7195480 : (smartcardio) javax.smartcardio does not detect cards on Mac OS X

Yonathan yonathan at gmail.com
Mon Mar 11 16:01:42 PDT 2013


aka 7200271 : javax.smartcardio.CardTerminal.isCardPresent always returns false

Dear security,

The underlying cause of this issue is silly. The signature of
SCardGetStatusChange is wrong on OS X; the JRE code expects DWORD to
be uint64_t, but in the OS X system library it’s actually uint32_t.
Note that the code is only wrong in OS X; on Linux the PCSC library
uses 64-bit longs. The simplest solution is to just not use your own
winscard.h, since it’s included with OS X. Alternatively, you could
check in a header that declares different types for Linux and OS X[1].

This meant that the following functions returned incorrect values or
crashed if you called them too often:
TerminalImpl.isCardPresent()
TerminalImpl.waitForCard(boolean, long)
PCSCTerminals.list()
PCSCTerminals.waitForChange(long)

I previously submitted a bug report on 2012-12-03 (internal review ID
of 2396490) but haven’t heard back so perhaps this is a better forum.
Example segfault when you run the attached program:
#  SIGSEGV (0xb) at pc=0x000000015deb166e
#
# JRE version: 7.0_17-b02
# Java VM: Java HotSpot(TM) 64-Bit Server VM (23.7-b01 mixed mode bsd-amd64 compressed oops)
# Problematic frame:
# C  [libj2pcsc.dylib+0x166e]  pcsc_multi2jstring+0x11

[1]: http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/src/PCSC/wintypes.h?revision=5869&view=markup

I hope this can be fixed soon as it makes using smartcards very delicate.

Yonathan Randolph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcsc.patch
Type: application/octet-stream
Size: 617 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/security-dev/attachments/20130311/355bfd37/pcsc.patch 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Sandbox.java
Type: application/octet-stream
Size: 456 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/security-dev/attachments/20130311/355bfd37/Sandbox.java 
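
The DWORD width mismatch described in the message, as an added illustration (not the JRE's code, not pcsc.patch and not the attached Sandbox.java): the reader-state struct that SCardGetStatusChange fills in is written through a 32-bit DWORD layout and read back through a 64-bit one, so the caller finds the ATR length where it expects the event state. The names rs_lib32, rs_caller64 and fake_status_change and the ATR bytes are constructed for this sketch; the field order follows pcsc-lite's SCARD_READERSTATE.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ATR_SIZE        33
#define SCARD_STATE_PRESENT 0x0020

/* Reader-state layout as the OS X library sees it: DWORD is uint32_t. */
typedef struct {
    const char *szReader; void *pvUserData;
    uint32_t dwCurrentState, dwEventState, cbAtr;
    unsigned char rgbAtr[MAX_ATR_SIZE];
} rs_lib32;

/* The same struct compiled against a header where DWORD is uint64_t. */
typedef struct {
    const char *szReader; void *pvUserData;
    uint64_t dwCurrentState, dwEventState, cbAtr;
    unsigned char rgbAtr[MAX_ATR_SIZE];
} rs_caller64;

/* Hypothetical stand-in for the library: reports "card present" and a 4-byte ATR. */
static void fake_status_change(void *buf) {
    static const unsigned char atr[] = {0x3B, 0x80, 0x80, 0x01}; /* constructed */
    rs_lib32 rs;
    memcpy(&rs, buf, sizeof rs);          /* library reads its own layout */
    rs.dwEventState = SCARD_STATE_PRESENT;
    rs.cbAtr = sizeof atr;
    memcpy(rs.rgbAtr, atr, sizeof atr);
    memcpy(buf, &rs, sizeof rs);          /* and writes it back the same way */
}

/* What a caller using the 64-bit layout reads back as dwEventState. */
uint64_t caller_event_state(void) {
    rs_caller64 rs;
    memset(&rs, 0, sizeof rs);
    fake_status_change(&rs);   /* rs_caller64 is the larger struct, so the copy fits */
    return rs.dwEventState;    /* these bytes are really cbAtr plus the first ATR bytes */
}

int caller_sees_card(void) { return (caller_event_state() & SCARD_STATE_PRESENT) != 0; }

int main(void) {
    printf("caller reads dwEventState=0x%016llx, card present: %d\n",
           (unsigned long long)caller_event_state(), caller_sees_card());
    return 0;
}
```

The library did set SCARD_STATE_PRESENT, but at the offset of its own dwEventState; the caller's dwEventState overlaps the library's cbAtr, so the presence bit is never seen.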

