1930652 – multiple programs crash in __pkcs15_create_prkey_object when yubikey is inserted

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1930652 - multiple programs crash in __pkcs15_create_prkey_object when yubikey is inserted

Summary: multiple programs crash in __pkcs15_create_prkey_object when yubikey is inserted

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	opensc
Sub Component:
Version:	34
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Jakub Jelen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedFreezeException
Duplicates (1):	1931127 (view as bug list)
Depends On:
Blocks:	F34BetaFreezeException
TreeView+	depends on / blocked

Reported:	2021-02-19 11:23 UTC by Zbigniew Jędrzejewski-Szmek
Modified:	2021-03-02 04:37 UTC (History)
CC List:	18 users (show)
Fixed In Version:	opensc-0.21.0-4.fc34
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-03-02 04:37:34 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
'bt full' from gsd-smartcard crash (12.15 KB, text/plain) 2021-02-19 11:23 UTC, Zbigniew Jędrzejewski-Szmek	no flags	Details
View All

Description Zbigniew Jędrzejewski-Szmek 2021-02-19 11:23:16 UTC

Created attachment 1758130 [details]
'bt full' from gsd-smartcard crash

The same for evolution, firefox, a bunch of other programs. This essentially renders the graphical
session unusable, because most things don't want to start. Example strace from evolution:

           PID: 119600 (evolution)
           UID: 1000 (zbyszek)
           GID: 1000 (zbyszek)
        Signal: 11 (SEGV)
     Timestamp: Fri 2021-02-19 11:47:57 CET (18min ago)
  Command Line: evolution
    Executable: /usr/bin/evolution
 Control Group: /user.slice/user-1000.slice/user/app.slice/app-gnome-Alacritty-118290.scope
          Unit: user
     User Unit: app-gnome-Alacritty-118290.scope
         Slice: user-1000.slice
     Owner UID: 1000 (zbyszek)
       Boot ID: d5e54a15e71d41a1a68f6b0067db953e
    Machine ID: 08a5690a2eed47cf92ac0a5d2e3cf6b0
      Hostname: krowka
       Storage: /var/lib/systemd/coredump/core.evolution.1000.d5e54a15e71d41a1a68f6b0067db953e.119600.1613731677000000.zst (present)
     Disk Size: 2.7M
       Message: Process 119600 (evolution) of user 1000 dumped core.
                
                Stack trace of thread 119600:
                #0  0x00007f27a42fba6a __pkcs15_create_prkey_object (opensc-pkcs11.so + 0x18a6a)
                #1  0x00007f27a42fc00d pkcs15_create_pkcs11_objects (opensc-pkcs11.so + 0x1900d)
                #2  0x00007f27a4306751 pkcs15_create_tokens.lto_priv.0 (opensc-pkcs11.so + 0x23751)
                #3  0x00007f27a42f8217 card_detect (opensc-pkcs11.so + 0x15217)
                #4  0x00007f27a42f9de8 card_detect_all (opensc-pkcs11.so + 0x16de8)
                #5  0x00007f27a42fa5f3 C_Initialize (opensc-pkcs11.so + 0x175f3)
                #6  0x00007f27a870d8aa initialize_module_inlock_reentrant (libp11-kit.so.0 + 0x2b8aa)
                #7  0x00007f27a870dc89 managed_C_Initialize (libp11-kit.so.0 + 0x2bc89)
                #8  0x00007f27a8714019 p11_kit_modules_initialize (libp11-kit.so.0 + 0x32019)
                #9  0x00007f27a8714467 proxy_C_Initialize (libp11-kit.so.0 + 0x32467)
                #10 0x00007f27aebaa993 secmod_ModuleInit (libnss3.so + 0x48993)
                #11 0x00007f27aebab0f4 secmod_LoadPKCS11Module (libnss3.so + 0x490f4)
                #12 0x00007f27aebb8885 SECMOD_LoadModule (libnss3.so + 0x56885)
                #13 0x00007f27aebb89d0 SECMOD_LoadModule (libnss3.so + 0x569d0)
                #14 0x00007f27aeb80ee1 nss_Init (libnss3.so + 0x1eee1)
                #15 0x00007f27aeb8152c NSS_InitWithMerge (libnss3.so + 0x1f52c)
                #16 0x00007f27b365cbbd camel_init (libcamel-1.2.so.62 + 0x4abbd)
                #17 0x00007f27a4b0b9aa e_cert_db_class_intern_init (libessmime.so + 0x69aa)
                #18 0x00007f27b29e64c8 g_type_class_ref (libgobject-2.0.so.0 + 0x3a4c8)
                #19 0x00007f27b29d0078 g_object_new_with_properties (libgobject-2.0.so.0 + 0x24078)
                #20 0x00007f27b29d0a41 g_object_new (libgobject-2.0.so.0 + 0x24a41)
                #21 0x00007f27a4b0d921 e_cert_db_peek (libessmime.so + 0x8921)
                #22 0x00007f27a4b25f83 smime_component_init (libevolution-smime.so + 0xff83)
                #23 0x00007f27a47249d5 book_shell_backend_constructed (module-addressbook.so + 0xf9d5)
                #24 0x00007f27b29cf1e8 g_object_new_internal (libgobject-2.0.so.0 + 0x231e8)
                #25 0x00007f27b29d04e8 g_object_new_valist (libgobject-2.0.so.0 + 0x244e8)
                #26 0x00007f27b29d0a1d g_object_new (libgobject-2.0.so.0 + 0x24a1d)
                #27 0x00007f27b2c0953c extensible_load_extension (libedataserver-1.2.so.26 + 0x3253c)
                #28 0x00007f27b2c5f4cf e_type_traverse (libedataserver-1.2.so.26 + 0x884cf)
                #29 0x00007f27b2c5f4b6 e_type_traverse (libedataserver-1.2.so.26 + 0x884b6)
                #30 0x00007f27b2c145b2 e_extensible_load_extensions (libedataserver-1.2.so.26 + 0x3d5b2)
                #31 0x00007f27b2c14681 e_extensible_list_extensions (libedataserver-1.2.so.26 + 0x3d681)
                #32 0x00007f27b37c5793 e_shell_load_modules (libevolution-shell.so + 0x1a793)
                #33 0x0000562352b3ca9b main (evolution + 0x5a9b)
                #34 0x00007f27b2551b75 __libc_start_main (libc.so.6 + 0x27b75)
                #35 0x0000562352b3cf7e _start (evolution + 0x5f7e)
                
