FS#69389 - [libgcrypt] 1.9.0 causes gpg-agent to core dump

Attached to Project: Arch Linux
Opened by Vladimir (_v_l) - Thursday, 21 January 2021, 02:16 GMT
Last edited by Andreas Radke (AndyRTR) - Monday, 25 January 2021, 07:12 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Andreas Radke (AndyRTR)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description: as topic says, libgcrypt 1.9.0 causes gpg-agent to coredump on signing data while don't prevent decryption.


Additional info:
* gnupg: 2.2.27-1
* libgcrypt: 1.9.0-1

Steps to reproduce:
- make sure that gpg-agent is run (systemctl --user status gpg-agent.service)
- try to sign any document:
gpg -s -b file
- see message about end of file:
gpg: signing failed: End of file
- see output from systemctl --user status gpg-agent.service:
● gpg-agent.service - GnuPG cryptographic agent and passphrase cache
Loaded: loaded (/usr/lib/systemd/user/gpg-agent.service; static)
Active: failed (Result: signal) since Thu 2021-01-21 10:13:33 +08; 24s ago
TriggeredBy: ● gpg-agent.socket
● gpg-agent-ssh.socket
● gpg-agent-extra.socket
● gpg-agent-browser.socket
Docs: man:gpg-agent(1)
Process: 25312 ExecStart=/usr/bin/gpg-agent --supervised (code=killed, signal=ABRT)
Main PID: 25312 (code=killed, signal=ABRT)
CPU: 0

янв 21 10:13:26 smoon4.bkoty.ru gpg-agent[25312]: using fd 4 for ssh socket (/run/user/1000/gnupg/S.gpg-agent.ssh)
янв 21 10:13:26 smoon4.bkoty.ru gpg-agent[25312]: using fd 5 for extra socket (/run/user/1000/gnupg/S.gpg-agent.extra)
янв 21 10:13:26 smoon4.bkoty.ru gpg-agent[25312]: using fd 6 for browser socket (/run/user/1000/gnupg/S.gpg-agent.browser)
янв 21 10:13:26 smoon4.bkoty.ru gpg-agent[25312]: listening on: std=3 extra=5 browser=6 ssh=4
янв 21 10:13:26 smoon4.bkoty.ru gpg-agent[25314]: scdaemon[25314]: pcsc_establish_context failed: no service (0x8010001d)
янв 21 10:13:33 smoon4.bkoty.ru gpg-agent[25312]: free(): invalid pointer
янв 21 10:13:33 smoon4.bkoty.ru systemd-coredump[25325]: Process 25312 (gpg-agent) of user 1000 dumped core.
янв 21 10:13:33 smoon4.bkoty.ru gpg-agent[25314]: scdaemon[25314]: scdaemon (GnuPG) 2.2.27 остановлен
янв 21 10:13:33 smoon4.bkoty.ru systemd[686]: gpg-agent.service: Main process exited, code=killed, status=6/ABRT
янв 21 10:13:33 smoon4.bkoty.ru systemd[686]: gpg-agent.service: Failed with result 'signal'.

coredumpctl reports:
Thu 2021-01-21 08:13:36 +08 1418 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:16:49 +08 17403 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:35:34 +08 18482 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:35:59 +08 18524 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:37:48 +08 18745 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:38:36 +08 18828 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 08:43:21 +08 18918 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 10:06:45 +08 22235 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 10:13:21 +08 25276 1000 100 6 none /usr/bin/gpg-agent
Thu 2021-01-21 10:13:33 +08 25312 1000 100 6 none /usr/bin/gpg-agent

With libgcrypt 1.8.7 from core all works fine (the same configuration, only libgcrypt other).

This task depends upon

Closed by  Andreas Radke (AndyRTR)
Monday, 25 January 2021, 07:12 GMT
Reason for closing:  Fixed
Comment by Vladimir (_v_l) - Thursday, 21 January 2021, 06:11 GMT
This is my gpg-agent.conf

pinentry-program /usr/bin/pinentry-curses
pinentry-timeout 60
# no-grab
allow-loopback-pinentry
allow-emacs-pinentry
default-cache-ttl 5400
default-cache-ttl-ssh 5400
max-cache-ttl 10800
max-cache-ttl-ssh 10800
enable-ssh-support
ssh-fingerprint-digest SHA256

It's very simple and I don't think it could lead to gpg-agent core dumps with new libgcrypt.
Comment by Andreas Radke (AndyRTR) - Thursday, 21 January 2021, 06:11 GMT
https://www.gnupg.org/download/git.html -> Please do a local debug build to catch the segfault and then report a gdb BT to the
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel list (I'm subscribed).
Comment by Vladimir (_v_l) - Thursday, 21 January 2021, 06:56 GMT
Hi.

Could you give some hints how to do that? How I should make debug build? I tried to build gnupg locally with additional option --enable-npth-debug (the only one in configure with debug in it), rest are the same as in PKGBUILD, copied gpg-agent and gpg into /usr/bin and ran

gdb gpg-agent
(gdb) run

(in other terminal window)

gpg -s --clearsign -b COPYING

but got nothing. In gdb I see

(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[87090]: no gpg-agent running in this session
[Inferior 1 (process 87090) exited with code 02]
(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[87094]: no gpg-agent running in this session
[Inferior 1 (process 87094) exited with code 02]

so I assume it doesn't run under gdb, for gpg I see

gpg: NOTE: THIS IS A DEVELOPMENT VERSION!
gpg: It is only intended for test purposes and should NOT be
gpg: used in a production environment or with production keys!
gpg: Warning: using insecure memory!
gpg: using "647A5683B8913D2B" as default secret key for signing
gpg: signing failed: End of file
gpg: COPYING: clear-sign failed: End of file

Comment by Andreas Radke (AndyRTR) - Thursday, 21 January 2021, 07:25 GMT
https://wiki.archlinux.org/index.php/Debug_-_Getting_Traces#Compilation_settings

Build a local package libgcrypt and maybe also gnugp with these debug options.
Then try to reproduce the segfault from within gdb and cat the BT. Post the "bt full"
output to the gcrypt-devel mailing list.
"free(): invalid pointer" should be fixed in libgcrypt. The backtrace should show the
source.
Comment by Vladimir (_v_l) - Thursday, 21 January 2021, 10:08 GMT
I'm afraid that didn't help. I built libgcrypt and gnupg in that order with options 'debug', '!strip' but I didn't see any difference.

