
Crash in ask_for_card
Closed, ResolvedPublic

Description

I get a reproducible SEGV in 2.2.37's gpg-agent but cannot say much about the circumstances that trigger it.

The backtrace is:

#0  0x0000555c8c0d0379 in ask_for_card (ctrl=0x555c8cb7aae0, shadow_info=<optimized out>, grip=<optimized out>,
     r_kid=0x7fef839fed50) at /usr/src/debug/gnupg-2.2.37/agent/divert-scd.c:108
#1  0x0000555c8c0a8dce in divert_pkdecrypt (desc_text=<optimized out>, r_padding=0x7fef839fed1c,
     r_len=<synthetic pointer>, r_buf=<synthetic pointer>, shadow_info=0x7fef7c003620 "(16:\322v",
     grip=0x555c8cb7ab6c "\221\367hPD\350\274\065\245Yy\355+\265\030K\365p\323\313\001", cipher=<optimized out>,
     ctrl=0x555c8cb7aae0) at /usr/src/debug/gnupg-2.2.37/agent/divert-scd.c:691
#2  agent_pkdecrypt (r_padding=0x7fef839fed1c, outbuf=0x7fef839fed70, ciphertextlen=283, ciphertext=<optimized out>,
     desc_text=<optimized out>, ctrl=0x555c8cb7aae0) at /usr/src/debug/gnupg-2.2.37/agent/pkdecrypt.c:89
#3  cmd_pkdecrypt (ctx=0x7fef7c000b70, line=<optimized out>) at /usr/src/debug/gnupg-2.2.37/agent/command.c:817
#4  0x00007fef83fd3552 in ?? () from /usr/lib/libassuan.so.0
#5  0x00007fef83fd395b in assuan_process () from /usr/lib/libassuan.so.0
#6  0x0000555c8c0d5d08 in start_command_handler.constprop.0 (ctrl=ctrl@entry=0x555c8cb7aae0, fd=<optimized out>,
     listen_fd=-1) at /usr/src/debug/gnupg-2.2.37/agent/command.c:3601
#7  0x0000555c8c0a65d0 in do_start_connection_thread (ctrl=0x555c8cb7aae0)
     at /usr/src/debug/gnupg-2.2.37/agent/gpg-agent.c:2724
#8  0x00007fef83fc71cf in ?? () from /usr/lib/libnpth.so.0
#9  0x00007fef83e3e78d in start_thread (arg=<optimized out>) at pthread_create.c:442
#10 0x00007fef83ebf8e4 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:100

From looking at the variables, I think the new code in ask_for_card has invalid expectations on the outcome of agent_keymeta_from_file, as keymeta is still NULL after the call in my case but in line 108 it gets fed to nvc_lookup which does not expect that.

Happy to check / provide anything useful.

Details

Version
2.2.37

Event Timeline

Oh well, why do I receive such bug reports right after the next release :-(

Any hints what I can try to replicate it? Do you have a Token: or Label: line in your private key stub file?

You are right. This is due to your old binary private key (stubs). Otherwise you would at least have one item ("Key:"). I need to see what to do about the release. Maybe a tool to update the key files would be a good workaround.
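The failure mode described in the report and in the comment above, as an added example (not GnuPG's code): an old binary key stub is an S-expression, so no "Name: value" metadata can be parsed from it and the metadata container stays NULL; a lookup that dereferences that container unconditionally crashes, while one that treats NULL as "no such field" does not. The container type, the parser and all function names (`keymeta_from_buffer`, `nvc_lookup_safe`, the `stub_*` helpers) are hypothetical stand-ins, not the agent's real API; the stub contents are constructed.

```c
/* Added example, not GnuPG code. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>

typedef struct nv_entry {
    char *name;
    char *value;
    struct nv_entry *next;
} nv_entry_t;

typedef struct { nv_entry_t *head; } nvc_t;

/* Old binary stubs are S-expressions: the first non-blank byte is '('. */
static int is_extended_format(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        char c = buf[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n')
            continue;
        return c != '(';
    }
    return 0;
}

static char *dupn(const char *s, size_t n)
{
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}

/* Parse "Name: value" lines of an extended key file.  Returns NULL, not an
 * empty container, for the old binary format: this is the "keymeta is still
 * NULL after the call" situation from the report. */
nvc_t *keymeta_from_buffer(const char *buf, size_t len)
{
    if (!is_extended_format(buf, len))
        return NULL;
    nvc_t *nvc = calloc(1, sizeof *nvc);
    if (!nvc) return NULL;
    nv_entry_t **tail = &nvc->head;
    const char *p = buf, *end = buf + len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        const char *lend = eol ? eol : end;
        const char *colon = memchr(p, ':', (size_t)(lend - p));
        if (colon && colon > p) {
            const char *v = colon + 1, *vend = lend;
            while (v < lend && (*v == ' ' || *v == '\t')) v++;   /* skip leading blanks */
            while (vend > v && (vend[-1] == '\r' || vend[-1] == ' ')) vend--; /* trim CR/blanks */
            nv_entry_t *e = calloc(1, sizeof *e);
            if (e) {
                e->name = dupn(p, (size_t)(colon - p));
                e->value = dupn(v, (size_t)(vend - v));
                *tail = e;
                tail = &e->next;
            }
        }
        p = eol ? eol + 1 : end;
    }
    return nvc;
}

void nvc_free(nvc_t *nvc)
{
    if (!nvc) return;
    for (nv_entry_t *e = nvc->head; e; ) {
        nv_entry_t *n = e->next;
        free(e->name); free(e->value); free(e);
        e = n;
    }
    free(nvc);
}

/* The robust lookup: a NULL container means "no metadata", not a crash. */
const char *nvc_lookup_safe(const nvc_t *nvc, const char *name)
{
    if (!nvc || !name) return NULL;
    for (const nv_entry_t *e = nvc->head; e; e = e->next)
        if (strcmp(e->name, name) == 0) return e->value;
    return NULL;
}

/* 1 if a name/value container could be built from the stub, 0 for an old stub. */
int stub_has_metadata(const char *stub)
{
    nvc_t *m = keymeta_from_buffer(stub, strlen(stub));
    int r = m != NULL;
    nvc_free(m);
    return r;
}

/* 1 if field `name` is present with value `expected`; 0 otherwise, including
 * the no-metadata case, which must not crash. */
int stub_field_equals(const char *stub, const char *name, const char *expected)
{
    nvc_t *m = keymeta_from_buffer(stub, strlen(stub));
    const char *v = nvc_lookup_safe(m, name);      /* safe even when m is NULL */
    int r = v != NULL && strcmp(v, expected) == 0;
    nvc_free(m);
    return r;
}

/* The question asked above: does the stub carry a Token: or Label: line? */
int stub_has_card_hint(const char *stub)
{
    nvc_t *m = keymeta_from_buffer(stub, strlen(stub));
    int r = nvc_lookup_safe(m, "Token") != NULL || nvc_lookup_safe(m, "Label") != NULL;
    nvc_free(m);
    return r;
}
```

The point of the example is the last three helpers: each of them runs the lookup on whatever `keymeta_from_buffer` returns, so the old-stub case exercises the NULL path end to end and the only thing standing between it and a SEGV is the `if (!nvc)` check in `nvc_lookup_safe`.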

You may try the above commit - it should apply cleanly to 2.2.37.

For master (2.3) the fix is not needed due to another way the code works, but having a more robust function is always good.

Applies cleanly and fixes the crash. 👍

Thanks for testing. I guess I will do a new release.