                Stack trace of thread 119601:
                #0  0x00007f27b36069ca __futex_abstimed_wait_common64 (libpthread.so.0 + 0x159ca)
                #1  0x00007f27b3600280 pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0 + 0xf280)
                #2  0x00007f27ad675bc0 _ZNSt18condition_variable4waitERSt11unique_lockISt5mutexE (libstdc++.so.6 + 0xd3bc0)
                #3  0x00007f27ad010e32 _ZN7bmalloc9Scavenger13threadRunLoopEv (libjavascriptcoregtk-4.0.so.18 + 0x14c2e32)
                #4  0x00007f27ad0110ef _ZN7bmalloc9Scavenger16threadEntryPointEPS0_ (libjavascriptcoregtk-4.0.so.18 + 0x14c30ef)
                #5  0x00007f27ad67bce4 execute_native_thread_routine (libstdc++.so.6 + 0xd9ce4)
                #6  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #7  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)
                
                Stack trace of thread 119602:
                #0  0x00007f27b261f9bf __poll (libc.so.6 + 0xf59bf)
                #1  0x00007f27b35642f6 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa82f6)
                #2  0x00007f27b350e9b3 g_main_context_iteration (libglib-2.0.so.0 + 0x529b3)
                #3  0x00007f27b350ea01 glib_worker_main (libglib-2.0.so.0 + 0x52a01)
                #4  0x00007f27b353f6b2 g_thread_proxy (libglib-2.0.so.0 + 0x836b2)
                #5  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #6  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)
                
                Stack trace of thread 119603:
                #0  0x00007f27b262511d syscall (libc.so.6 + 0xfb11d)
                #1  0x00007f27b355ed5c g_cond_wait_until (libglib-2.0.so.0 + 0xa2d5c)
                #2  0x00007f27b34e12a1 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0 + 0x252a1)
                #3  0x00007f27b35423da g_thread_pool_thread_proxy.lto_priv.0 (libglib-2.0.so.0 + 0x863da)
                #4  0x00007f27b353f6b2 g_thread_proxy (libglib-2.0.so.0 + 0x836b2)
                #5  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #6  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)
                
                Stack trace of thread 119604:
                #0  0x00007f27b261f9bf __poll (libc.so.6 + 0xf59bf)
                #1  0x00007f27b35642f6 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa82f6)
                #2  0x00007f27b35107a3 g_main_loop_run (libglib-2.0.so.0 + 0x547a3)
                #3  0x00007f27b2b17bba gdbus_shared_thread_func (libgio-2.0.so.0 + 0x10fbba)
                #4  0x00007f27b353f6b2 g_thread_proxy (libglib-2.0.so.0 + 0x836b2)
                #5  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #6  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)
                
                Stack trace of thread 119605:
                #0  0x00007f27b261f9bf __poll (libc.so.6 + 0xf59bf)
                #1  0x00007f27b35642f6 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa82f6)
                #2  0x00007f27b350e9b3 g_main_context_iteration (libglib-2.0.so.0 + 0x529b3)
                #3  0x00007f27a740c08d dconf_gdbus_worker_thread (libdconfsettings.so + 0x708d)
                #4  0x00007f27b353f6b2 g_thread_proxy (libglib-2.0.so.0 + 0x836b2)
                #5  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #6  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)
                
                Stack trace of thread 119607:
                #0  0x00007f27b261f9bf __poll (libc.so.6 + 0xf59bf)
                #1  0x00007f27b35642f6 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa82f6)
                #2  0x00007f27b35107a3 g_main_loop_run (libglib-2.0.so.0 + 0x547a3)
                #3  0x00007f27b2c4624f source_registry_object_manager_thread (libedataserver-1.2.so.26 + 0x6f24f)
                #4  0x00007f27b353f6b2 g_thread_proxy (libglib-2.0.so.0 + 0x836b2)
                #5  0x00007f27b35fa269 start_thread (libpthread.so.0 + 0x9269)
                #6  0x00007f27b262a663 __clone (libc.so.6 + 0x100663)

Core was generated by `evolution'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f27a42fba6a in __pkcs15_create_prkey_object (fw_data=0x562354361020, prkey=0x562354370bc0, prkey_object=0x0)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/framework-pkcs15.c:785
785			object->prv_info = (struct sc_pkcs15_prkey_info *) prkey->data;

