gpg-agent crashes during signing: free(): invalid pointer
Closed, Resolved (Public)

Description

When trying to sign git commits (i.e. git commit --gpg-sign) in Gentoo Linux, the gpg-agent service crashes in the background after PIN entry.

gpg-agent was started using the arguments --homedir ${HOME}/.gnupg --daemon.

GDB log:

(gdb) thread apply all bt

Thread 2 (Thread 0x7f0c8bd10640 (LWP 51364) "gpg-agent"):
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
#1  0x00007f0c8bd38538 in __GI_abort () at abort.c:79
#2  0x00007f0c8bd90947 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0c8be9b3c2 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007f0c8bd9839c in malloc_printerr (str=str@entry=0x7f0c8be99593 "free(): invalid pointer") at malloc.c:5389
#4  0x00007f0c8bd99754 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4201
#5  0x00007f0c8bf4aa05 in _gcry_free (p=0x7f0c8c065100 <_gcry_pubkey_spec_ecc>) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/src/global.c:1035
#6  0x00007f0c8bf5faa9 in _gcry_pk_util_free_encoding_ctx (ctx=ctx@entry=0x7f0c8bd0fb10) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/pubkey-util.c:651
#7  0x00007f0c8bfcf5ea in ecc_sign (r_sig=0x7f0c8bd0fc20, s_data=<optimized out>, keyparms=<optimized out>) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/ecc.c:766
#8  0x00007f0c8bf5e270 in _gcry_pk_sign (r_sig=r_sig@entry=0x7f0c8bd0fc20, s_hash=s_hash@entry=0x7f0c84003e80, s_skey=s_skey@entry=0x7f0c8c091010) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/pubkey.c:430
#9  0x00007f0c8bf47cd6 in gcry_pk_sign (result=result@entry=0x7f0c8bd0fc20, data=0x7f0c84003e80, skey=0x7f0c8c091010) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/src/visibility.c:1002
#10 0x0000558e6185b8bb in agent_pksign_do (ctrl=ctrl@entry=0x558e62cdeeb0, cache_nonce=cache_nonce@entry=0x0, desc_text=<optimized out>, signature_sexp=signature_sexp@entry=0x7f0c8bd0fcb0, cache_mode=cache_mode@entry=CACHE_MODE_NORMAL, lookup_ttl=lookup_ttl@entry=0x0, overridedata=0x0, overridedatalen=0) at pksign.c:484
#11 0x0000558e6185bf87 in agent_pksign (ctrl=ctrl@entry=0x558e62cdeeb0, cache_nonce=cache_nonce@entry=0x0, desc_text=<optimized out>, outbuf=outbuf@entry=0x7f0c8bd0fd00, cache_mode=cache_mode@entry=CACHE_MODE_NORMAL) at pksign.c:550
#12 0x0000558e6184e18a in cmd_pksign (ctx=0x7f0c84000bc0, line=<optimized out>) at command.c:776
#13 0x00007f0c8bf02a65 in dispatch_command (ctx=0x7f0c84000bc0, line=0x7f0c84000d16 "", linelen=<optimized out>) at assuan-handler.c:676
#14 0x00007f0c8bf02e59 in process_request (ctx=0x7f0c84000bc0) at assuan-handler.c:872
#15 assuan_process (ctx=0x7f0c84000bc0) at assuan-handler.c:895
#16 0x0000558e6184ff28 in start_command_handler (ctrl=ctrl@entry=0x558e62cdeeb0, listen_fd=listen_fd@entry=-1, fd=9) at command.c:3555
#17 0x0000558e618480a6 in do_start_connection_thread (ctrl=0x558e62cdeeb0) at gpg-agent.c:2712
#18 0x00007f0c8bef549e in thread_start (startup_arg=<optimized out>) at npth.c:306
#19 0x00007f0c8bedaf9e in start_thread (arg=0x7f0c8bd10640) at pthread_create.c:463
#20 0x00007f0c8be1075f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Thread 1 (Thread 0x7f0c8bd11740 (LWP 51344) "gpg-agent"):
#0  0x00007f0c8be08116 in __pselect (nfds=nfds@entry=9, readfds=readfds@entry=0x7ffdd97d5fa0, writefds=writefds@entry=0x0, exceptfds=exceptfds@entry=0x0, timeout=<optimized out>, timeout@entry=0x7ffdd97d5e00, sigmask=0x7ffdd97d5d10, sigmask@entry=0x7f0c8bef9120 <sigev_unblock>) at ../sysdeps/unix/sysv/linux/pselect.c:48
#1  0x00007f0c8bef5bcf in npth_pselect (nfd=nfd@entry=9, rfds=rfds@entry=0x7ffdd97d5fa0, wfds=wfds@entry=0x0, efds=efds@entry=0x0, timeout=timeout@entry=0x7ffdd97d5e00, sigmask=0x7f0c8bef9120 <sigev_unblock>) at npth.c:626
#2  0x0000558e618491d6 in handle_connections (listen_fd=listen_fd@entry=3, listen_fd_extra=listen_fd_extra@entry=4, listen_fd_browser=listen_fd_browser@entry=5, listen_fd_ssh=listen_fd_ssh@entry=6) at gpg-agent.c:2995
#3  0x0000558e6184685b in main (argc=<optimized out>, argv=<optimized out>) at gpg-agent.c:1790
(gdb) bt full
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:49
        set = {__val = {18947, 7, 32, 24, 139689516335106, 16, 64, 0, 206158430210, 0, 0, 0, 511101108315, 532575944814, 0, 0}}
        pid = <optimized out>
        tid = <optimized out>
        ret = <optimized out>
#1  0x00007f0c8bd38538 in __GI_abort () at abort.c:79
        save_stage = 1
        act = {__sigaction_handler = {sa_handler = 0x1, sa_sigaction = 0x1}, sa_mask = {__val = {139691865236869, 1, 0, 139691730937744, 139691865238746, 139691862063360, 139691862063360, 1, 139691864399886, 139691862063328, 11612996636591345152, 139691862063464, 24, 139691862063360, 139691864405888, 139691730944224}}, sa_flags = -1512747520, sa_restorer = 0x1}
        sigs = {__val = {32, 139691862063184, 8, 139691864399886, 139691730937968, 2, 139691730938000, 8, 139691862063184, 139691864405888, 139691730937968, 11612996636591345152, 139691730944288, 139691730937744, 1, 139691864406304}}
#2  0x00007f0c8bd90947 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f0c8be9b3c2 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
        ap = {{gp_offset = 24, fp_offset = 32524, overflow_arg_area = 0x7f0c8bd0fa40, reg_save_area = 0x7f0c8bd0f9d0}}
        fd = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
#3  0x00007f0c8bd9839c in malloc_printerr (str=str@entry=0x7f0c8be99593 "free(): invalid pointer") at malloc.c:5389
No locals.
#4  0x00007f0c8bd99754 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:4201
        size = 0
        fb = <optimized out>
        nextchunk = <optimized out>
        nextsize = <optimized out>
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        __PRETTY_FUNCTION__ = "_int_free"
#5  0x00007f0c8bf4aa05 in _gcry_free (p=0x7f0c8c065100 <_gcry_pubkey_spec_ecc>) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/src/global.c:1035
        save_errno = 2
#6  0x00007f0c8bf5faa9 in _gcry_pk_util_free_encoding_ctx (ctx=ctx@entry=0x7f0c8bd0fb10) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/pubkey-util.c:651
No locals.
#7  0x00007f0c8bfcf5ea in ecc_sign (r_sig=0x7f0c8bd0fc20, s_data=<optimized out>, keyparms=<optimized out>) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/ecc.c:766
        rc = GPG_ERR_INV_OBJ
        ctx = {op = 1657663472, nbits = 21902, encoding = PUBKEY_ENC_PKCS1_RAW, flags = 0, hash_algo = -2080359072, label = 0x7f0c8c065100 <_gcry_pubkey_spec_ecc> "\022", labellen = 0, saltlen = 139691864402437, verify_cmp = 0x558e62cdeff0, verify_arg = 0x7f0c8bf16ff8 <_gpg_err_set_errno+8>}
        data = 0x0
        sig_r = 0x0
        sig_s = 0x0
        ec = 0x0
        flags = 36864
#8  0x00007f0c8bf5e270 in _gcry_pk_sign (r_sig=r_sig@entry=0x7f0c8bd0fc20, s_hash=s_hash@entry=0x7f0c84003e80, s_skey=s_skey@entry=0x7f0c8c091010) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/cipher/pubkey.c:430
        rc = <optimized out>
        spec = 0x7f0c8c065100 <_gcry_pubkey_spec_ecc>
        keyparms = 0x7f0c84003d60
#9  0x00007f0c8bf47cd6 in gcry_pk_sign (result=result@entry=0x7f0c8bd0fc20, data=0x7f0c84003e80, skey=0x7f0c8c091010) at /var/tmp/portage/dev-libs/libgcrypt-1.9.0/work/libgcrypt-1.9.0/src/visibility.c:1002
No locals.
#10 0x0000558e6185b8bb in agent_pksign_do (ctrl=ctrl@entry=0x558e62cdeeb0, cache_nonce=cache_nonce@entry=0x0, desc_text=<optimized out>, signature_sexp=signature_sexp@entry=0x7f0c8bd0fcb0, cache_mode=cache_mode@entry=CACHE_MODE_NORMAL, lookup_ttl=lookup_ttl@entry=0x0, overridedata=0x0, overridedatalen=0) at pksign.c:484
        dsaalgo = <optimized out>
        err = 0
        s_skey = 0x7f0c8c091010
        s_sig = 0x0
        s_hash = 0x7f0c84003e80
        s_pkey = 0x0
        shadow_info = 0x0
        data = 0x558e62cdeef4 "\370\225\346\035\244\253\342.ڶ\375\025\065\252\274Ѫ\246\336A\251\321Ai\326e\222\360\217.\302<"
        datalen = <optimized out>
        check_signature = 0
#11 0x0000558e6185bf87 in agent_pksign (ctrl=ctrl@entry=0x558e62cdeeb0, cache_nonce=cache_nonce@entry=0x0, desc_text=<optimized out>, outbuf=outbuf@entry=0x7f0c8bd0fd00, cache_mode=cache_mode@entry=CACHE_MODE_NORMAL) at pksign.c:550
        err = <optimized out>
        s_sig = 0x0
        buf = 0x0
        len = 0
        __FUNCTION__ = "agent_pksign"
#12 0x0000558e6184e18a in cmd_pksign (ctx=0x7f0c84000bc0, line=<optimized out>) at command.c:776
        err = <optimized out>
        cache_mode = CACHE_MODE_NORMAL
        ctrl = 0x558e62cdeeb0
        outbuf = {len = 0, size = 512, buf = 0x7f0c84001fd0 "\001@\310\360\a", out_of_core = 0}
        cache_nonce = 0x0
        p = <optimized out>
#13 0x00007f0c8bf02a65 in dispatch_command (ctx=0x7f0c84000bc0, line=0x7f0c84000d16 "", linelen=<optimized out>) at assuan-handler.c:676
        err = <optimized out>
        p = <optimized out>
        s = <optimized out>
        shift = 6
        i = <optimized out>
#14 0x00007f0c8bf02e59 in process_request (ctx=0x7f0c84000bc0) at assuan-handler.c:872
        rc = 0
        rc = <optimized out>
#15 assuan_process (ctx=0x7f0c84000bc0) at assuan-handler.c:895
        rc = <optimized out>
#16 0x0000558e6184ff28 in start_command_handler (ctrl=ctrl@entry=0x558e62cdeeb0, listen_fd=listen_fd@entry=-1, fd=9) at command.c:3555
        client_pid = <optimized out>
        rc = <optimized out>
        ctx = 0x7f0c84000bc0
#17 0x0000558e618480a6 in do_start_connection_thread (ctrl=0x558e62cdeeb0) at gpg-agent.c:2712
No locals.
#18 0x00007f0c8bef549e in thread_start (startup_arg=<optimized out>) at npth.c:306
        startup = <optimized out>
        start_routine = 0x558e618487a0 <start_connection_thread_std>
        arg = 0x558e62cdeeb0
        result = <optimized out>
#19 0x00007f0c8bedaf9e in start_thread (arg=0x7f0c8bd10640) at pthread_create.c:463
        ret = <optimized out>
        pd = 0x7f0c8bd10640
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {139691862066752, -3528773724256371730, 140728252324910, 140728252324911, 0, 8396800, 3539355827841760238, 3539355577167608814}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = 0
#20 0x00007f0c8be1075f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
No locals.

Valgrind output:

==51164== Parent PID: 51162
==51164== 
==51164== Thread 2:
==51164== Conditional jump or move depends on uninitialised value(s)
==51164==    at 0x488F9B3: _gcry_free (global.c:1025)
==51164==    by 0x49145E9: ecc_sign (ecc.c:766)
==51164==    by 0x48A326F: _gcry_pk_sign (pubkey.c:430)
==51164==    by 0x488CCD5: gcry_pk_sign (visibility.c:1002)
==51164==    by 0x1288BA: agent_pksign_do (pksign.c:484)
==51164==    by 0x128F86: agent_pksign (pksign.c:550)
==51164==    by 0x11B189: cmd_pksign (command.c:776)
==51164==    by 0x49DCA64: dispatch_command.isra.0 (assuan-handler.c:676)
==51164==    by 0x49DCE58: process_request (assuan-handler.c:872)
==51164==    by 0x49DCE58: assuan_process (assuan-handler.c:895)
==51164==    by 0x11CF27: start_command_handler (command.c:3555)
==51164==    by 0x1150A5: do_start_connection_thread (gpg-agent.c:2712)
==51164==    by 0x49EC49D: thread_start (npth.c:306)
==51164==  Uninitialised value was created by a stack allocation
==51164==    at 0x49144A0: ecc_sign (ecc.c:682)
==51164== 
==51164== 
==51164== HEAP SUMMARY:
==51164==     in use at exit: 55,660 bytes in 72 blocks
==51164==   total heap usage: 343 allocs, 271 frees, 193,647 bytes allocated
==51164== 
==51164== Thread 1:
==51164== 34 bytes in 1 blocks are definitely lost in loss record 32 of 58
==51164==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==51164==    by 0x488F00D: do_malloc.constprop.0.isra.0 (global.c:920)
==51164==    by 0x48905A4: _gcry_malloc (global.c:942)
==51164==    by 0x48905A4: _gcry_realloc_core (global.c:996)
==51164==    by 0x49B3D6C: _gpgrt_realloc (init.c:247)
==51164==    by 0x49B3D6C: _gpgrt_strdup (init.c:348)
==51164==    by 0x49C64A7: _gpgrt_argparser (argparse.c:1672)
==51164==    by 0x1129A5: main (gpg-agent.c:1163)
==51164== 
==51164== 39 bytes in 1 blocks are definitely lost in loss record 36 of 58
==51164==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==51164==    by 0x488F00D: do_malloc.constprop.0.isra.0 (global.c:920)
==51164==    by 0x48905A4: _gcry_malloc (global.c:942)
==51164==    by 0x48905A4: _gcry_realloc_core (global.c:996)
==51164==    by 0x49B3D6C: _gpgrt_realloc (init.c:247)
==51164==    by 0x49B3D6C: _gpgrt_strdup (init.c:348)
==51164==    by 0x49C4231: _gpgrt_argparse.part.0 (argparse.c:1237)
==51164==    by 0x49C5DAF: _gpgrt_argparse (argparse.c:968)
==51164==    by 0x49C5DAF: _gpgrt_argparser (argparse.c:1809)
==51164==    by 0x1129A5: main (gpg-agent.c:1163)
==51164== 
==51164== LEAK SUMMARY:
==51164==    definitely lost: 73 bytes in 2 blocks
==51164==    indirectly lost: 0 bytes in 0 blocks
==51164==      possibly lost: 0 bytes in 0 blocks
==51164==    still reachable: 55,587 bytes in 70 blocks
==51164==         suppressed: 0 bytes in 0 blocks

Output of emerge -qpv --nodeps glibc libgcrypt gnupg:

[ebuild   R   ] sys-libs/glibc-2.32-r5  USE="caps (crypt) doc multiarch profile (ssp) (static-libs) -audit (-cet) -compile-locales -custom-cflags -gd -headers-only (-multilib) -nscd (-selinux) -static-pie -suid -systemtap -test (-vanilla)" 
[ebuild   R   ] dev-libs/libgcrypt-1.9.0  USE="asm doc static-libs -o-flag-munging" 
[ebuild   R   ] app-crypt/gnupg-2.2.27  USE="bzip2 doc readline smartcard ssl tools usb -ldap -nls -scd-shared-access (-selinux) -tofu -user-socket -wks-server"
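The traces above fit together: frame #7 (ecc_sign) shows rc = GPG_ERR_INV_OBJ and a ctx whose label field still holds a stale pointer to _gcry_pubkey_spec_ecc, a static object rather than heap memory; frame #6 (_gcry_pk_util_free_encoding_ctx) hands that pointer to free(), which glibc rejects with "free(): invalid pointer"; and Valgrind reports that the uninitialised value comes from a stack allocation in ecc_sign (ecc.c:682). In other words, an early error exit reaches the cleanup label before the stack context has been initialised. The following C program is an added, constructed illustration of that failure pattern and the usual mitigation (initialise the context before any path that can reach the cleanup); it is not libgcrypt's or GnuPG's code, and every name in it (encoding_ctx, sign_buggy, sign_fixed, the tracked allocator) is hypothetical. Because reading genuinely uninitialised memory is undefined behaviour, the stack garbage is modelled deterministically as a stale pointer to a static object, and free() of an untracked pointer is counted instead of aborting, so the program can show both variants side by side.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the stack context seen in frame #7: its cleanup
   releases a heap-owned `label` buffer. Not libgcrypt's definition. */
struct encoding_ctx {
    int encoding;
    unsigned char *label;   /* heap-owned when non-NULL; released by free_encoding_ctx() */
    size_t labellen;
};

/* Static object standing in for the non-heap pointer the agent handed to free(). */
static const char static_spec[] = "ecc-spec";

/* Tracked allocator: remembers what we allocated so that a free() of anything
   else is counted instead of aborting as glibc does ("free(): invalid pointer"). */
#define MAX_TRACKED 16
static void *tracked[MAX_TRACKED];
static int invalid_free_count;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    for (int i = 0; p && i < MAX_TRACKED; i++)
        if (!tracked[i]) { tracked[i] = p; break; }
    return p;
}

static void tracked_free(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (tracked[i] == p) { tracked[i] = NULL; free(p); return; }
    invalid_free_count++;   /* glibc's malloc_printerr() would abort here */
}

void reset_tracker(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) { free(tracked[i]); tracked[i] = NULL; }
    invalid_free_count = 0;
}

int invalid_frees(void) { return invalid_free_count; }

static void init_encoding_ctx(struct encoding_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->encoding = 1;
}

static void free_encoding_ctx(struct encoding_ctx *ctx)
{
    tracked_free(ctx->label);   /* trusts that ctx->label is NULL or ours */
    ctx->label = NULL;
    ctx->labellen = 0;
}

/* Buggy shape: the early error exit is taken before init_encoding_ctx() runs,
   yet `leave` still runs the cleanup on the never-initialised context. */
int sign_buggy(const char *keyparms)
{
    struct encoding_ctx ctx;
    int rc = 0;

    ctx.encoding = 0;
    ctx.label = (unsigned char *)static_spec;   /* modelled stack garbage */
    ctx.labellen = 0;

    if (!keyparms || !*keyparms) { rc = EINVAL; goto leave; }  /* plays GPG_ERR_INV_OBJ */
    init_encoding_ctx(&ctx);
    ctx.label = tracked_malloc(6);
    if (!ctx.label) { rc = ENOMEM; goto leave; }
    memcpy(ctx.label, "label", 6);
    ctx.labellen = 5;

leave:
    free_encoding_ctx(&ctx);   /* on the early error path this frees the stale pointer */
    return rc;
}

/* Hardened shape: the context is initialised before the first path that can
   reach `leave`, so the cleanup only ever sees NULL or a pointer it owns. */
int sign_fixed(const char *keyparms)
{
    struct encoding_ctx ctx;
    int rc = 0;

    init_encoding_ctx(&ctx);
    if (!keyparms || !*keyparms) { rc = EINVAL; goto leave; }
    ctx.label = tracked_malloc(6);
    if (!ctx.label) { rc = ENOMEM; goto leave; }
    memcpy(ctx.label, "label", 6);
    ctx.labellen = 5;

leave:
    free_encoding_ctx(&ctx);
    return rc;
}

int main(void)
{
    reset_tracker();
    printf("buggy, bad key: rc=%d invalid frees=%d\n", sign_buggy(""), invalid_frees());
    reset_tracker();
    printf("fixed, bad key: rc=%d invalid frees=%d\n", sign_fixed(""), invalid_frees());
    reset_tracker();
    printf("fixed, ok key:  rc=%d invalid frees=%d\n", sign_fixed("(key)"), invalid_frees());
    reset_tracker();
    return 0;
}
```

The same shape is what Valgrind flags: the conditional jump in the free routine depends on a value that was never written, and glibc's allocator rejects the pointer because it does not point at a heap chunk. Running the real agent under Valgrind, as the report does, or building with -fsanitize=address, surfaces this class of defect before it reaches the abort.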

Details

Version
2.2.27