Bug 735967

Summary: gpg-agent segfaults via ..., pth_mutex_acquire, __pth_ring_append
Product: Fedora
Component: gnupg2
Version: 16
Reporter: Jim Meyering <meyering>
Assignee: Rex Dieter <rdieter>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: bcl, nalin, rdieter, tmraz
Status: CLOSED ERRATA
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gnupg2-2.0.18-1.fc16
Doc Type: Bug Fix
Last Closed: 2011-09-30 19:28:19 UTC

Description Jim Meyering 2011-09-06 10:27:11 UTC
Description of problem: this command always segfaults:
gpg-agent --enable-ssh-support --use-standard-socket --daemon
(at least when you have the MALLOC_PERTURB_  envvar set to nonzero)

Version-Release number of selected component (if applicable):
gnupg2-2.0.17-2.fc16.i686

How reproducible: every time

Steps to Reproduce:

  1. env -i MALLOC_PERTURB_=23 \
    gpg-agent --enable-ssh-support --use-standard-socket --daemon

Actual results:

  Program received signal SIGSEGV, Segmentation fault

Expected results:

  exit 0

Additional info:

This happens only when MALLOC_PERTURB_ is nonzero.
That suggests use of pointer to freed or uninitialized heap memory.
This is *not* a problem with x86_64 rawhide's gnupg2-2.0.18-1.fc17.x86_64.
I haven't tested on i686 rawhide or on x86_64 F16.

Note that in the log below, r->r_hook is obviously an invalid
(freed?) pointer.  Considering that this failure is in the guts of pth
code, I compared pth versions.  Both are pth-2.0.7-10.

$ env -i MALLOC_PERTURB_=23 \
  gdb --args gpg-agent --enable-ssh-support --use-standard-socket --daemon
(gdb) r
Starting program: /usr/bin/gpg-agent --enable-ssh-support --use-standard-socket --daemon
Detaching after fork from child process 21634.
GPG_AGENT_INFO=/home/meyering/.gnupg/S.gpg-agent:21634:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/meyering/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
SSH_AGENT_PID=21634; export SSH_AGENT_PID;

Program received signal SIGSEGV, Segmentation fault.
__pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
166             rn->rn_prev = r->r_hook->rn_prev;
(gdb) p *r
$1 = {
  r_hook = 0x8e8e8e8e,
  r_nodes = 2391707278
}
(gdb) bt
#0  __pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
#1  0x462418f9 in pth_mutex_acquire (ev_extra=<optimized out>,
    tryonly=<optimized out>, mutex=<optimized out>) at pth_sync.c:101
#2  pth_mutex_acquire (mutex=0x8089ba8, tryonly=0, ev_extra=0x0)
    at pth_sync.c:45
#3  0x0806eafe in es_list_iterate (iterator=<optimized out>) at estream.c:391
#4  es_fflush (stream=0x0) at estream.c:2682
#5  0x0806eb60 in es_deinit () at estream.c:444
#6  0x460c9111 in __run_exit_handlers (status=0, listp=0x46233324,
    run_list_atexit=true) at exit.c:78
#7  0x460c919d in __GI_exit (status=0) at exit.c:100
#8  0x0804e1d3 in main (argc=Cannot access memory at address 0x8e8e8e8e) at gpg-agent.c:1200
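The report's diagnosis rests on one observation: the crash appears only when MALLOC_PERTURB_ is non-zero, and the pointer that faults (r_hook = 0x8e8e8e8e) is made of one repeated byte, which is what a heap fill pattern looks like when it is read back as a pointer. The following is an added example, not code from the bug report, from gnupg or from pth: a tiny allocator that poisons memory the way glibc's MALLOC_PERTURB_ does (the configured byte on free, its complement on allocation), keeps freed blocks in a quarantine so the stale read stays well-defined, and a guard an exit-time handler could run before trusting a ring's hook pointer. The struct layouts, the fill bytes and all function names are assumptions made for the example; the ring fields only mirror the two names visible in the gdb output above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill bytes, constructed for this example. They follow glibc's
   MALLOC_PERTURB_ convention: freed memory is filled with the configured
   byte, fresh allocations with its complement. 0x17 is 23, the value the
   reporter used. */
#define PERTURB_BYTE 0x17u
#define FREE_FILL    ((unsigned char)PERTURB_BYTE)
#define ALLOC_FILL   ((unsigned char)(PERTURB_BYTE ^ 0xFFu))

/* Layouts modelled on the field names visible in the gdb output (assumption). */
struct ring_node { struct ring_node *rn_prev, *rn_next; };
struct ring      { struct ring_node *r_hook; unsigned long r_nodes; };

/* Quarantine: a freed block is poisoned but not returned to malloc until
   quarantine_drain(), so a stale read in this demo is well-defined and is
   guaranteed to see the poison. */
#define QUARANTINE_SLOTS 16
static void  *quarantine[QUARANTINE_SLOTS];
static size_t quarantine_len;

void *pmalloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, ALLOC_FILL, n);   /* uninitialised fields become visible */
    return p;
}

void pfree(void *p, size_t n) {
    if (!p) return;
    memset(p, FREE_FILL, n);           /* poison before letting go of the block */
    if (quarantine_len < QUARANTINE_SLOTS)
        quarantine[quarantine_len++] = p;
    else
        free(p);                       /* quarantine full: release for real */
}

void quarantine_drain(void) {
    while (quarantine_len > 0)
        free(quarantine[--quarantine_len]);
}

/* True when every byte of the pointer value equals `fill`: the pointer was
   read from memory the allocator filled, not memory the program wrote. */
int pointer_is_fill(const void *p, unsigned char fill) {
    unsigned char bytes[sizeof p];
    memcpy(bytes, &p, sizeof p);
    for (size_t i = 0; i < sizeof p; i++)
        if (bytes[i] != fill) return 0;
    return 1;
}

enum ring_state { RING_LIVE, RING_FREED, RING_UNINIT };

/* Guard an exit-time handler would run before trusting the hook pointer. */
enum ring_state classify_ring(const struct ring *r) {
    if (pointer_is_fill(r->r_hook, FREE_FILL))  return RING_FREED;
    if (pointer_is_fill(r->r_hook, ALLOC_FILL)) return RING_UNINIT;
    return RING_LIVE;
}

/* The report's scenario: the ring is torn down, then a late handler still
   wants to append to it. Returns what the guard observed. */
enum ring_state demo_stale_ring(void) {
    struct ring *r = pmalloc(sizeof *r);
    struct ring_node *n = pmalloc(sizeof *n);
    if (!r || !n) abort();
    n->rn_prev = n->rn_next = n;
    r->r_hook = n;
    r->r_nodes = 1;

    pfree(r, sizeof *r);                      /* teardown; r is now poisoned */
    enum ring_state st = classify_ring(r);    /* stale read, but quarantined */
    if (st == RING_LIVE)
        n->rn_prev = r->r_hook->rn_prev;      /* the line that crashed in pth_ring.c */

    quarantine_drain();
    free(n);
    return st;
}

/* A ring that was allocated but never initialised. */
enum ring_state demo_uninit_ring(void) {
    struct ring *r = pmalloc(sizeof *r);
    if (!r) abort();
    enum ring_state st = classify_ring(r);
    pfree(r, sizeof *r);
    quarantine_drain();
    return st;
}

int main(void) {
    static const char *names[] = { "live", "freed", "uninitialised" };
    printf("stale ring:  %s\n", names[demo_stale_ring()]);
    printf("uninit ring: %s\n", names[demo_uninit_ring()]);
    return 0;
}
```

Without a fill pattern, freed or never-initialised memory frequently still holds a plausible-looking old pointer, so a bug like the one in the backtrace above passes silently most of the time; poisoning turns it into a crash or, with a guard like classify_ring, into a detectable state every time. Real glibc applies the same idea process-wide via MALLOC_PERTURB_ (or mallopt with M_PERTURB), which is why running the test suite with that variable set is a cheap way to surface such defects before they ship.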

Comment 1 Jim Meyering 2011-09-19 19:30:15 UTC
I've set priority to "HIGH".
Anything that can make a security-sensitive tool like gpg segfault
is important enough to fix ASAP.

Comment 2 Tomas Mraz 2011-09-19 21:11:53 UTC
Can you please try this build:
http://koji.fedoraproject.org/koji/buildinfo?buildID=264361

At least for me it fixed the crashing and the related code (estream.c) is touched in the upstream update.

Comment 3 Jim Meyering 2011-09-20 06:14:58 UTC
Thanks.  With that, it no longer segfaults for me, either.

Comment 4 Fedora Update System 2011-09-20 15:12:11 UTC
gnupg2-2.0.18-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/gnupg2-2.0.18-1.fc16

Comment 5 Fedora Update System 2011-09-20 19:03:04 UTC
Package gnupg2-2.0.18-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnupg2-2.0.18-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/gnupg2-2.0.18-1.fc16
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-09-30 19:28:13 UTC
gnupg2-2.0.18-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.