(gdb) bt
#0  0x00007f27a42fba6a in __pkcs15_create_prkey_object (fw_data=0x562354361020, prkey=0x562354370bc0, prkey_object=0x0)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/framework-pkcs15.c:785
#1  0x00007f27a42fc00d in pkcs15_create_pkcs11_objects (fw_data=0x562354361020, p15_type=0, 
    p15_type@entry=257, name=0x7f27a430d5e1 "RSA private key", create=0x7f27a42fba00 <__pkcs15_create_prkey_object>)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/framework-pkcs15.c:847
#2  0x00007f27a4306751 in _pkcs15_create_typed_objects (fw_data=0x562354361020)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/framework-pkcs15.c:1202
#3  pkcs15_create_tokens (p11card=0x56235435fe30, app_info=0x0)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/framework-pkcs15.c:1498
#4  0x00007f27a42f8217 in card_detect (reader=0x56235435ec60)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/slot.c:327
#5  0x00007f27a42f9de8 in card_detect_all () at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/slot.c:420
#6  0x00007f27a42fa5f3 in C_Initialize (pInitArgs=<optimized out>)
    at /usr/src/debug/opensc-0.21.0-2.fc34.x86_64/src/pkcs11/pkcs11-global.c:323
#7  0x00007f27a870d8aa in initialize_module_inlock_reentrant (mod=0x56235434e390, init_args=0x56235434e5b0, 
    init_args@entry=0x0) at ../p11-kit/modules.c:738
#8  0x00007f27a870dc89 in managed_C_Initialize (self=0x56235434f1b0, init_args=0x0) at ../p11-kit/modules.c:1584
#9  0x00007f27a8714019 in p11_kit_modules_initialize (failure_callback=<optimized out>, modules=<optimized out>)
    at ../p11-kit/modules.c:2157
#10 p11_kit_modules_initialize (modules=0x56235434f6a0, failure_callback=failure_callback@entry=0x0)
    at ../p11-kit/modules.c:2145
#11 0x00007f27a8714467 in proxy_create (n_mappings=0, mappings=0x0, loaded=0x56235434f190, res=<synthetic pointer>)
    at ../p11-kit/proxy.c:348
#12 proxy_C_Initialize (self=0x56235435ce50, init_args=<optimized out>) at ../p11-kit/proxy.c:416
#13 0x00007f27aebaa993 in secmod_ModuleInit
    (mod=mod@entry=0x56235433df60, reload=reload@entry=0x7ffc478a5390, alreadyLoaded=alreadyLoaded@entry=0x7ffc478a529c)
    at pk11load.c:244
#14 0x00007f27aebab0f4 in secmod_LoadPKCS11Module (mod=mod@entry=0x56235433df60, oldModule=oldModule@entry=0x7ffc478a5390)
    at pk11load.c:534
#15 0x00007f27aebb8885 in SECMOD_LoadModule
    (modulespec=0x5623542bbad0 "name=\"p11-kit-proxy\" library=\"p11-kit-proxy.so\"", parent=0x562354234780, recurse=1)
    at pk11pars.c:1944
#16 0x00007f27aebb89d0 in SECMOD_LoadModule
    (modulespec=modulespec@entry=0x7f27aec592a0 "name=\"Policy File\" parameters=\"configdir='sql:/etc/crypto-policies/back-ends' secmod='nss.config' flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOn"..., parent=parent@entry=0x562353fb13e0, recurse=recurse@entry=1) at pk11pars.c:1980
#17 0x00007f27aeb80ee1 in nss_Init
    (configdir=configdir@entry=0x562354297bc0 "sql:/etc/pki/nssdb", certPrefix=certPrefix@entry=0x7f27b37139b4 "", keyPrefix=keyPrefix@entry=0x7f27b37139b4 "", secmodName=secmodName@entry=0x7f27b37045fb "secmod.db", updateDir=updateDir@entry=0x56235422d720 "/home/zbyszek/.local/share/evolution", updCertPrefix=updCertPrefix@entry=0x7f27b37139b4 "", updKeyPrefix=<optimized out>, updateID=<optimized out>, updateName=<optimized out>, initContextPtr=<optimized out>, initParams=<optimized out>, readOnly=<optimized out>, noCertDB=<optimized out>, noModDB=<optimized out>, forceOpen=<optimized out>, noRootInit=<optimized out>, optimizeSpace=<optimized out>, noSingleThreadedModules=<optimized out>, allowAlreadyInitializedModules=<optimized out>, dontFinalizeModules=<optimized out>) at nssinit.c:712
#18 0x00007f27aeb8152c in NSS_InitWithMerge
    (configdir=configdir@entry=0x562354297bc0 "sql:/etc/pki/nssdb", certPrefix=certPrefix@entry=0x7f27b37139b4 "", keyPrefix=keyPrefix@entry=0x7f27b37139b4 "", secmodName=secmodName@entry=0x7f27b37045fb "secmod.db", updateDir=updateDir@entry=0x56235422d720 "/home/zbyszek/.local/share/evolution", updCertPrefix=updCertPrefix@entry=0x7f27b37139b4 "", updKeyPrefix=0x7f27b37139b4 --Type <RET> for more, q to quit, c to continue without paging--
"", updateID=0x56235422d720 "/home/zbyszek/.local/share/evolution", updateName=0x7f27b3704605 "Evolution S/MIME", flags=0)
    at nssinit.c:930
#19 0x00007f27b365cbbd in camel_init (nss_init=1, configdir=0x562354080800 "/home/zbyszek/.local/share/evolution")
    at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/camel/camel.c:162
#20 camel_init (configdir=0x562354080800 "/home/zbyszek/.local/share/evolution", nss_init=nss_init@entry=1)
    at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/camel/camel.c:79
#21 0x00007f27a4b0b9aa in initialize_nss () at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/lib/e-cert-db.c:483
#22 e_cert_db_class_init (class=0x562354261700)
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/lib/e-cert-db.c:599
#23 e_cert_db_class_intern_init (klass=0x562354261700)
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/lib/e-cert-db.c:89
#24 0x00007f27b29e64c8 in type_class_init_Wm (pclass=<optimized out>, node=<optimized out>) at ../gobject/gtype.c:2289
#25 g_type_class_ref (type=<optimized out>) at ../gobject/gtype.c:3004
#26 0x00007f27b29d0078 in g_object_new_with_properties
    (object_type=0x56235422e380 [None], n_properties=0, names=names@entry=0x0, values=values@entry=0x0)
    at ../gobject/gobject.c:2078
#27 0x00007f27b29d0a41 in g_object_new (object_type=<optimized out>, first_property_name=first_property_name@entry=0x0)
    at ../gobject/gobject.c:1779
#28 0x00007f27a4b0d921 in e_cert_db_peek () at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/lib/e-cert-db.c:647
#29 0x00007f27a4b25f83 in smime_component_init ()
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/gui/component.c:127
#30 smime_component_init () at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/smime/gui/component.c:120
#31 0x00007f27a47249d5 in book_shell_backend_constructed (object=0x562354227240)
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/modules/addressbook/e-book-shell-backend.c:462
#32 0x00007f27b29cf1e8 in g_object_new_with_custom_constructor (n_params=1, params=0x7ffc478a5a40, class=0x5623541367c0)
    at ../gobject/gobject.c:1911
#33 g_object_new_internal (class=class@entry=0x5623541367c0, params=params@entry=0x7ffc478a5a40, n_params=n_params@entry=1)
    at ../gobject/gobject.c:1937
#34 0x00007f27b29d04e8 in g_object_new_valistPython Exception <class 'TypeError'> can only concatenate str (not "NoneType") to str: 

