Bug#1043332: gcr-ssh-agent crash has been fixed upstream

Рустам Заитов r.zaitov at gmail.com
Tue Jan 16 01:10:16 GMT 2024


Dear maintainer of gcr package,

I have also been caught by this crash of gcr-ssh-agent. I strongly believe
that this issue is attributable to GNOME's gcr-ssh-agent. This issue has
already been fixed upstream. In the following I am going to provide
arguments to support my conclusion.

I can reproduce this issue when I try to test the ssh connection:
```
# test rig
$ export SSH_AUTH_SOCK=/run/user/1000/gcr/ssh
$ ssh -T git at github.com

# crash confirmation
$ journalctl --no-pager -f
Jan 15 08:42:07 pc-debian systemd[629]: gcr-ssh-agent.service: Main process
exited, code=killed, status=11/SEGV
Jan 15 08:42:07 pc-debian systemd[629]: gcr-ssh-agent.service: Failed with
result 'signal'.
Jan 15 08:42:08 pc-debian systemd[629]: gcr-ssh-agent.service: Scheduled
restart job, restart counter is at 1.
Jan 15 08:42:08 pc-debian systemd[629]: Stopped gcr-ssh-agent.service - GCR
ssh-agent wrapper.
Jan 15 08:42:08 pc-debian systemd[629]: Started gcr-ssh-agent.service - GCR
ssh-agent wrapper.
```

I decided to attach a debugger to the running service in order to find the cause
of the problem.
```
$ export DEBUGINFOD_URLS="https://debuginfod.debian.net"
$ gdb  /usr/libexec/gcr-ssh-agent -p <pid_of_gcr-ssh-agent>
GNU gdb (Debian 13.1-3) 13.1
...
This GDB supports auto-downloading debuginfo from the following URLs:
  <https://debuginfod.debian.net>
Enable debuginfod for this session? (y or [n]) y
Debuginfod has been enabled.
...
(gdb) set pagination 0
(gdb) run /run/user/1000/gcr/
Starting program: /usr/libexec/gcr-ssh-agent /run/user/1000/gcr/
Downloading separate debug info for system-supplied DSO at 0x7ffff7fc9000
...
[New Thread 0x7ffff71f66c0 (LWP 2330)]
[New Thread 0x7ffff69f56c0 (LWP 2366)]
[Detaching after fork from child process 2367]

Thread 3 "pool" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff69f56c0 (LWP 2366)]
0x00007ffff7e5ffc0 in ascii_table_data () from
/lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) bt
#0  0x00007ffff7e5ffc0 in ascii_table_data () at
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#1  0x000055555555b25a in handle_request
    (error=0x7ffff69f4718, cancellable=0x555555574620 [GCancellable],
resp=0x7ffff69f4750, req=0x7ffff69f4720, connection=0x7fffe8006450
[GUnixConnection], self=0x555555566b60 [GcrSshAgentService])
    at ../gcr/gcr-ssh-agent-service.c:197
#2  on_run (service=<optimized out>, connection=connection at entry=0x5555555814f0
[GUnixConnection], source_object=source_object at entry=0x0,
user_data=user_data at entry=0x555555566b60)
    at ../gcr/gcr-ssh-agent-service.c:326
#3  0x00007ffff7bea19e in _g_cclosure_marshal_BOOLEAN__OBJECT_OBJECTv
    (closure=0x555555580660, return_value=0x7ffff69f4940,
instance=<optimized out>, args=<optimized out>, marshal_data=<optimized
out>, n_params=<optimized out>, param_types=0x55555557c4c0)
    at ../../../gio/gmarshal-internal.c:335
#4  0x00007ffff7d5d5a9 in _g_closure_invoke_va
    (closure=closure at entry=0x555555580660,
return_value=return_value at entry=0x7ffff69f4940,
instance=instance at entry=0x5555555775d0, args=args at entry=0x7ffff69f4a10,
n_params=2, param_types=0x55555557c4c0)
    at ../../../gobject/gclosure.c:895
#5  0x00007ffff7d7605e in g_signal_emit_valist (instance=0x5555555775d0,
signal_id=8, detail=<optimized out>, var_args=var_args at entry=0x7ffff69f4a10)
at ../../../gobject/gsignal.c:3456
#6  0x00007ffff7d76dbf in g_signal_emit (instance=<optimized out>,
signal_id=<optimized out>, detail=detail at entry=0) at
../../../gobject/gsignal.c:3606
#7  0x00007ffff7c1c71d in g_threaded_socket_service_func
(job_data=0x555555576400, user_data=<optimized out>) at
../../../gio/gthreadedsocketservice.c:98
#8  0x00007ffff7e256ca in g_thread_pool_thread_proxy (data=<optimized out>)
at ../../../glib/gthreadpool.c:352
#9  0x00007ffff7e24cfd in g_thread_proxy (data=0x5555555671e0) at
../../../glib/gthread.c:831
#10 0x00007ffff78dd044 in start_thread (arg=<optimized out>) at
./nptl/pthread_create.c:442
#11 0x00007ffff795d61c in clone3 () at
../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
(gdb) Quit
(gdb)
```

This led me to the source code of gcr-ssh-agent-service.c at line 197:
https://gitlab.gnome.org/GNOME/gcr/-/blob/gcr-3-41/gcr/gcr-ssh-agent-service.c?ref_type=heads#L191

According to the backtrace the crash appears at line 197, but there is an `if`
branch above with a wrong comparison: `op <= GCR_SSH_OP_MAX` should be `op <
GCR_SSH_OP_MAX`. I was ready to file a bug report with the gcr project when I
suddenly found that this issue has already been fixed:
https://gitlab.gnome.org/GNOME/gnome-keyring/-/merge_requests/47/diffs

I built gcr-ssh-agent from the 4.2.0 branch and I can confirm that the
issue is resolved with the new binary.

I guess it might be possible to apply this patch to the gcr Debian package
as well, in order to publish a new version of the package.

---
Rustam
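The `<=` versus `<` bound check discussed in the mail above, shown as an added example that is not part of the original message and is not gcr's code. It models a request dispatcher indexed by an op byte, the way an ssh-agent service is typically structured: a table of `OP_MAX` handler pointers, a buggy check that admits index `OP_MAX` (one past the end of the table), and the corrected check. The op values, `OP_MAX`, the handler names and the error codes are assumptions invented for the example; the message framing (big-endian uint32 length, one type byte, then payload) follows the ssh-agent wire format, and the sample messages are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical op codes and table size; not gcr's definitions.
 * OP_MAX is the number of table entries, so valid indices are 0..OP_MAX-1. */
enum {
    OP_REQUEST_IDENTITIES = 11,
    OP_SIGN_REQUEST       = 13,
    OP_ADD_IDENTITY       = 17,
    OP_MAX                = 28
};

typedef int (*op_handler)(const uint8_t *payload, size_t len);

/* Stand-in handlers: each returns a distinct value so dispatch is observable. */
static int h_request_identities(const uint8_t *p, size_t n) { (void)p; (void)n; return 1; }
static int h_sign_request(const uint8_t *p, size_t n)       { (void)p; return n > 0 ? 2 : -1; }
static int h_add_identity(const uint8_t *p, size_t n)       { (void)p; (void)n; return 3; }

/* Sparse dispatch table; unassigned slots are NULL. */
static const op_handler handlers[OP_MAX] = {
    [OP_REQUEST_IDENTITIES] = h_request_identities,
    [OP_SIGN_REQUEST]       = h_sign_request,
    [OP_ADD_IDENTITY]       = h_add_identity,
};

/* The check as the mail describes the bug: op == OP_MAX slips through and
 * handlers[op] would read one element past the end of the table. */
int op_passes_buggy_check(unsigned op) { return op <= OP_MAX; }

/* The corrected check: only indices that exist in the table pass. */
int op_passes_fixed_check(unsigned op) { return op < OP_MAX; }

/* Hypothetical error codes for the dispatcher below. */
#define ERR_SHORT      (-10)  /* fewer than 5 bytes: no length + type */
#define ERR_BAD_LEN    (-11)  /* declared length does not fit the buffer */
#define ERR_BAD_OP     (-12)  /* op outside the table */
#define ERR_NO_HANDLER (-13)  /* op in range but no handler assigned */

/* Parse one framed agent message and dispatch it with the corrected check.
 * Returns the handler's result, or one of the negative error codes. */
int dispatch_message(const uint8_t *buf, size_t buflen)
{
    if (buflen < 5)
        return ERR_SHORT;
    uint32_t len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
                 | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len < 1 || (size_t)len > buflen - 4)
        return ERR_BAD_LEN;
    unsigned op = buf[4];
    if (!op_passes_fixed_check(op))   /* op < OP_MAX, never op <= OP_MAX */
        return ERR_BAD_OP;
    if (handlers[op] == NULL)         /* in range, but nothing registered */
        return ERR_NO_HANDLER;
    return handlers[op](buf + 5, len - 1);
}

/* Constructed sample messages: length (4 bytes, big-endian), type, payload. */
static const uint8_t SAMPLE_LIST_IDS[]   = { 0, 0, 0, 1, OP_REQUEST_IDENTITIES };
static const uint8_t SAMPLE_SIGN[]       = { 0, 0, 0, 2, OP_SIGN_REQUEST, 0xAA };
static const uint8_t SAMPLE_OP_MAX[]     = { 0, 0, 0, 1, OP_MAX };      /* off-by-one probe */
static const uint8_t SAMPLE_UNASSIGNED[] = { 0, 0, 0, 1, 5 };           /* in range, NULL slot */
static const uint8_t SAMPLE_BAD_LEN[]    = { 0, 0, 0, 9, OP_REQUEST_IDENTITIES };
static const uint8_t SAMPLE_SHORT[]      = { 0, 0, 0, 1 };

int main(void)
{
    printf("buggy check admits OP_MAX: %d, fixed check admits OP_MAX: %d\n",
           op_passes_buggy_check(OP_MAX), op_passes_fixed_check(OP_MAX));
    printf("list ids   -> %d\n", dispatch_message(SAMPLE_LIST_IDS, sizeof SAMPLE_LIST_IDS));
    printf("sign       -> %d\n", dispatch_message(SAMPLE_SIGN, sizeof SAMPLE_SIGN));
    printf("op == max  -> %d\n", dispatch_message(SAMPLE_OP_MAX, sizeof SAMPLE_OP_MAX));
    printf("unassigned -> %d\n", dispatch_message(SAMPLE_UNASSIGNED, sizeof SAMPLE_UNASSIGNED));
    printf("bad length -> %d\n", dispatch_message(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN));
    printf("short      -> %d\n", dispatch_message(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The point of the two check functions is that `op_passes_buggy_check(OP_MAX)` returns true while `handlers` only has indices `0..OP_MAX-1`, so a message whose type byte equals `OP_MAX` makes the dispatcher read a function pointer from past the end of the table and then call through it; whatever garbage lands there decides whether that is a clean crash or something worse. The dispatcher also separates "out of range" from "in range but unassigned", because a sparse table needs both checks before calling through a pointer.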