer is accessed.
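A bounds-checked compact-TLV lookup of the kind this issue calls for, as an added example (my own code, not OpenSC's `sc_compacttlv_find_tag`). Compact-TLV packs tag and length into one header byte (high nibble tag, low nibble length); the two historical-byte buffers are constructed, and the malformed one declares a length that runs past the end of the buffer, which the lookup rejects instead of returning a pointer beyond it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Find `tag` in a compact-TLV buffer. Returns a pointer to the value and sets
 * *out_len, or NULL if the tag is absent or any element before/at it declares
 * more bytes than remain in the buffer (so no out-of-bounds pointer escapes). */
const uint8_t *ctlv_find_tag(const uint8_t *buf, size_t buflen,
                             uint8_t tag, size_t *out_len)
{
    size_t i = 0;
    if (buf == NULL || out_len == NULL)
        return NULL;
    *out_len = 0;
    while (i < buflen) {
        uint8_t t = buf[i] >> 4;        /* tag nibble */
        size_t len = buf[i] & 0x0F;     /* length nibble, 0..15 */
        i++;
        if (len > buflen - i)           /* declared length exceeds remaining data */
            return NULL;
        if (t == tag) {
            *out_len = len;
            return buf + i;             /* always within [buf, buf + buflen] */
        }
        i += len;
    }
    return NULL;
}

/* Offset of the value for `tag`, or -1 when absent or malformed. */
long ctlv_value_offset(const uint8_t *buf, size_t buflen, uint8_t tag)
{
    size_t len;
    const uint8_t *p = ctlv_find_tag(buf, buflen, tag, &len);
    return p ? (long)(p - buf) : -1;
}

/* Constructed historical bytes: tag 3 (1 byte), tag 6 (4 bytes), tag 7 (3 bytes). */
const uint8_t good_hist[] = {0x31, 0xC0, 0x64, 0x01, 0x02, 0x03, 0x04,
                             0x73, 0xAA, 0xBB, 0xCC};
/* Constructed malformed input: tag 6 claims 15 bytes but only 2 follow. */
const uint8_t bad_hist[] = {0x31, 0xC0, 0x6F, 0x01, 0x02};

int main(void)
{
    printf("good tag 6 at offset %ld\n", ctlv_value_offset(good_hist, sizeof good_hist, 0x6));
    printf("bad  tag 6 at offset %ld\n", ctlv_value_offset(bad_hist, sizeof bad_hist, 0x6));
    return 0;
}
```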
Users should update OpenSC to version 0.27.0 or later, where this vulnerability has been patched.