    (object_type=, first_property_name=<optimized out>, var_args=var_args@entry=0x7ffc478a5d10) at ../gobject/gobject.c:2282
#35 0x00007f27b29d0a1d in g_object_new (object_type=<optimized out>, first_property_name=<optimized out>)
    at ../gobject/gobject.c:1782
#36 0x00007f27b2c0953c in extensible_load_extension(GType, EExtensible*)Python Exception <class 'TypeError'> can only concatenate str (not "NoneType") to str: 
 (extension_type=, extensible=0x5623541ca260)
    at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/libedataserver/e-extensible.c:93
#37 0x00007f27b2c5f4cf in e_type_traverse(GType, ETypeFunc, gpointer)
    (parent_type=<optimized out>, func=0x7f27b2c094f0 <extensible_load_extension(GType, EExtensible*)>, user_data=0x5623541ca260) at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/libedataserver/e-data-server-util.c:2979
#38 0x00007f27b2c5f4b6 in e_type_traverse(GType, ETypeFunc, gpointer)
    (parent_type=<optimized out>, func=0x7f27b2c094f0 <extensible_load_extension(GType, EExtensible*)>, user_data=0x5623541ca260) at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/libedataserver/e-data-server-util.c:2973
#39 0x00007f27b2c145b2 in e_extensible_load_extensions(EExtensible*) (extensible=0x5623541ca260)
    at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/libedataserver/e-extensible.c:138
#40 0x00007f27b2c14681 in e_extensible_list_extensions(EExtensible*, GType)Python Exception <class 'TypeError'> can only concatenate str (not "NoneType") to str: 
 (extensible=0x5623541ca260, extension_type=)
    at /usr/src/debug/evolution-data-server-3.39.2-3.fc34.x86_64/src/libedataserver/e-extensible.c:180
#41 0x00007f27b37c5793 in e_shell_load_modules (shell=0x5623541ca260)
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/shell/e-shell.c:2209
#42 0x0000562352b3ca9b in main (argc=<optimized out>, argv=<optimized out>)
    at /usr/src/debug/evolution-3.39.2-1.fc34.x86_64/src/shell/main.c:661

