Crash on ssh-add
Closed, Resolved (Public)

Description

When using ssh-add to add an ssh key (RSA 2048) with no other keys present in
the database gpg-agent crashes with the message

segfault at 7f013db34050 ip 0000000000414796 sp 00007f013ca44d40 error 7 in gpg-agent[400000+5f000]

Though no other keys were present, the agent did first connect to a gpg smart
card (YubiKey NEO).

Arch Linux, kernel 4.1.6

% gpg --version
gpg (GnuPG) 2.1.8
libgcrypt 1.6.4
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Details

Version
2.1.8
dangersalad set Version to 2.1.8. Sep 25 2015, 1:33 PM
dangersalad added projects: gnupg, Bug Report.
dangersalad added a subscriber: dangersalad.

It seems this is related to T2096, but the key in question here is RSA, not
ed25519. Downgrading to 2.1.7 worked for me as well.

Here is a gdb backtrace of the segfault:

GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/gpg-agent...done.
[New LWP 7934]
[New LWP 7066]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `/usr/bin/gpg-agent --daemon --debug-level 99 --enable-ssh-support --log-file /h'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 ssh_identity_register (confirm=0, ttl=0, key=0x7f9a398ee800, spec=0x7f9a38804db0, ctrl=0x11fdda0) at command-ssh.c:3114
3114 command-ssh.c: No such file or directory.
[Current thread is 1 (Thread 0x7f9a38805700 (LWP 7934))]
(gdb) bt
#0 ssh_identity_register (confirm=0, ttl=0, key=0x7f9a398ee800, spec=0x7f9a38804db0, ctrl=0x11fdda0) at command-ssh.c:3114
#1 ssh_handler_add_identity (ctrl=0x11fdda0, request=<optimized out>, response=0x7f9a34004d20) at command-ssh.c:3249
#2 0x0000000000417948 in ssh_request_process (stream_sock=0x7f9a340009c0, ctrl=0x11fdda0) at command-ssh.c:3515
#3 start_command_handler_ssh (ctrl=ctrl@entry=0x11fdda0, sock_client=<optimized out>) at command-ssh.c:3621
#4 0x0000000000409c3b in start_connection_thread_ssh (arg=0x11fdda0) at gpg-agent.c:2278
#5 0x00007f9a38dc8e5c in ?? () from /usr/lib/libnpth.so.0
#6 0x00007f9a38bb14a4 in start_thread () from /usr/lib/libpthread.so.0
#7 0x00007f9a388ef13d in clone () from /usr/lib/libc.so.6

Backtrace without the Arch patch, for the RSA key:

#0 ssh_identity_register (confirm=0, ttl=0, key=0x7ff366864800, spec=0x7ff36577adb0, ctrl=0x14e0da0) at command-ssh.c:3112
#1 ssh_handler_add_identity (ctrl=0x14e0da0, request=<optimized out>, response=0x7ff360004d20) at command-ssh.c:3247
#2 0x0000000000417948 in ssh_request_process (stream_sock=0x7ff3600009c0, ctrl=0x14e0da0) at command-ssh.c:3513
#3 start_command_handler_ssh (ctrl=ctrl@entry=0x14e0da0, sock_client=<optimized out>) at command-ssh.c:3619
#4 0x0000000000409c3b in start_connection_thread_ssh (arg=0x14e0da0) at gpg-agent.c:2278
#5 0x00007ff365d3ee5c in ?? () from /usr/lib/libnpth.so.0
#6 0x00007ff365b274a4 in start_thread () from /usr/lib/libpthread.so.0
#7 0x00007ff36586513d in clone () from /usr/lib/libc.so.6

gniibe added a subscriber: gniibe. Sep 28 2015, 10:30 AM

Thank you for the bug report with the trace.

I think that the code has been buggy and the change since 2.1.7 reveals the bug.
Here is a possible fix. It's a pointer calculation error.

gniibe claimed this task. Sep 28 2015, 10:30 AM

Sorry, the patch from yesterday was wrong.
Please test the attached new patch, gpg-ssh-agent-20150929.diff.

Sorry, I spoke too soon in that last message; the bug was still there. I was
just running the agent at version 2.1.7... not awake yet.

Anyway, your patch solved the issue of not being able to add new keys to the
agent via ssh-add, though it may have raised another issue.

I successfully added a new key to the agent, then I removed it from the
sshcontrol file and added it again. When trying to re-add it after restarting
the agent, it did not show a password prompt to set the password. Instead it
returned a success message without actually adding the key to the agent.

% ssh-add foo
Identity added: foo (foo)

Thank you for testing.

After ssh-add'ing your key, you have .gnupg/private-keys-v1.d/<KEYGRIP>.key registered.
Removing an entry in .gnupg/sshcontrol manually doesn't remove the file, and that
results in an inconsistent state.
Please remove the file.

I admit that the current UI set for SSH is not enough; we need improvement here.
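The inconsistency gniibe describes (a keygrip removed from sshcontrol while its <KEYGRIP>.key file stays in private-keys-v1.d, so the next ssh-add reports success without a passphrase prompt) is easy to audit for. The following POSIX shell helpers are an added example, not code from GnuPG or from anyone in this thread. They assume the GnuPG 2.1 sshcontrol layout: one keygrip (40 hex characters) per line, an optional TTL and flags after it, '#' comments, and a leading '!' marking a disabled entry; and that ssh-add'ed keys are stored as private-keys-v1.d/<KEYGRIP>.key. They deliberately do not report every key file that lacks an sshcontrol entry, because OpenPGP secret keys live in the same directory; use sshkey_state with the keygrip of the specific key you are trying to re-add. The keygrips used in the comments are constructed for illustration.

```shell
#!/bin/sh
# check_sshcontrol.sh -- added example, not part of GnuPG.
#
# gpg-agent records every ssh-add'ed key twice:
#   $GNUPGHOME/sshcontrol                      one line with the keygrip
#   $GNUPGHOME/private-keys-v1.d/<KEYGRIP>.key the key itself
# Editing sshcontrol by hand leaves the .key file behind. These helpers
# compare the two so a stale file can be found and removed.

# Print the keygrips listed in sshcontrol, one per line, uppercased.
# '#' comments, blank lines and a leading '!' (disabled entry) are handled;
# the first remaining field of each line is the keygrip.
sshcontrol_grips() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*!//' "$1/sshcontrol" |
        awk 'NF { print toupper($1) }'
}

# sshkey_state <gnupghome> <keygrip>
# Prints one of:
#   ok              listed in sshcontrol and key file present
#   orphan-file     key file present but not listed (the stale state
#                   described in the thread; remove the file before
#                   running ssh-add again)
#   dangling-entry  listed but key file missing
#   absent          neither
sshkey_state() {
    home=$1
    grip=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    listed=0; stored=0
    sshcontrol_grips "$home" 2>/dev/null | grep -qx "$grip" && listed=1
    [ -f "$home/private-keys-v1.d/$grip.key" ] && stored=1
    case "$listed$stored" in
        11) echo ok ;;
        01) echo orphan-file ;;
        10) echo dangling-entry ;;
        *)  echo absent ;;
    esac
}

# check_sshcontrol <gnupghome>
# Walks every sshcontrol entry and prints one line per problem.
# Returns 0 if every entry is well-formed and has its key file,
# 1 otherwise, 2 if the expected files/directories are missing.
check_sshcontrol() {
    home=$1
    [ -f "$home/sshcontrol" ] || { echo "missing $home/sshcontrol"; return 2; }
    [ -d "$home/private-keys-v1.d" ] || { echo "missing $home/private-keys-v1.d"; return 2; }
    status=0
    for g in $(sshcontrol_grips "$home"); do
        # A keygrip is 40 hex digits; anything else is a corrupt line.
        if ! printf '%s\n' "$g" | grep -Eq '^[0-9A-F]{40}$'; then
            echo "malformed keygrip in sshcontrol: $g"
            status=1
            continue
        fi
        if [ "$(sshkey_state "$home" "$g")" = dangling-entry ]; then
            echo "dangling-entry: $g (listed in sshcontrol, no private-keys-v1.d/$g.key)"
            status=1
        fi
    done
    return $status
}

# Stand-alone use (hypothetical variable name chosen for this example):
#   CHECK_GNUPGHOME="$HOME/.gnupg" sh check_sshcontrol.sh
if [ -n "${CHECK_GNUPGHOME:-}" ]; then
    check_sshcontrol "$CHECK_GNUPGHOME"
fi
```

To diagnose the case in this thread, run `sshkey_state "$HOME/.gnupg" <KEYGRIP>` for the key you tried to re-add: `orphan-file` is exactly the state gniibe asks you to fix by deleting the .key file, after which ssh-add prompts for a passphrase and writes a fresh sshcontrol entry again. `check_sshcontrol` catches the opposite drift (an entry whose key file was deleted), which makes ssh-add -l and the agent disagree about what is loaded.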

werner added a subscriber: werner. Oct 2 2015, 11:11 AM

What I have in mind is to create a metadata file for each key file. This file
can then be used for things like confirm flags. There is, for example, a request
to add a confirm flag for OpenPGP keys if used with --extra-socket. Maybe we can
even fade out sshcontrol and use such a metadata file instead.

Then it would be really useful to have a GUI to edit these files.

werner lowered the priority of this task from Unbreak Now! to Normal. Oct 28 2015, 5:24 PM
werner closed this task as Resolved.

The problem itself has been fixed. Please open another bug for the UX problem.