
dirmngr crash when searching keyservers on OpenBSD
Closed, ResolvedPublic

Description

Hi,

I was trying to figure out why I could not use the sks pools on my OpenBSD
machine when I found that dirmngr is crashing with an assertion failure:

wilfred:edd> gdb dirmngr
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-unknown-openbsd5.8"...
(gdb) b  ks-engine-hkp.c:179
Breakpoint 1 at 0x1e048: file ks-engine-hkp.c, line 179.
(gdb) cond 1 (a < 0) || (a >= hosttable_size)
(gdb) run
Starting program: /usr/local/bin/dirmngr 
Breakpoint 1 at 0x12fee4a1e048: file ks-engine-hkp.c, line 179.
dirmngr[28794.0]: permanently loaded certificates: 0
dirmngr[28794.0]:     runtime cached certificates: 0
# Home: ~/.gnupg
# Config: /home/edd/.gnupg/dirmngr.conf
OK Dirmngr 2.1.8 at your service
KEYSERVER --clear hkp://pool.sks-keyservers.net
OK
KS_SEARCH blah@sometesst.ext
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'c-75-75-
183-132.hsd1.pa.comcast.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'openpgp.us'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'pgp.h-
ix.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'mira.cbaines.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'keys02.fedoraproject.org'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'sks.mrball.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'astrath.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'104.131.30.118'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'pgpkeys.co.uk'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'haze.blupill.com'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'mira.cbaines.net' [already known]
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2a01:4f8:190:22a4::2]'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'itunix.eu'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'hufu.ki.iif.hu'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'tyo1.sks.reimu.io'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:bc8:3d90:103::]'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'pgpkeys.urown.net'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'svcs4.riverwillow.net.au'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'keyserver.kjsl.org'
dirmngr[28794.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'gpg.spline.inf.fu-berlin.de'

Breakpoint 1, sort_hostpool (xa=0x1301a38a1e00, xb=0x1301a38a1e24)
    at ks-engine-hkp.c:179
179       assert (a >= 0 && a < hosttable_size);
(gdb) a
Ambiguous command "a": actions, add-shared-symbol-files, add-symbol-file, 
advance, aliases, append, apropos, assf...
(gdb) p a
$1 = -538976289
(gdb) p hosttable_size
$2 = 20
(gdb) bt
#0  sort_hostpool (xa=0x1301a38a1e00, xb=0x1301a38a1e24) at ks-engine-hkp.c:179
#1  0x0000130117efc9ba in *_libc_qsort (aa=Variable "aa" is not available.
)
    at /usr/src/lib/libc/stdlib/qsort.c:78
#2  0x000012fee4a1f7fd in make_host_part (ctrl=0x13014eb5d640, 
    scheme=0x12fee4b407b3 "http", 
    host=0x13014971c4c6 "pool.sks-keyservers.net", port=Variable "port" is not 
available.
)
    at ks-engine-hkp.c:515
#3  0x000012fee4a2032a in ks_hkp_search (ctrl=0x13014eb5d640, 
    uri=0x13014971c480, pattern=0x13014eb5d08c "blah@sometesst.ext", 
    r_fp=0x7f7ffffe2bb8) at ks-engine-hkp.c:1182
#4  0x000012fee4a1de36 in ks_action_search (ctrl=Variable "ctrl" is not 
available.
) at ks-action.c:177
#5  0x000012fee4a0fdf7 in cmd_ks_search (ctx=0x1301038c5140, 
    line=0x1301038c52ac "") at server.c:1796
#6  0x00001301dc2ee156 in dispatch_command ()
   from /usr/local/lib/libassuan.so.1.1
#7  0x00001301dc2ee34e in assuan_process ()
   from /usr/local/lib/libassuan.so.1.1
#8  0x000012fee4a0db2f in start_command_handler (fd=Variable "fd" is not 
available.
) at server.c:2249
#9  0x000012fee4a0c20f in main (argc=0, argv=0x7f7ffffe31a0) at dirmngr.c:1043

I have no malloc.conf installed.

If we can get a patch I can apply it to the OpenBSD port.

Cheers

Details

Version
2.1.8

Event Timeline

vext01 set Version to 2.1.8.
vext01 added a subscriber: vext01.

FWIW, after setting MALLOC_FLAGS="s", I get:

dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'openpgp.us'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'jupiter.zaledia.com'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'schluesselbruecke.de'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'keys-
02.licoho.de'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'host-
550b4a17.sileman.net.pl'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'keyserver.mattrude.com'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'dreamcoat.che.uct.ac.za'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'194.94.127.122'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'RESISP-
209-135-211-141.smf.ragingwire.net'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'pkqs.net'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'openpgp-
keyserver.de'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:4d88:1ffc:477::7]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:67c:2050:1000::3:4]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2a01:a500:385:1::9:1]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'mira.cbaines.net'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:bc8:3d90:103::]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:470:b2a7:1:225:90ff:fe93:e9fc]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:1488:ac15:fffe::4]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2a00:b9c0:e::4]'
dirmngr[16846.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2604:a880:800:10::688:e001]'
dirmngr[16846.0]: can't connect to '2001:470:b2a7:1:225:90ff:fe93:e9fc': No 
route to host
dirmngr[16846.0]: error connecting to 
'http://[2001:470:b2a7:1:225:90ff:fe93:e9fc]:11371': No route to host
dirmngr[16846.0]: command 'KS_SEARCH' failed: No route to host
ERR 167804970 No route to host <Dirmngr>

I ran again and got:

KEYSERVER --clear hkp://pool.sks-keyservers.net
KS_SEARCH blah@sometesst.ext
OK
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'RESISP-
209-135-211-141.smf.ragingwire.net'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'dreamcoat.che.uct.ac.za'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'pkqs.net'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'host-
550b4a17.sileman.net.pl'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'keys-
02.licoho.de'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'jupiter.zaledia.com'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'194.94.127.122'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'schluesselbruecke.de'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'openpgp.us'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'keyserver.mattrude.com'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2604:a880:800:10::688:e001]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2a00:b9c0:e::4]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:470:b2a7:1:225:90ff:fe93:e9fc]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 'openpgp-
keyserver.de'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:4d88:1ffc:477::7]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'mira.cbaines.net'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:1488:ac15:fffe::4]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:67c:2050:1000::3:4]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2a01:a500:385:1::9:1]'
dirmngr[16131.0]: getnameinfo returned for 'pool.sks-keyservers.net': 
'[2001:bc8:3d90:103::]'
dirmngr[16131.0]: error accessing 'http://194.94.127.122:11371/pks/lookup?
op=index&options=mr&search=blah%40sometesst%2Eext': http status 404
dirmngr[16131.0]: command 'KS_SEARCH' failed: No data
ERR 167772218 No data <Dirmngr>

Seems like it doesn't crash with malloc flags on (which is weird). I'm not sure
how dirmngr is supposed to work, but from what I gather the SKS pool has loads
of broken hosts. I've not gotten a working one yet. Surely this can't be right?

OK, I think the crash is a use-after free, caused by a realloc followed by a use
of the old dangling pointer.

The following patch fixes this. Can someone on the GPG team review and commit
this for me? I can deal with fixing this in the OpenBSD ports tree. Thanks.

--- dirmngr/ks-engine-hkp.c.orig	Tue Sep 29 15:05:02 2015
+++ dirmngr/ks-engine-hkp.c	Tue Sep 29 15:05:26 2015
@@ -512,7 +512,7 @@ map_host (ctrl_t ctrl, const char *name, int force_res
   xfree (reftbl);
   return err;
 }
- qsort (reftbl, refidx, sizeof *reftbl, sort_hostpool);
+ qsort (hi->pool, refidx, sizeof *reftbl, sort_hostpool);
   }
 else
   xfree (reftbl);
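Review bot: the replacement qsort line sorts hi->pool but keeps `sizeof *reftbl` as the element size; tie the size to the array actually being sorted (`sizeof *hi->pool`) so the two cannot drift apart if either type changes. The hunk also shows only the base-pointer swap while the unchanged else path still does `xfree (reftbl);`, so from these lines alone a reviewer cannot tell why hi->pool is the live buffer and reftbl the stale one after the realloc mentioned in the description; the commit message should state that relationship explicitly, or the hunk should drop the stale pointer rather than keep both in scope.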

The unusable hosts is a separate issue. I don't have IPv6 connectivity. I can
work around this by using the ipv4 sks pool.
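The class of bug diagnosed above (a pointer into a table taken before a realloc that moves the table, then dereferenced afterwards) is easy to reproduce and easy to avoid. The following is an added example, not dirmngr's code and not the reporter's patch: a small host table that grows by realloc, a per-pool reference table of indices, a bounds-checked comparator in the spirit of the assert at ks-engine-hkp.c:179, and the hardened pattern of carrying only the index across growth and re-deriving the pointer once growth is finished. All host names are constructed; `host_at`, `add_host`, `map_pool` and `pool_member` are names chosen for this example.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not dirmngr's code): a host table that grows with realloc
   plus a per-pool reference table of indices. All names are constructed. */

struct hostinfo {
  char name[64];
  int *pool;      /* indices into hosttable, sorted by name; NULL if none */
  int poolsize;
};

static struct hostinfo *hosttable;   /* grows by realloc */
static int hosttable_size;

/* Bounds-checked lookup: an index outside the table is a programming error,
   the same invariant the report's assert (a >= 0 && a < hosttable_size) guards. */
static struct hostinfo *host_at(int idx) {
  assert(idx >= 0 && idx < hosttable_size);
  return &hosttable[idx];
}

static int find_host(const char *name) {
  for (int i = 0; i < hosttable_size; i++)
    if (strcmp(hosttable[i].name, name) == 0)
      return i;
  return -1;
}

/* Appends a host and returns its index. May realloc hosttable, so every
   `struct hostinfo *` obtained before this call is invalid afterwards;
   only indices survive a call to add_host. */
static int add_host(const char *name) {
  struct hostinfo *t = realloc(hosttable, (size_t)(hosttable_size + 1) * sizeof *t);
  if (!t)
    return -1;
  hosttable = t;
  struct hostinfo *hi = &hosttable[hosttable_size];
  memset(hi, 0, sizeof *hi);
  snprintf(hi->name, sizeof hi->name, "%s", name);
  return hosttable_size++;
}

/* qsort comparator over index entries; every index is bounds-checked, so a
   corrupted reference table (like the -538976289 in the report) trips the
   assert instead of reading out of bounds. */
static int sort_hostpool(const void *xa, const void *xb) {
  int a = *(const int *)xa, b = *(const int *)xb;
  return strcmp(host_at(a)->name, host_at(b)->name);
}

/*
 * The buggy shape (deliberately NOT compiled here; it is undefined behaviour):
 *
 *   struct hostinfo *hi = &hosttable[idx];       // pointer taken early
 *   for (...) reftbl[refidx++] = add_host(...);   // realloc moves hosttable
 *   hi->pool = reftbl;                            // hi dangles: use-after-free
 *
 * Hardened: keep only the index across anything that may grow the table and
 * re-derive the pointer once growth is finished.
 */
static int map_pool(const char *poolname, const char *const *members, int n) {
  int idx = find_host(poolname);
  if (idx < 0 && (idx = add_host(poolname)) < 0)
    return -1;

  int *reftbl = malloc((size_t)n * sizeof *reftbl);
  if (!reftbl)
    return -1;
  int refidx = 0;
  for (int i = 0; i < n; i++) {
    int tmpidx = find_host(members[i]);            /* "[already known]" path */
    if (tmpidx < 0 && (tmpidx = add_host(members[i])) < 0) {
      free(reftbl);
      return -1;
    }
    int dup = 0;                                   /* do not list a host twice */
    for (int j = 0; j < refidx; j++)
      dup |= (reftbl[j] == tmpidx);
    if (!dup)
      reftbl[refidx++] = tmpidx;
  }

  /* All growth is done: only now is it safe to hold a pointer into the table. */
  struct hostinfo *hi = host_at(idx);
  qsort(reftbl, (size_t)refidx, sizeof *reftbl, sort_hostpool);
  free(hi->pool);
  hi->pool = reftbl;
  hi->poolsize = refidx;
  return idx;
}

/* Name of the i-th (sorted) pool member of host `idx`, or NULL when out of range. */
static const char *pool_member(int idx, int i) {
  struct hostinfo *hi = host_at(idx);
  if (i < 0 || i >= hi->poolsize)
    return NULL;
  return host_at(hi->pool[i])->name;
}

int main(void) {
  /* constructed pool membership; one host is listed twice on purpose */
  const char *const members[] = { "sks.example.org", "keys.example.net",
                                  "pgp.example.com", "keys.example.net" };
  int idx = map_pool("pool.example.invalid", members, 4);
  for (int i = 0; i < host_at(idx)->poolsize; i++)
    printf("%d: %s\n", i, pool_member(idx, i));
  return 0;
}
```

The buggy shape in the comment is exactly what AddressSanitizer reports as a heap-use-after-free when the realloc moves the block; building with `-fsanitize=address` (or running under a malloc with freed-chunk poisoning, as the report does with OpenBSD's malloc flags) turns the silent garbage index seen in gdb into an immediate, attributable failure.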

Thanks for debugging the problem. I have pushed the fix which will go into 2.1.9.

(I neglected to implement an autogrow of reftbl and instead decided to set an
upper limit and shrink the table at the end.)

The common way to solve the v6 problems would be to add an --v4-only and
--v6-only option to dirmngr. However, it would be better to detect a non-working
v6 connectivity and disable v6.

No problem!

Regarding ipv6. It's not that my OS doesn't support it, it's that the network I
am currently connected to (on my laptop) is not providing IPv6. There's nothing
to say that I won't move to another network that does.

Detecting IPv6 capability would be useful, but (I think) difficult. Especially
since I can move between networks in the lifetime of a single dirmngr. If I move
from a network *without* IPv6 to a network *with* IPv6, should dirmngr realise
and re-enable IPv6?

Anyway, we should open a new bug for this?

P.S.

The fix is applied to OpenBSD ports 2.1.8.

Cheers

werner claimed this task.
werner removed a project: Restricted Project.
werner added a project: Duplicate.

Duplicate of T2348