gsd-smartcard:
                Stack trace of thread 127214:
                #0  0x00007f4250e92a6a __pkcs15_create_prkey_object (opensc-pkcs11.so + 0x18a6a)
                #1  0x00007f4250e9300d pkcs15_create_pkcs11_objects (opensc-pkcs11.so + 0x1900d)
                #2  0x00007f4250e9d751 pkcs15_create_tokens.lto_priv.0 (opensc-pkcs11.so + 0x23751)
                #3  0x00007f4250e8f217 card_detect (opensc-pkcs11.so + 0x15217)
                #4  0x00007f4250e90de8 card_detect_all (opensc-pkcs11.so + 0x16de8)
                #5  0x00007f4250e915f3 C_Initialize (opensc-pkcs11.so + 0x175f3)
                #6  0x00007f4250a3c8aa initialize_module_inlock_reentrant (p11-kit-proxy.so + 0x2b8aa)
                #7  0x00007f4250a3cc89 managed_C_Initialize (p11-kit-proxy.so + 0x2bc89)
                #8  0x00007f4250a43019 p11_kit_modules_initialize (p11-kit-proxy.so + 0x32019)
                #9  0x00007f4250a43467 proxy_C_Initialize (p11-kit-proxy.so + 0x32467)
                #10 0x00007f425371f993 secmod_ModuleInit (libnss3.so + 0x48993)
                #11 0x00007f42537200f4 secmod_LoadPKCS11Module (libnss3.so + 0x490f4)
                #12 0x00007f425372d885 SECMOD_LoadModule (libnss3.so + 0x56885)
                #13 0x00007f425372d9d0 SECMOD_LoadModule (libnss3.so + 0x569d0)
                #14 0x00007f42536f5ee1 nss_Init (libnss3.so + 0x1eee1)
                #15 0x00007f42536f6470 NSS_InitContext (libnss3.so + 0x1f470)
                #16 0x000055c71f4d70d6 load_nss (gsd-smartcard + 0xc0d6)
                #17 0x000055c71f4d79bc gsd_smartcard_manager_idle_cb (gsd-smartcard + 0xc9bc)
                #18 0x00007f42538624fb g_idle_dispatch (libglib-2.0.so.0 + 0x514fb)
                #19 0x00007f42538660bf g_main_context_dispatch (libglib-2.0.so.0 + 0x550bf)
                #20 0x00007f42538b9358 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xa8358)
                #21 0x00007f42538657a3 g_main_loop_run (libglib-2.0.so.0 + 0x547a3)
                #22 0x000055c71f4d323a main (gsd-smartcard + 0x823a)
                #23 0x00007f42534cfb75 __libc_start_main (libc.so.6 + 0x27b75)
                #24 0x000055c71f4d335e _start (gsd-smartcard + 0x835e)


I'll attach 'bt full'.
This only happens if the usb key is inserted. Actually (as I discovered when writing the first
version of this bug report), it also causes firefox to crash when inserted after the program
is already running ;(

Version-Release number of selected component (if applicable):
opensc-0.21.0-2.fc34.x86_64
p11-kit-0.23.22-3.fc34.x86_64
p11-kit-0.23.22-3.fc34.i686
gnome-settings-daemon-40~beta-2.fc34.x86_64

How reproducible:
100%.

Steps to Reproduce:
1. insert key, launch program
or
2. launch program, insert key

Comment 1 Jakub Jelen 2021-02-19 12:29:06 UTC

Hmm ... the code in __pkcs15_create_prkey_object is mostly uchanged since 2003. The whole package is the same as in Fedora 33. The same for p11-kit and I think also NSS. Nothing else should have significant effect on what is going on there.

It could theoretically be related to https://github.com/OpenSC/OpenSC/issues/2199 but I do not see the same traces.

Can you reproduce the crash with pkcs11-tool only? For example

  pkcs11-tool -L

or only with p11-kit proxy such as

  pkcs11-tool -L --module /usr/lib64/p11-kit-proxy.so

Or is the NSS involvement needed? Does the following crash too?

  certutil -L -d sql:/etc/pki/nssdb/ -h all

Comment 2 Zbigniew Jędrzejewski-Szmek 2021-02-21 11:51:54 UTC

(In reply to Jakub Jelen from comment #1)
> Hmm ... the code in __pkcs15_create_prkey_object is mostly uchanged since
> 2003. The whole package is the same as in Fedora 33. The same for p11-kit
> and I think also NSS. Nothing else should have significant effect on what is
> going on there.

FWIW, I use this particular device almost every day, and this started happening immediately after the upgrade to F34.

I now tested this with other keys I had lying around, and it also occurs.
(Not with "1050:0120 Yubico.com Yubikey Touch U2F Security Key", but with
two other "real" yubikeys.)

> Can you reproduce the crash with pkcs11-tool only? For example
> 
>   pkcs11-tool -L
Yes. 

>   pkcs11-tool -L --module /usr/lib64/p11-kit-proxy.so
Also yes.

