failed to build S-Exp (off=0): Cannot allocate memory
Closed, ResolvedPublic

Description

I am getting frequent failures to run gpg -d using gpg-connect-agent to manage keys.

I am using Arch Linux with GnuPG 2.2.3-1. The output in journalctl is

failed to build S-Exp (off=0): Cannot allocate memory
failed to read the secret key
command 'PKDECRYPT' failed: Cannot allocate memory <gcrypt>
Ohhhh jeeee: ... this is a bug (sexp.c:1460:do_vsexp_sscan)

I have found related issues, e.g. here and here, though these apply to previous versions, and appear to have been closed as fixed.

It is possible that about 3-4 instances of gpg are trying to decrypt simultaneously.

Please let me know if i can provide more useful information. Thanks.

Details

Version
2.2.3
werner added a subscriber: werner.

Which libgcrypt version are you using (gpg --version shows it)

Version 1.8.1. The full output is

$ gpg --version
gpg (GnuPG) 2.2.3
libgcrypt 1.8.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/matt/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

The fatal bug you reported can happen if the process is running out of secure memory. In general it should return an error but there is one place where we assumed the allocation would always succeed. This has meanwhile changed in the repo and will go into 1.8.2 However, this is not the real problem you have but just a wrong error behaviour.

With several connections using large keys, gpg-agent may indeed run out of memory. See T3530 for the solution we implemented. Will go into Libgcrypt 1.8.2 and GnuPG 2.2.4 to be released next week.

werner triaged this task as Normal priority.Dec 12 2017, 9:11 AM

Great, many thanks.

werner closed this task as Resolved.Dec 12 2018, 8:30 AM
werner claimed this task.

T3530 describes the solution. In short: Put "auto-expand-secmem" into gpg-agent.conf.