To be sure I tried to figure out how gpg-agent is run. I remembered that when I want to sign a file I have to enter password in pinentry-curse program only once, the next file is signed without asking a password. Now I see pinentry-curses window every time and gpg couldn't sign a file.

Before to run gpg-agent in gdb I checked that it isn't run already

$ ps aux | grep gpg | grep -v grep

Then I run gpg-agent in gdb:

$ LANG=en_US.UTF-8 gdb /usr/bin/gpg-agent
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gpg-agent...
(gdb) run
Starting program: /usr/bin/gpg-agent
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent[313185]: no gpg-agent running in this session
[Inferior 1 (process 313185) exited with code 02]
(gdb)

I see that gpg-agent is run under gdb:

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.2 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent

Now I run gpg on a file

$ LANG=en_US.UTF-8 gpg -s --clearsign -b PKGBUILD
gpg: Warning: using insecure memory!
gpg: using "647A5683B8913D2B" as default secret key for signing
gpg: signing failed: End of file
gpg: PKGBUILD: clear-sign failed: End of file

After that I see only gpg-agent

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.0 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent

While entering password in pinentry-curses window in other terminal I ran

$ ps aux | grep gpg | grep -v grep
vladimir 313159 0.1 0.1 1074632 49700 pts/2 Sl+ 17:54 0:00 gdb /usr/bin/gpg-agent
vladimir 313229 0.0 0.0 11612 5352 pts/3 S+ 17:57 0:00 gpg -s --clearsign -b PKGBUILD
vladimir 313232 0.0 0.0 81096 236 ? Ssl 17:57 0:00 gpg-agent --homedir /home/vladimir/.gnupg --use-standard-socket --daemo

If I try to run gpg again I would be asked to enter password again. That makes me feel that I see the same problem though I don't see coredump in gdb and bt and bt full returns "No stack".

As gpg-agent is run by systemd with --supervised option I tried that as well

$ gdb /usr/bin/gpg-agent
GNU gdb (GDB) 10.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gpg-agent...
(gdb) run --supervised
Starting program: /usr/bin/gpg-agent --supervised
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
gpg-agent (GnuPG) 2.2.27 starting in supervised mode.
no LISTEN_PID environment variable found in --supervised mode (ignoring)
no LISTEN_FDS or LISTEN_FDNAMES environment variables found in --supervised mode (assuming 1 active descriptor)
Fatal: file descriptor 3 must be valid in --supervised mode if LISTEN_FDNAMES is not set
[Inferior 1 (process 313322) exited with code 02]
(gdb)

but got the same result.

I run all tests in a container, systemd-nspawn, if that matters.
Comment by Andreas Radke (AndyRTR) - Thursday, 21 January 2021, 12:32 GMT
For me gpg-agent doens't segfault here.

Try as user or root "gdb"
"exec /usr/bin/gpg-agent --supervised"
after the crash "bt full" should shot the backtrace with helpfull output.

You will probably get faster help posting to the devel mailing list.
Comment by Vladimir (_v_l) - Friday, 22 January 2021, 05:58 GMT
Hello.

Yes, that frustrating, I don't know why gpg-agent is working that way (it "crashes" but I only see this in systemctl log, I couldn't make it works under gdb or don't detach itself from terminal). I could imagine that might be somehow connected with the fact that my hosts running linux-ck kernel (ok, not all, two running linux-zen kernels but these are VPSes) but I don't understand why it works fine with old version of libgcrypt. I would suspect that 1.9.0 version introduces some incompatibility (despite the fact that news message says about API and ABI compatibility).

Besides, when I ran

$ gdb exec /usr/bin/gpg-agent --supervised

gdb said it didn't recognize '--supervised' option (as I understand, all options to a program must be passed to 'run' command in gdb). Without '--supervised' gdb says that it doesn't know what 'exec' is (no wonder, it is shell builtin).

I finally managed to subscribe to gcrypt-devel ML and will continue there. I'll report any findings here.
Comment by Vladimir (_v_l) - Monday, 25 January 2021, 06:13 GMT
Hi.

NIIBE Yutaka on libgcrypt-devel mailing list provided a patch for libgcrypt. After applying it and rebuilding both libgcrypt and gnupg (in that order) I now have working gnupg.
Comment by Andreas Radke (AndyRTR) - Monday, 25 January 2021, 06:24 GMT
Applied the proposed upstream patch from mailing list to 1.9.0-2 - please test if gnupg-agent now works or if gnupg requires a rebuild.
Comment by Vladimir (_v_l) - Monday, 25 January 2021, 07:00 GMT
It works! I tested on one of my "work" hosts and gnupg signed file successfully.

P.S. Seems that I screwed up a bit on other host where I tested libgcrypt with applied patch because I had to rebuild and gnupg too.

Loading...