$ valgrind pkcs11-tool -L --module /usr/lib64/p11-kit-proxy.so
==257577== Memcheck, a memory error detector
==257577== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==257577== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==257577== Command: pkcs11-tool -L --module /usr/lib64/p11-kit-proxy.so
==257577== 
==257577== Invalid write of size 8
==257577==    at 0x4863A6A: __pkcs15_create_prkey_object (framework-pkcs15.c:785)
==257577==    by 0x486400C: pkcs15_create_pkcs11_objects (framework-pkcs15.c:847)
==257577==    by 0x486E750: UnknownInlinedFun (framework-pkcs15.c:1202)
==257577==    by 0x486E750: pkcs15_create_tokens.lto_priv.0 (framework-pkcs15.c:1498)
==257577==    by 0x4860216: card_detect (slot.c:327)
==257577==    by 0x4861DE7: card_detect_all (slot.c:420)
==257577==    by 0x48625F2: C_Initialize (pkcs11-global.c:323)
==257577==    by 0x53A78A9: initialize_module_inlock_reentrant (modules.c:738)
==257577==    by 0x53A7C88: managed_C_Initialize (modules.c:1584)
==257577==    by 0x53AE018: UnknownInlinedFun (modules.c:2157)
==257577==    by 0x53AE018: p11_kit_modules_initialize (modules.c:2145)
==257577==    by 0x53AE466: UnknownInlinedFun (proxy.c:348)
==257577==    by 0x53AE466: proxy_C_Initialize (proxy.c:416)
==257577==    by 0x10FC47: main (pkcs11-tool.c:982)
==257577==  Address 0x48 is not stack'd, malloc'd or (recently) free'd
==257577== 
==257577== 
==257577== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==257577==  Access not within mapped region at address 0x48
==257577==    at 0x4863A6A: __pkcs15_create_prkey_object (framework-pkcs15.c:785)
==257577==    by 0x486400C: pkcs15_create_pkcs11_objects (framework-pkcs15.c:847)
==257577==    by 0x486E750: UnknownInlinedFun (framework-pkcs15.c:1202)
==257577==    by 0x486E750: pkcs15_create_tokens.lto_priv.0 (framework-pkcs15.c:1498)
==257577==    by 0x4860216: card_detect (slot.c:327)
==257577==    by 0x4861DE7: card_detect_all (slot.c:420)
==257577==    by 0x48625F2: C_Initialize (pkcs11-global.c:323)
==257577==    by 0x53A78A9: initialize_module_inlock_reentrant (modules.c:738)
==257577==    by 0x53A7C88: managed_C_Initialize (modules.c:1584)
==257577==    by 0x53AE018: UnknownInlinedFun (modules.c:2157)
==257577==    by 0x53AE018: p11_kit_modules_initialize (modules.c:2145)
==257577==    by 0x53AE466: UnknownInlinedFun (proxy.c:348)
==257577==    by 0x53AE466: proxy_C_Initialize (proxy.c:416)
==257577==    by 0x10FC47: main (pkcs11-tool.c:982)
==257577==  If you believe this happened as a result of a stack
==257577==  overflow in your program's main thread (unlikely but
==257577==  possible), you can try to increase the size of the
==257577==  main thread stack using the --main-stacksize= flag.
==257577==  The main thread stack size used in this run was 8388608.
==257577== 
==257577== HEAP SUMMARY:
==257577==     in use at exit: 188,790 bytes in 2,930 blocks
==257577==   total heap usage: 3,311 allocs, 381 frees, 319,867 bytes allocated
==257577== 
==257577== LEAK SUMMARY:
==257577==    definitely lost: 0 bytes in 0 blocks
==257577==    indirectly lost: 0 bytes in 0 blocks
==257577==      possibly lost: 0 bytes in 0 blocks
==257577==    still reachable: 188,790 bytes in 2,930 blocks
==257577==         suppressed: 0 bytes in 0 blocks
==257577== Rerun with --leak-check=full to see details of leaked memory
==257577== 
==257577== For lists of detected and suppressed errors, rerun with: -s
==257577== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[2]    257577 segmentation fault (core dumped)  valgrind pkcs11-tool -L --module /usr/lib64/p11-kit-proxy.so

> Or is the NSS involvement needed? Does the following crash too?
> 
>   certutil -L -d sql:/etc/pki/nssdb/ -h all
Same.

Comment 3 Jakub Jelen 2021-02-22 15:35:32 UTC

Thanks for checking it is reproducible with bare opensc. I will check with Fedora 34 if I can get some more information from this. The valgrind report is also useful, but it is not more clear to me what is going on there.

Comment 4 Jakub Jelen 2021-02-23 09:04:47 UTC

The silence does not mean that there is nothing going on :) I can reproduce also with different card types while the crash looks the same. The valgrind nor gdb helps much to figure out what is wrong there. I can reproduce the same with locally rebuilt package.

I can NOT reproduce it with the OpenSC built from upstream repository (master nor 0.21.0) with clang and address sanitizer nor with the original fedora package rebuilt with clang so I assume this is some issue with compiler flags, gcc, glibc or down there. I will investigate further as this needs to be resolved before GA.

Comment 5 Jakub Jelen 2021-02-23 10:29:57 UTC

Manually downloading and installing opensc-0.21.0-1.fc33 from koji [1] also prevents the crash. This is the same code as current and was built with gcc-10 before update to gcc-11 so I assume it is an issue of gcc or some related package. Unfortunately, we do not have more isolated reproducer than this huge package. Reassigning to GCC for now.

Reproducible with either yubikey or with the following test from Fedora CI (with virtual smart card):

https://src.fedoraproject.org/rpms/opensc/blob/rawhide/f/tests/pkcs11-tool

Let me know if there is some more info that can help to resolve the issues.

[1] https://koji.fedoraproject.org/koji/buildinfo?buildID=1645345

Comment 6 Florian Weimer 2021-02-23 10:51:07 UTC

Code looks dodgy:

	struct pkcs15_prkey_object *object = NULL;
[…]
	rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
			prkey, &pkcs15_prkey_ops, sizeof(struct pkcs15_prkey_object));

A write to a struct pkcs15_any_object * object cannot change a struct pkcs15_prkey_object * object under strict aliasing rules.

Please check if the issue goes away when building with -fno-strict-aliasing.

