Bug 735967 - gpg-agent segfaults via ..., pth_mutex_acquire, __pth_ring_append
Summary: gpg-agent segfaults via ..., pth_mutex_acquire, __pth_ring_append
Alias: None
Product: Fedora
Classification: Fedora
Component: gnupg2
Version: 16
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2011-09-06 10:27 UTC by Jim Meyering
Modified: 2016-04-26 21:22 UTC (History)

Fixed In Version: gnupg2-2.0.18-1.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-09-30 19:28:19 UTC
Type: ---


Description Jim Meyering 2011-09-06 10:27:11 UTC
Description of problem: this command always segfaults:
gpg-agent --enable-ssh-support --use-standard-socket --daemon
(at least when you have the MALLOC_PERTURB_ envvar set to nonzero)

Version-Release number of selected component (if applicable):

How reproducible: every time

Steps to Reproduce:

  1. env -i MALLOC_PERTURB_=23 \
    gpg-agent --enable-ssh-support --use-standard-socket --daemon

Actual results:

  Program received signal SIGSEGV, Segmentation fault

Expected results:

  exit 0

Additional info:

This happens only when MALLOC_PERTURB_ is nonzero.
That suggests use of pointer to freed or uninitialized heap memory.
This is *not* a problem with x86_64 rawhide's gnupg2-2.0.18-1.fc17.x86_64.
I haven't tested on i686 rawhide or on x86_64 F16.

Note that in the log below, r->f_hook is obviously an invalid
(freed?) pointer.  Considering that this failure is in the guts of pth
code, I compared pth versions.  Both are pth-2.0.7-10.

$ env -i MALLOC_PERTURB_=23 \
  gdb --args gpg-agent --enable-ssh-support --use-standard-socket --daemon
(gdb) r
Starting program: /usr/bin/gpg-agent --enable-ssh-support --use-standard-socket --daemon
Detaching after fork from child process 21634.
GPG_AGENT_INFO=/home/meyering/.gnupg/S.gpg-agent:21634:1; export GPG_AGENT_INFO;
SSH_AUTH_SOCK=/home/meyering/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

Program received signal SIGSEGV, Segmentation fault.
__pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
166             rn->rn_prev = r->r_hook->rn_prev;
(gdb) p *r
$1 = {
  r_hook = 0x8e8e8e8e,
  r_nodes = 2391707278
(gdb) bt
#0  __pth_ring_append (r=0x809a730, rn=0x8089ba8) at pth_ring.c:166
#1  0x462418f9 in pth_mutex_acquire (ev_extra=<optimized out>,
    tryonly=<optimized out>, mutex=<optimized out>) at pth_sync.c:101
#2  pth_mutex_acquire (mutex=0x8089ba8, tryonly=0, ev_extra=0x0)
    at pth_sync.c:45
#3  0x0806eafe in es_list_iterate (iterator=<optimized out>) at estream.c:391
#4  es_fflush (stream=0x0) at estream.c:2682
#5  0x0806eb60 in es_deinit () at estream.c:444
#6  0x460c9111 in __run_exit_handlers (status=0, listp=0x46233324,
    run_list_atexit=true) at exit.c:78
#7  0x460c919d in __GI_exit (status=0) at exit.c:100
#8  0x0804e1d3 in main (argc=Cannot access memory at address 0x8e8e8e8e) at gpg-agent.c:1200

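The report's diagnostic, "it crashes only when MALLOC_PERTURB_ is nonzero", written up as a small reusable harness; this is an added example, not code from the report or from gnupg2. It runs a command once with the variable unset and once with it set to the given byte value (23 as in the report), then classifies the pair of exit statuses (a SIGSEGV surfaces as status 139, i.e. 128 + 11); the function names are my own.

```shell
#!/bin/sh
# run_status: run "$@" quietly and print its exit status.
# Wrapped in an `if` so the harness also works under `set -e`.
run_status() {
    if "$@" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# perturb_check PERTURB_BYTE CMD [ARGS...]
# Prints one of:
#   clean              - exits 0 with and without MALLOC_PERTURB_
#   fails-regardless   - fails either way (not a perturb-only bug)
#   perturb-sensitive  - clean normally, SIGSEGV only when perturbed:
#                        the signature of reading freed or uninitialised
#                        heap memory, as in the gpg-agent report above
#   differs            - statuses differ in some other way; look closer
perturb_check() {
    perturb=$1; shift
    plain=$(unset MALLOC_PERTURB_; run_status "$@")
    pert=$(export MALLOC_PERTURB_="$perturb"; run_status "$@")
    if [ "$plain" -eq 0 ] && [ "$pert" -eq 0 ]; then
        label=clean
    elif [ "$plain" -ne 0 ] && [ "$pert" -ne 0 ]; then
        label=fails-regardless
    elif [ "$plain" -eq 0 ] && [ "$pert" -eq 139 ]; then
        label=perturb-sensitive
    else
        label=differs
    fi
    echo "$label plain=$plain perturbed=$pert"
}

# Usage, as in the report (daemonises, so check a non-daemon run if you
# want the status of the process that actually crashes):
#   perturb_check 23 gpg-agent --enable-ssh-support --use-standard-socket
```
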
Comment 1 Jim Meyering 2011-09-19 19:30:15 UTC
I've set priority to "HIGH".
Anything that can make a security-sensitive tool like gpg segfault
is important enough to fix ASAP.

Comment 2 Tomas Mraz 2011-09-19 21:11:53 UTC
Can you please try this build:

At least for me it fixed the crashing and the related code (estream.c) is touched in the upstream update.

Comment 3 Jim Meyering 2011-09-20 06:14:58 UTC
Thanks.  With that, it no longer segfaults for me, either.

Comment 4 Fedora Update System 2011-09-20 15:12:11 UTC
gnupg2-2.0.18-1.fc16 has been submitted as an update for Fedora 16.

Comment 5 Fedora Update System 2011-09-20 19:03:04 UTC
Package gnupg2-2.0.18-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnupg2-2.0.18-1.fc16'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-09-30 19:28:13 UTC
gnupg2-2.0.18-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
