NetBSD Problem Report #57043
From rhialto@falu.nl Sun Oct 2 14:22:43 2022
Return-Path: <rhialto@falu.nl>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id B19561A923C
for <gnats-bugs@gnats.NetBSD.org>; Sun, 2 Oct 2022 14:22:43 +0000 (UTC)
Message-Id: <202210021422.292EMcIC028764@murthe.falu.nl>
Date: Sun, 2 Oct 2022 16:22:38 +0200 (CEST)
From: rhialto@NetBSD.org
Reply-To: rhialto@falu.nl
To: gnats-bugs@NetBSD.org
Subject: netpgp --help crashes
X-Send-Pr-Version: 3.95
>Number: 57043
>Category: bin
>Synopsis: netpgp --help crashes
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Oct 02 14:25:00 +0000 2022
>Last-Modified: Sun Oct 02 21:05:01 +0000 2022
>Originator: Rhialto
>Release: NetBSD 9.3
>Organization:
>Environment:
System: NetBSD murthe.falu.nl 9.3 NetBSD 9.3 (MAXLWP8192) #0: Sat Aug 6 22:25:06 CEST 2022 rhialto@murthe.falu.nl:/mnt/scratch/scratch/NetBSD/NetBSD-9.3/source/sets/x/usr/src/sys/arch/amd64/compile/MAXLWP8192 amd64
Architecture: x86_64
Machine: amd64
>Description:
Like in PR #57042 https://gnats.netbsd.org/57042, netpgp seems
to want to do something with my gnupg keyring when it has no
business doing so. In the course of doing that, it even
crashes.
>How-To-Repeat:
$ netpgp --help
Segmentation fault
$
$ gdb --args netpgp --help
GNU gdb (GDB) 8.3
...
Reading symbols from netpgp...
Reading symbols from /mnt/vol1/usr/libdata/debug//usr/bin/netpgp.debug...
(gdb) run
Starting program: /usr/bin/netpgp --help
Program received signal SIGSEGV, Segmentation fault.
0x00006fcd28028128 in cb_keyring_read (pkt=0x7f7fffe54f30,
cbinfo=<optimized out>)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
623 EXPAND_ARRAY(key, subsig);
(gdb) bt
#0 0x00006fcd28028128 in cb_keyring_read (pkt=0x7f7fffe54f30,
cbinfo=<optimized out>)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
#1 0x00006fcd28022765 in parse_trust (stream=0x6fcd2833d000,
region=0x7f7fffe50af0)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:2214
#2 parse_packet (stream=stream@entry=0x6fcd2833d000,
pktlen=pktlen@entry=0x7f7fffe56f8c)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:3161
#3 0x00006fcd28024232 in pgp_parse (stream=stream@entry=0x6fcd2833d000,
perrors=perrors@entry=0)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:3286
#4 0x00006fcd28026472 in pgp_parse_and_accumulate (
keyring=keyring@entry=0x6fcd28345040, parse=parse@entry=0x6fcd2833d000)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/misc.c:203
#5 0x00006fcd28028b6c in pgp_keyring_fileread (
keyring=keyring@entry=0x6fcd28345040, armour=armour@entry=0,
filename=filename@entry=0x6fcd28342000 "/home/rhialto/.gnupg/pubring.gpg")
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:743
#6 0x00006fcd2800d130 in readkeyring (netpgp=0x7f7fffe57630,
name=0x6fcd2802cf96 "pubring")
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/netpgp.c:299
#7 0x00006fcd2800d823 in netpgp_init (netpgp=0x7f7fffe57630)
at /usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/netpgp.c:873
#8 0x00000000670028ba in main (argc=<optimized out>, argv=0x7f7fffe57cb8)
at /usr/src/crypto/external/bsd/netpgp/bin/netpgp/../../dist/src/netpgp/netpgp.c:597
(gdb)
My keyring isn't small, there could be any key which causes an issue,
or it could be the sheer number of them, given the
"EXPAND_ARRAY(key, subsig);".
>Fix:
I don't know.
>Audit-Trail:
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: rhialto@falu.nl
Subject: Re: bin/57043: netpgp --help crashes
Date: Sun, 2 Oct 2022 17:26:18 +0200
It goes without saying that "netpgpkeys --list-sigs" crashes in the
same way as in the initial report.
It seems that it is not this particular key (from the key variable)
which causes the crash.
So probably it's caused by the size of my keyring as a whole
(6.226.915 bytes; gpg --list-keys|wc -l is 2136 lines, of which 384
lines start with "pub", indicating a public key).
I managed to identify the key in the crash. I extracted it with gpg, and
then listing it with netpgpkeys showed no problem:
(gdb) print /x key->sigfingerprint
$6 = {fingerprint = {0x3e, 0xa9, 0x4c, 0x2c, 0x38, 0xa9, 0x64, 0xd2, 0x62,
0xbf, 0x70, 0x3b, 0x90, 0x39, 0xa0, 0xbf, 0xd1, 0x39, 0xcc, 0x4c},
length = 0x14, hashtype = 0x0}
(gdb) print /x key->sigid
$7 = {0x90, 0x39, 0xa0, 0xbf, 0xd1, 0x39, 0xcc, 0x4c}
$ gpg --export 9039a0bfd139cc4c >/tmp/badkey.gpg
$ netpgpkeys --list-keys --keyring /tmp/badkey.pgp
1 key found
"pub" 1024/"DSA" "9039a0bfd139cc4c" 1998-04-25 [EXPIRED 2000-05-16]
Key fingerprint: "3ea9 4c2c 38a9 64d2 62bf 703b 9039 a0bf d139 cc4c "
uid "Brian Warner (home) <warner@lothar.com>" ""
uid "expired (this key has expired. please use my current one) <warner@lothar.com>" ""
encryption 2048/"Elgamal (Encrypt-Only)" "6af6cdc8be4e32ce" 1998-04-25
It is the first key as shown by "gpg --list-keys", so we can't deduce
from this which limit is being passed.
From: Rhialto <rhialto@falu.nl>
To: gnats-bugs@netbsd.org
Cc: rhialto@falu.nl
Subject: Re: bin/57043: netpgp --help crashes
Date: Sun, 2 Oct 2022 23:01:29 +0200
The quoted source line comes from -current source, not from 9.3.
This is a bit deceptive...
/usr/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/keyring.c:623
623 EXPAND_ARRAY(key, subsig);
I found that 9.3 contains
$NetBSD: keyring.c,v 1.56 2018/11/13 14:52:30 mlelstv Exp $
and there is this patch to 1.57:
http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/external/bsd/netpgp/dist/src/lib/keyring.c.diff?r1=1.56&r2=1.57&only_with_tag=MAIN&f=h
which inserts that exact line. Without it, no space would be allocated
for the subsig which is added here.
However I am now wondering why just looking at the crashing key on its
own did not crash, since the above suggests that the data in the key is
what triggers the crash: only packets of PGP_PTAG_CT_TRUST would crash.
I tried building a -current version of netpgp (I'm not sure if I did it
right since it didn't seem to respect my objdirs), and it seems it
doesn't crash on my keyring. It does however complain a lot like
Can't read pubring /home/rhialto/.gnupg/pubring.gpg
/mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:2095: PGP_E_ALG_UNSUPPORTED_SIGNATURE_ALG, Bad v4 signature key algorithm (Unknown)
/mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1284: PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG, Unsupported Public Key algorithm (Reserved for Elliptic Curve)
/mnt/vol1/rhialto/cvs/src/crypto/external/bsd/netpgp/lib/netpgp/../../dist/src/lib/packet-parse.c:1284: PGP_E_ALG_UNSUPPORTED_PUBLIC_KEY_ALG, Unsupported Public Key algorithm (Unknown)
...
It is a bit useless to complain about keys if you don't know which key
it concerns...
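The point of the 1.57 change discussed above is that a counted array must be grown before anything is written at index subsigc. The following is an added illustration written for this page, not code from netpgp or NetBSD: it decodes OpenPGP packet headers (old and new format, RFC 4880 section 4.2, tag values from section 4.3), attaches each signature or trust packet (tags 2 and 12) to the most recent public key (tag 6), and grows the per-key array with an EXPAND_ARRAY-style macro before every append. The struct and field names (struct key, subsigc, subsigvsize) only echo netpgp's naming pattern and are hypothetical; the sample keyring bytes are constructed, not an export of any real key.

```c
/* Added example, not netpgp code: parse an OpenPGP packet stream and collect
 * signature/trust packets per key in an array grown before each append. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Packet tags, RFC 4880 section 4.3. */
enum { PTAG_SIGNATURE = 2, PTAG_PUBLIC_KEY = 6, PTAG_TRUST = 12, PTAG_USER_ID = 13 };

/* Hypothetical names echoing netpgp's "<name>s / <name>c / <name>vsize" pattern. */
struct subsig  { unsigned tag; size_t bodylen; };
struct key     { struct subsig *subsigs; unsigned subsigc, subsigvsize; };
struct keyring { struct key *keys; unsigned keyc, keyvsize; };

/* Grow a counted array when it is full. Returns 0 if realloc fails. The
 * caller must call this before writing slot [count]; skipping it is exactly
 * the heap overrun a missing EXPAND_ARRAY produces. */
static int expand_array(void **arr, unsigned count, unsigned *vsize, size_t elsize)
{
    if (count < *vsize)
        return 1;
    unsigned newsize = *vsize ? *vsize * 2 : 4;
    void *p = realloc(*arr, (size_t)newsize * elsize);
    if (p == NULL)
        return 0;
    *arr = p;
    *vsize = newsize;
    return 1;
}
#define EXPAND_ARRAY(obj, name) \
    expand_array((void **)&(obj)->name##s, (obj)->name##c, &(obj)->name##vsize, sizeof(*(obj)->name##s))

/* Decode one packet header (RFC 4880 section 4.2). Returns the header length,
 * or 0 for malformed, partial-body-length or indeterminate-length headers. */
static size_t parse_header(const uint8_t *p, size_t n, unsigned *tag, size_t *bodylen)
{
    if (n < 2 || (p[0] & 0x80) == 0)
        return 0;
    if (p[0] & 0x40) {                       /* new format: tag in low 6 bits */
        *tag = p[0] & 0x3f;
        if (p[1] < 192) { *bodylen = p[1]; return 2; }
        if (p[1] < 224) {
            if (n < 3) return 0;
            *bodylen = ((size_t)(p[1] - 192) << 8) + p[2] + 192;
            return 3;
        }
        if (p[1] == 255) {
            if (n < 6) return 0;
            *bodylen = ((size_t)p[2] << 24) | ((size_t)p[3] << 16) | ((size_t)p[4] << 8) | p[5];
            return 6;
        }
        return 0;                            /* partial body lengths: not handled here */
    }
    *tag = (p[0] >> 2) & 0x0f;               /* old format: tag in bits 2..5 */
    switch (p[0] & 3) {
    case 0: *bodylen = p[1]; return 2;
    case 1: if (n < 3) return 0; *bodylen = ((size_t)p[1] << 8) | p[2]; return 3;
    case 2: if (n < 5) return 0;
            *bodylen = ((size_t)p[1] << 24) | ((size_t)p[2] << 16) | ((size_t)p[3] << 8) | p[4]; return 5;
    default: return 0;                       /* indeterminate length */
    }
}

/* Walk the stream. Returns packets consumed, or -1 on a malformed/truncated
 * stream or allocation failure. Signatures and trust packets attach to the
 * most recent public key; packets before the first key are skipped. */
int read_keyring(const uint8_t *buf, size_t n, struct keyring *kr)
{
    int npackets = 0;
    size_t off = 0;
    while (off < n) {
        unsigned tag; size_t bodylen;
        size_t hdr = parse_header(buf + off, n - off, &tag, &bodylen);
        if (hdr == 0 || bodylen > n - off - hdr)
            return -1;
        if (tag == PTAG_PUBLIC_KEY) {
            if (!EXPAND_ARRAY(kr, key)) return -1;
            memset(&kr->keys[kr->keyc++], 0, sizeof(struct key));
        } else if ((tag == PTAG_SIGNATURE || tag == PTAG_TRUST) && kr->keyc > 0) {
            struct key *key = &kr->keys[kr->keyc - 1];
            if (!EXPAND_ARRAY(key, subsig)) return -1;   /* grow BEFORE the write */
            key->subsigs[key->subsigc].tag = tag;
            key->subsigs[key->subsigc].bodylen = bodylen;
            key->subsigc++;
        }
        off += hdr + bodylen;
        npackets++;
    }
    return npackets;
}

void free_keyring(struct keyring *kr)
{
    for (unsigned i = 0; i < kr->keyc; i++) free(kr->keys[i].subsigs);
    free(kr->keys);
    memset(kr, 0, sizeof(*kr));
}

/* Constructed sample (not a real key): key 1 with user id, signature, trust
 * and a new-format signature; key 2 with a single trust packet. */
const uint8_t SAMPLE_KEYRING[] = {
    0x98, 0x02, 0x04, 0x11,      /* old-format tag 6, 1-octet length, 2-byte body */
    0xb4, 0x03, 'b', 'o', 'b',   /* tag 13 user id */
    0x88, 0x01, 0xaa,            /* tag 2 signature */
    0xb0, 0x02, 0x00, 0x03,      /* tag 12 trust */
    0xc2, 0x01, 0xbb,            /* new-format tag 2 signature */
    0x98, 0x01, 0x04,            /* second public key */
    0xb0, 0x01, 0x01,            /* trust */
};
const size_t SAMPLE_KEYRING_LEN = sizeof(SAMPLE_KEYRING);

/* Parse the first n sample bytes: -1 on parse error, -2 if keyidx is out of
 * range, otherwise that key's subsig count. */
int sample_subsig_count(size_t n, unsigned keyidx)
{
    struct keyring kr = {0, 0, 0};
    int np = read_keyring(SAMPLE_KEYRING, n, &kr);
    int r = np < 0 ? -1 : keyidx >= kr.keyc ? -2 : (int)kr.keys[keyidx].subsigc;
    free_keyring(&kr);
    return r;
}

/* Parse the first n sample bytes and return the packet count (or -1). */
int sample_packet_count(size_t n)
{
    struct keyring kr = {0, 0, 0};
    int np = read_keyring(SAMPLE_KEYRING, n, &kr);
    free_keyring(&kr);
    return np;
}
```

Feeding an actual pubring.gpg through the same loop with the EXPAND_ARRAY call removed would reproduce the class of failure in the report: the write at subsigs[subsigc] lands past the allocation as soon as one key accumulates more signature or trust packets than the initial capacity, which is why the crash depends on the keyring as a whole rather than on the single exported key.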
Copyright © 1994-2022
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.