Comment 7 Jakub Jelinek 2021-02-23 11:24:06 UTC

Yeah.  And if -fno-strict-aliasing helps, perhaps even just -fno-ipa-modref could help, GCC 11 has added interprocedural optimization which can make incorrect but previously working code stop working.
Previously one would often run into problems only when inlining happened, but with the IPA modref optimization it can trigger only if the function definition and callers are visible to the compiler at the same time (and with LTO that is the case quite often).
Anyway, if that helps, it would be better to fix the code rather than find workarounds.

Comment 8 Jakub Jelen 2021-02-23 16:15:14 UTC

*** Bug 1931127 has been marked as a duplicate of this bug. ***

Comment 9 Florian Weimer 2021-02-23 16:21:47 UTC

So looking at this code as an example:

static int
__pkcs15_create_prkey_object(struct pkcs15_fw_data *fw_data,
	struct sc_pkcs15_object *prkey, struct pkcs15_any_object **prkey_object)
{
	struct pkcs15_prkey_object *object = NULL;
	int rv;

	rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
			prkey, &pkcs15_prkey_ops, sizeof(struct pkcs15_prkey_object));
	if (rv >= 0)
		object->prv_info = (struct sc_pkcs15_prkey_info *) prkey->data;

	if (prkey_object != NULL)
		*prkey_object = (struct pkcs15_any_object *) object;

	return rv;
}

It should probably be written like this:

static int
__pkcs15_create_prkey_object(struct pkcs15_fw_data *fw_data,
	struct sc_pkcs15_object *prkey, struct pkcs15_any_object **prkey_object)
{
	struct pkcs15_any_object *any_object = NULL;
	struct pkcs15_prkey_object *object;
	int rv;

	rv = __pkcs15_create_object(fw_data, &any_object,
			prkey, &pkcs15_prkey_ops, sizeof(struct pkcs15_prkey_object));
        object = (struct pkcs15_any_object *) any_object;
	if (rv >= 0)
		object->prv_info = (struct sc_pkcs15_prkey_info *) prkey->data;

	if (prkey_object != NULL)
		*prkey_object = any_object;

	return rv;
}

So change the pointer type to what is being written by the called function, and cast the pointer value afterwards to the expected type. This avoids the immediate aliasing violation.

Comment 10 Jakub Jelen 2021-02-23 18:45:20 UTC

Thank you for the pointers. I am afraid there are many places like that in opensc that would need some love. As already said, this code is mostly untouched since 2003. If it is invalid construct, would it make sense to have some check/warning/error to simplify detection of these? If I am right, I did not see any in the builds using previous versions nor with the current version of gcc so the crashes come out of the blue.

I tried with -fno-strict-aliasing but without any improvement (not sure if I managed to override the rpms defaults though). Trying to pass -fno-ipa-modref to LDFLAGS did not look like helping either. Hoping I passed it correctly to the build:

libtool: install: (cd /tmp/tmp.fW2f0RJCAp/opensc/opensc-0.21.0/src/pkcs11; /bin/sh "/tmp/tmp.fW2f0RJCAp/opensc/opensc-0.21.0/libtool"  --tag CC --mode=relink gcc -DMODULE_APP_NAME=\"onepin-opensc-pkcs11\" -pthread -DPKCS11_THREAD_LOCKING -Wall -Wextra -Wno-unused-parameter -Werror -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -export-symbols ./pkcs11.exports -module -shared -avoid-version -no-undefined -fno-ipa-modref -o onepin-opensc-pkcs11.la -rpath /usr/lib64 onepin_opensc_pkcs11_la-pkcs11-global.lo onepin_opensc_pkcs11_la-pkcs11-session.lo onepin_opensc_pkcs11_la-pkcs11-object.lo onepin_opensc_pkcs11_la-misc.lo onepin_opensc_pkcs11_la-slot.lo onepin_opensc_pkcs11_la-mechanism.lo onepin_opensc_pkcs11_la-openssl.lo onepin_opensc_pkcs11_la-framework-pkcs15.lo onepin_opensc_pkcs11_la-framework-pkcs15init.lo onepin_opensc_pkcs11_la-debug.lo onepin_opensc_pkcs11_la-pkcs11-display.lo ../../src/libopensc/libopensc.la ../../src/common/libscdl.la ../../src/common/libcompat.la -lcrypto -ldl -inst-prefix-dir /root/rpmbuild/BUILDROOT/opensc-0.21.0-2.fc35.x86_64)

Indeed, application of the variation of the patch provided by florian allows the code execution to continue letting it crash a bit further on similar construct:

diff -up opensc-0.21.0/src/pkcs11/framework-pkcs15.c.gcc11 opensc-0.21.0/src/pkcs11/framework-pkcs15.c
--- opensc-0.21.0/src/pkcs11/framework-pkcs15.c.gcc11	2021-02-23 18:35:19.563000000 +0000
+++ opensc-0.21.0/src/pkcs11/framework-pkcs15.c	2021-02-23 18:36:49.075000000 +0000
@@ -776,16 +776,18 @@ static int
 __pkcs15_create_prkey_object(struct pkcs15_fw_data *fw_data,
 	struct sc_pkcs15_object *prkey, struct pkcs15_any_object **prkey_object)
 {
+	struct pkcs15_any_object *any_object = NULL;
 	struct pkcs15_prkey_object *object = NULL;
 	int rv;
 
-	rv = __pkcs15_create_object(fw_data, (struct pkcs15_any_object **) &object,
+	rv = __pkcs15_create_object(fw_data, &any_object,
 			prkey, &pkcs15_prkey_ops, sizeof(struct pkcs15_prkey_object));
+	object = (struct pkcs15_prkey_object *) any_object;
 	if (rv >= 0)
 		object->prv_info = (struct sc_pkcs15_prkey_info *) prkey->data;
 
 	if (prkey_object != NULL)
-		*prkey_object = (struct pkcs15_any_object *) object;
+		*prkey_object = any_object;
 
 	return rv;
 }


Let me hunt the issues down, but my concern is that there might be dozens of packages in fedora that will segfault on something like this completely silently and unexpectedly.

