Bug#1043332: gcr-ssh-agent crash has been fixed upstream
Рустам Заитов
r.zaitov at gmail.com
Tue Jan 16 01:10:16 GMT 2024
Dear maintainer of the gcr package,
I also have been caught by this crash of gcr-ssh-agent. I strongly believe
that this issue is attributable to GNOME's gcr-ssh-agent. This issue has
already been fixed upstream. In the following I am going to provide
arguments to support my conclusion.
I can reproduce this issue when I try to test an ssh connection:
```
# test rig
$ export SSH_AUTH_SOCK=/run/user/1000/gcr/ssh
$ ssh -T git@github.com
# crash confirmation
$ journalctl --no-pager -f
Jan 15 08:42:07 pc-debian systemd[629]: gcr-ssh-agent.service: Main process
exited, code=killed, status=11/SEGV
Jan 15 08:42:07 pc-debian systemd[629]: gcr-ssh-agent.service: Failed with
result 'signal'.
Jan 15 08:42:08 pc-debian systemd[629]: gcr-ssh-agent.service: Scheduled
restart job, restart counter is at 1.
Jan 15 08:42:08 pc-debian systemd[629]: Stopped gcr-ssh-agent.service - GCR
ssh-agent wrapper.
Jan 15 08:42:08 pc-debian systemd[629]: Started gcr-ssh-agent.service - GCR
ssh-agent wrapper.
```
I decided to attach a debugger to the running service in order to find the
cause of the problem.
```
$ export DEBUGINFOD_URLS="https://debuginfod.debian.net"
$ gdb /usr/libexec/gcr-ssh-agent -p <pid_of_gcr-ssh-agent>
GNU gdb (Debian 13.1-3) 13.1
...
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
...
(gdb) set pagination 0
(gdb) run /run/user/1000/gcr/
Starting program: /usr/libexec/gcr-ssh-agent /run/user/1000/gcr/
Downloading separate debug info for system-supplied DSO at 0x7ffff7fc9000
...
[New Thread 0x7ffff71f66c0 (LWP 2330)]
[New Thread 0x7ffff69f56c0 (LWP 2366)]
[Detaching after fork from child process 2367]
Thread 3 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff69f56c0 (LWP 2366)]
0x00007ffff7e5ffc0 in ascii_table_data () from
/lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0 0x00007ffff7e5ffc0 in ascii_table_data () at
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1 0x000055555555b25a in handle_request
(error=0x7ffff69f4718, cancellable=0x555555574620 [GCancellable],
resp=0x7ffff69f4750, req=0x7ffff69f4720, connection=0x7fffe8006450
[GUnixConnection], self=0x555555566b60 [GcrSshAgentService])
at ../gcr/gcr-ssh-agent-service.c:197
#2 on_run (service=<optimized out>, connection=connection@entry=0x5555555814f0
[GUnixConnection], source_object=source_object@entry=0x0,
user_data=user_data@entry=0x555555566b60)
at ../gcr/gcr-ssh-agent-service.c:326
#3 0x00007ffff7bea19e in _g_cclosure_marshal_BOOLEAN__OBJECT_OBJECTv
(closure=0x555555580660, return_value=0x7ffff69f4940,
instance=<optimized out>, args=<optimized out>, marshal_data=<optimized
out>, n_params=<optimized out>, param_types=0x55555557c4c0)
at ../../../gio/gmarshal-internal.c:335
#4 0x00007ffff7d5d5a9 in _g_closure_invoke_va
(closure=closure@entry=0x555555580660,
return_value=return_value@entry=0x7ffff69f4940,
instance=instance@entry=0x5555555775d0, args=args@entry=0x7ffff69f4a10,
n_params=2, param_types=0x55555557c4c0)
at ../../../gobject/gclosure.c:895
#5 0x00007ffff7d7605e in g_signal_emit_valist (instance=0x5555555775d0,
signal_id=8, detail=<optimized out>, var_args=var_args@entry=0x7ffff69f4a10)
at ../../../gobject/gsignal.c:3456
#6 0x00007ffff7d76dbf in g_signal_emit (instance=<optimized out>,
signal_id=<optimized out>, detail=detail@entry=0) at
../../../gobject/gsignal.c:3606
#7 0x00007ffff7c1c71d in g_threaded_socket_service_func
(job_data=0x555555576400, user_data=<optimized out>) at
../../../gio/gthreadedsocketservice.c:98
#8 0x00007ffff7e256ca in g_thread_pool_thread_proxy (data=<optimized out>)
at ../../../glib/gthreadpool.c:352
#9 0x00007ffff7e24cfd in g_thread_proxy (data=0x5555555671e0) at
../../../glib/gthread.c:831
#10 0x00007ffff78dd044 in start_thread (arg=<optimized out>) at
./nptl/pthread_create.c:442
#11 0x00007ffff795d61c in clone3 () at
../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) Quit
(gdb)
```
This has led me to the source code of gcr-ssh-agent-service.c at line 197:
https://gitlab.gnome.org/GNOME/gcr/-/blob/gcr-3-41/gcr/gcr-ssh-agent-service.c?ref_type=heads#L191
According to the backtrace the crash appears at line 197, but there is an `if`
branch above with a wrong comparison: `op <= GCR_SSH_OP_MAX` should be `op <
GCR_SSH_OP_MAX`. I was ready to file a bug report with the gcr project when I
suddenly found that this issue has already been fixed:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/47/diffs
I built gcr-ssh-agent from the 4.2.0 branch and I can confirm that the
issue is resolved with the new binary.
I guess it might be possible to apply this patch to the gcr Debian package
as well, in order to publish a new version of the package.
---
Rustam
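The off-by-one bounds check the message points at, as an added example (constructed here, not gcr's own code): a handler table with SSH_AGENT_OP_MAX entries, the `<=` check beside the corrected `<` check, and a dispatcher that rejects unknown opcodes instead of indexing past the table. All opcode names and handler functions are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed table: three valid opcodes (0, 1, 2); the names are hypothetical. */
#define SSH_AGENT_OP_MAX 3

typedef int (*op_handler)(void);

static int op_request_identities(void) { return 11; }
static int op_sign_request(void)       { return 13; }
static int op_add_identity(void)       { return 17; }

/* Exactly SSH_AGENT_OP_MAX entries, so handlers[SSH_AGENT_OP_MAX] is one past the end. */
static const op_handler handlers[SSH_AGENT_OP_MAX] = {
    op_request_identities, op_sign_request, op_add_identity,
};

/* The comparison the report calls wrong: '<=' accepts op == SSH_AGENT_OP_MAX,
 * which is not a valid table index. */
int op_is_valid_buggy(uint8_t op) { return op <= SSH_AGENT_OP_MAX; }

/* The corrected comparison: an index is valid only if strictly below the table length. */
int op_is_valid_fixed(uint8_t op) { return op < SSH_AGENT_OP_MAX; }

/* Scans every possible request byte and returns the lowest one that the buggy
 * check accepts but the fixed check rejects, i.e. the out-of-bounds index. */
int first_accepted_out_of_bounds_op(void) {
    for (int op = 0; op <= 255; op++)
        if (op_is_valid_buggy((uint8_t)op) && !op_is_valid_fixed((uint8_t)op))
            return op;
    return -1;
}

/* Dispatcher using the corrected check: an unknown opcode yields -1 rather than
 * a read past the table, the kind of out-of-bounds access the report blames
 * for the SIGSEGV. */
int dispatch(uint8_t op) {
    if (!op_is_valid_fixed(op) || handlers[op] == NULL)
        return -1;
    return handlers[op]();
}

int main(void) {
    printf("buggy check accepts op %d, which is out of bounds\n",
           first_accepted_out_of_bounds_op());
    printf("dispatch(2) = %d, dispatch(3) = %d\n", dispatch(2), dispatch(3));
    return 0;
}
```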