Description of problem:
Tried to add a recovery key to a LUKS2 volume. systemd-cryptenroll died with SIGABRT:

# systemd-cryptenroll --recovery-key /dev/nvme0n1p8 
🔐 Please enter current passphrase for disk /dev/nvme0n1p8: ************            
*** buffer overflow detected ***: terminated
Aborted (core dumped)

ABRT (as usual at the moment) claimed the core dump was of 'low informational value'. Nevertheless from coredumpctl debug we have (with paranoid redactions):


#0  0x00007f371569f2a2 in raise () from /lib64/libc.so.6
#1  0x00007f37156888a4 in abort () from /lib64/libc.so.6
#2  0x00007f37156e1a97 in __libc_message () from /lib64/libc.so.6
#3  0x00007f3715771c8a in __fortify_fail () from /lib64/libc.so.6
#4  0x00007f3715770566 in __chk_fail () from /lib64/libc.so.6
#5  0x00007f3715771c35 in __explicit_bzero_chk () from /lib64/libc.so.6
#6  0x00007f3715d3de08 in explicit_bzero (__len=<optimized out>, __dest=0xREMOVED) at /usr/include/bits/string_fortified.h:72
#7  explicit_bzero_safe (l=<optimized out>, p=0xREMOVED) at ../src/basic/memory-util.h:77
#8  erase_and_free (p=0xREMOVED) at ../src/basic/memory-util.h:92
#9  erase_and_freep (p=<synthetic pointer>) at ../src/basic/memory-util.h:97
#10 make_recovery_key (ret=0xREMOVED) at ../src/basic/recovery-key.c:76
#11 0x000055e2368d2118 in enroll_recovery (volume_key_size=64, volume_key=0xREMOVED, cd=0xREMOVED)
    at ../src/cryptenroll/cryptenroll-recovery.c:28
#12 run (argv=<optimized out>, argc=<optimized out>) at ../src/cryptenroll/cryptenroll.c:481
#13 main (argc=<optimized out>, argv=<optimized out>) at ../src/cryptenroll/cryptenroll.c:518


Version-Release number of selected component (if applicable):
systemd-248.3-1.fc34.x86_64

How reproducible:
Consistently.