NetBSD Problem Report #57043

From rhialto@falu.nl  Sun Oct  2 14:22:43 2022
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id B19561A923C
	for <gnats-bugs@gnats.NetBSD.org>; Sun,  2 Oct 2022 14:22:43 +0000 (UTC)
Message-Id: <202210021422.292EMcIC028764@murthe.falu.nl>
Date: Sun, 2 Oct 2022 16:22:38 +0200 (CEST)
From: rhialto@NetBSD.org
Reply-To: rhialto@falu.nl
To: gnats-bugs@NetBSD.org
Subject: netpgp --help crashes 
X-Send-Pr-Version: 3.95

>Number:         57043
>Category:       bin
>Synopsis:       netpgp --help crashes
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sun Oct 02 14:25:00 +0000 2022
>Last-Modified:  Sun Oct 02 21:05:01 +0000 2022
>Originator:     Rhialto
>Release:        NetBSD 9.3
>Organization:
>Environment:
System: NetBSD murthe.falu.nl 9.3 NetBSD 9.3 (MAXLWP8192) #0: Sat Aug 6 22:25:06 CEST 2022 rhialto@murthe.falu.nl:/mnt/scratch/scratch/NetBSD/NetBSD-9.3/source/sets/x/usr/src/sys/arch/amd64/compile/MAXLWP8192 amd64
Architecture: x86_64
Machine: amd64
>Description:
	Like in PR #57042 https://gnats.netbsd.org/57042, netpgp seems
	to want to do something with my gnupg keyring when it has no
	business doing so.  In the course of doing that, it even
	crashes.
>How-To-Repeat:
	$ netpgp --help
	Segmentation fault
	$ 

	$ gdb --args netpgp --help
	GNU gdb (GDB) 8.3
	...
	Reading symbols from netpgp...
	Reading symbols from /mnt/vol1/usr/libdata/debug//usr/bin/netpgp.debug...
	(gdb) run
	Starting program: /usr/bin/netpgp --help

	Program received signal SIGSEGV, Segmentation fault.
	0x00006fcd28028128 in cb_keyring_read (pkt=0x7f7fffe54f30, 
	    cbinfo=<optimized out>)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
	623                     EXPAND_ARRAY(key, subsig);
	(gdb) bt
	#0  0x00006fcd28028128 in cb_keyring_read (pkt=0x7f7fffe54f30, 
	    cbinfo=<optimized out>)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
	#1  0x00006fcd28022765 in parse_trust (stream=0x6fcd2833d000, 
	    region=0x7f7fffe50af0)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:2214
	#2  parse_packet (stream=stream@entry=0x6fcd2833d000, 
	    pktlen=pktlen@entry=0x7f7fffe56f8c)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:3161
	#3  0x00006fcd28024232 in pgp_parse (stream=stream@entry=0x6fcd2833d000, 
	    perrors=perrors@entry=0)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:3286
	#4  0x00006fcd28026472 in pgp_parse_and_accumulate (
	    keyring=keyring@entry=0x6fcd28345040, parse=parse@entry=0x6fcd2833d000)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/misc.c:203
	#5  0x00006fcd28028b6c in pgp_keyring_fileread (
	    keyring=keyring@entry=0x6fcd28345040, armour=armour@entry=0, 
	    filename=filename@entry=0x6fcd28342000 "/home/rhialto/.gnupg/pubring.gpg")
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:743
	#6  0x00006fcd2800d130 in readkeyring (netpgp=0x7f7fffe57630, 
	    name=0x6fcd2802cf96 "pubring")
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/netpgp.c:299
	#7  0x00006fcd2800d823 in netpgp_init (netpgp=0x7f7fffe57630)
	    at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/netpgp.c:873
	#8  0x00000000670028ba in main (argc=<optimized out>, argv=0x7f7fffe57cb8)
	    at /usr/src/crypto/external/bsd/netpgp/bin/netpgp/../../dist/src/netpgp/netpgp.c:597
	(gdb) 

	My keyring isn't small, there could be any key which causes an issue,
	or it could be the sheer number of them, given the
	"EXPAND_ARRAY(key, subsig);".
>Fix:
	I don't know.

>Audit-Trail:
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: rhialto@falu.nl
Subject: Re: bin/57043: netpgp --help crashes
Date: Sun, 2 Oct 2022 17:26:18 +0200

 It goes without saying that "netpgpkeys --list-sigs" crashes in the
 same way as in the initial report.

 It seems that it is not this particular key (from the key variable)
 which causes the crash.

 So probably it's caused by the size of my keyring as a whole
 (6.226.915 bytes; gpg --list-keys|wc -l is 2136 lines, of which 384
 lines start with "pub", indicating a public key).

 I managed to identify the key in the crash. I extracted it with gpg, and
 then listing it with netpgpkeys showed no problem:

 (gdb) print /x key->sigfingerprint
 $6 = {fingerprint = {0x3e, 0xa9, 0x4c, 0x2c, 0x38, 0xa9, 0x64, 0xd2, 0x62, 
     0xbf, 0x70, 0x3b, 0x90, 0x39, 0xa0, 0xbf, 0xd1, 0x39, 0xcc, 0x4c}, 
   length = 0x14, hashtype = 0x0}
 (gdb) print /x key->sigid         
 $7 = {0x90, 0x39, 0xa0, 0xbf, 0xd1, 0x39, 0xcc, 0x4c}

 $ gpg --export 9039a0bfd139cc4c >/tmp/badkey.gpg

 $ netpgpkeys --list-keys --keyring /tmp/badkey.pgp
 1 key found
 "pub" 1024/"DSA" "9039a0bfd139cc4c" 1998-04-25 [EXPIRED 2000-05-16]
 Key fingerprint: "3ea9 4c2c 38a9 64d2 62bf 703b 9039 a0bf d139 cc4c "
 uid              "Brian Warner (home) <warner@lothar.com>" ""
 uid              "expired (this key has expired. please use my current one) <warner@lothar.com>" ""
 encryption 2048/"Elgamal (Encrypt-Only)" "6af6cdc8be4e32ce" 1998-04-25

 It is the first key as shown by "gpg --list-keys", so we can't deduce
 from this which limit is being passed.

From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: rhialto@falu.nl
Subject: Re: bin/57043: netpgp --help crashes
Date: Sun, 2 Oct 2022 23:01:29 +0200

 The quoted source line comes from -current source, not from 9.3.
 This is a bit deceptive...

 /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
         623                     EXPAND_ARRAY(key, subsig);

 I found that 9.3 contains
      $NetBSD: keyring.c,v 1.56 2018/11/13 14:52:30 mlelstv Exp $
 and there is this patch to 1.57:
 http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/netpgp/dist/src/lib/keyring.c.diff?r1=1.56&r2=1.57&only_with_tag=MAIN&f=h
 which inserts that exact line. Without it, no space would be allocated
 for the subsig which is added here.

 However I am now wondering why just looking at the crashing key on its
 own did not crash, since the above suggests that the data in the key is
 what triggers the crash: only packets of PGP_PTAG_CT_TRUST would crash.

 I tried building a -current version of netpgp (I'm not sure if I did it
 right since it didn't seem to respect my objdirs), and it seems it
 doesn't crash on my keyring. It does however complain a lot like

 Can't read pubring /home/rhialto/.gnupg/pubring.gpg
 /mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:2095: PGP_E_ALG_UNSUPPORTED_SIGNATURE_ALG, Bad v4 signature key algorithm (Unknown)
 /mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1284: PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG, Unsupported Public Key algorithm (Reserved for Elliptic Curve)
 /mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1284: PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG, Unsupported Public Key algorithm (Unknown)
 ...

 It is a bit useless to complain about keys if you don't know which key
 it concerns...
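An added example, not from the PR or from netpgp's source: a constructed C analogue of the grow-before-append pattern that the keyring.c 1.57 change restores, with hypothetical names (pgpkey_t, expand_subsigs, key_add_subsig, simulate_trust_packets) and the report's key id used only as sample data.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed analogue of a netpgp-style growable array (hypothetical
 * names): entries in use in subsigc, entries allocated in subsigvsize. */
typedef struct { unsigned char keyid[8]; unsigned char trust; } subsig_t;
typedef struct {
    subsig_t *subsigs;
    unsigned  subsigc;
    unsigned  subsigvsize;
} pgpkey_t;

/* Grow the array when full. This is the step the 9.3 code path skipped
 * before storing a subsig from a trust packet; without it the write lands
 * past the allocation. Returns 0 on allocation failure. */
static int expand_subsigs(pgpkey_t *key)
{
    if (key->subsigc < key->subsigvsize)
        return 1;
    unsigned newsize = key->subsigvsize * 2 + 10;
    subsig_t *p = realloc(key->subsigs, newsize * sizeof(*p));
    if (p == NULL)
        return 0;
    key->subsigs = p;
    key->subsigvsize = newsize;
    return 1;
}

/* Append a subsig: capacity check first, then the write. */
int key_add_subsig(pgpkey_t *key, const unsigned char keyid[8], unsigned char trust)
{
    if (!expand_subsigs(key))
        return -1;
    subsig_t *s = &key->subsigs[key->subsigc++];
    memcpy(s->keyid, keyid, sizeof(s->keyid));
    s->trust = trust;
    return 0;
}

/* Feed n trust packets to one key, as a large keyring would; return how many were stored. */
unsigned simulate_trust_packets(unsigned n)
{
    static const unsigned char id[8] = { 0x90, 0x39, 0xa0, 0xbf, 0xd1, 0x39, 0xcc, 0x4c };
    pgpkey_t key = { NULL, 0, 0 };
    for (unsigned i = 0; i < n; i++)
        if (key_add_subsig(&key, id, (unsigned char)(i & 0xff)) != 0)
            break;
    unsigned stored = key.subsigc;
    free(key.subsigs);
    return stored;
}
```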