Comment 11 Florian Weimer 2021-02-23 18:58:42 UTC

Both flags are compiler flags, not linker flags. But I guess with LTO, it doesn't hurt to repeat the flags in both places. (libtool may strip them, though.)

This should inject the flags into configure:

diff --git a/opensc.spec b/opensc.spec
index 786b307..285aa1b 100644
--- a/opensc.spec
+++ b/opensc.spec
@@ -73,6 +73,9 @@ autoreconf -fvi
 sed -i -e 's/opensc.conf/opensc-%{_arch}.conf/g' src/libopensc/Makefile.in
 %endif
 sed -i -e 's|"/lib /usr/lib\b|"/%{_lib} %{_libdir}|' configure # lib64 rpaths
+%set_build_flags
+CFLAGS="$CFLAGS -fno-strict-aliasing"
+LDFLAGS="$LDFLAGS -fno-strict-aliasing"
 %configure  --disable-static \
   --disable-autostart-items \
   --disable-notify \

See: https://src.fedoraproject.org/rpms/redhat-rpm-config//blob/rawhide/f/buildflags.md

Comment 12 Jakub Jelen 2021-02-23 19:04:51 UTC

I tried exactly that (oh .. forgot the %set_build_flags) but configure choked on this in CFLAGS for some reason.

So far testing with the following changes looks like working, at least for basic use case so I will update opensc with these changes if I will not find some other issues in the further testing.

https://github.com/OpenSC/OpenSC/pull/2241

Comment 13 Jakub Jelinek 2021-02-23 19:06:03 UTC

Both -f{,no-}strict-aliasing and -f{,no-}ipa-modref options are Optimization options, so for LTO
don't need to be repeated on the link line (can be, but will have no effect there).
If there is any C++ code, it would need to add it to CXXFLAGS too.
As for warning option, GCC has -Wstrict-aliasing{,=1,=2,=3} options, those don't warn on where the actual bug is (reading or writing an object through different effective type from its dynamic type), but warn on pointer casts that could be problematic.
E.g. the above code even without the patch could be just fine if __pkcs15_create_object cast it back to the struct pkcs15_prkey_object ** type and stored through that pointer.
But if it (expectedly) stores through the type of the argument (i.e. just *pobject), then it will be invalid.

Comment 14 Jakub Jelen 2021-02-23 20:30:07 UTC

The build and basic tests seems to work fine [1] so I am building update for rawhide and f34.

Is there something else we would like to do in this bugzilla on gcc side or should I move it back to opensc and close?

[1] https://src.fedoraproject.org/rpms/opensc/pull-request/11

Comment 15 Fedora Update System 2021-02-23 22:36:50 UTC

FEDORA-2021-c8d58d8c39 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-c8d58d8c39

Comment 16 Fedora Blocker Bugs Application 2021-02-24 07:55:11 UTC

Proposed as a Freeze Exception for 34-beta by Fedora user zbyszek using the blocker tracking app because:

 Breaks basic functionality of the system (firefox, evolution, …) with certain hardware (fairly common yubikey types).

Comment 17 Jakub Jelinek 2021-02-24 10:26:33 UTC

Just checked and it is -Wstrict-aliasing=2 level that is needed, -Wstrict-aliasing=3 (included in -Wall) doesn't warn about the cast.

Comment 18 Fedora Update System 2021-02-24 19:17:17 UTC

FEDORA-2021-c8d58d8c39 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-c8d58d8c39`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-c8d58d8c39

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Vít Ondruch 2021-02-24 19:34:57 UTC

It seems that opensc-0.21.0-3.fc35.x86_64 fixed the issues for me on Fedora Rawhide. Thx.

Comment 20 Adam Williamson 2021-02-25 01:53:54 UTC

+3 in https://pagure.io/fedora-qa/blocker-review/issue/251 , marking accepted.

Comment 21 Jakub Jelen 2021-02-25 19:34:20 UTC

Jakub, can you have a look to the upstream discussion of this issue? I tried to introduce the -Wstrict-aliasing=2 to our CI in upstream, but it is hugely outdated, running some old gcc 5 and reporting some issues that I do not understand. These issues are not reported by either gcc 10 nor 11 I tried for building current versions of opensc in Fedora.

https://github.com/OpenSC/OpenSC/pull/2241#issuecomment-786148183

Comment 22 Fedora Update System 2021-02-25 19:46:40 UTC

FEDORA-2021-a2d338ffb5 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-a2d338ffb5

Comment 23 Fedora Update System 2021-02-25 23:45:51 UTC

FEDORA-2021-a2d338ffb5 has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-a2d338ffb5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-a2d338ffb5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 24 Fedora Update System 2021-03-02 04:37:34 UTC

FEDORA-2021-a2d338ffb5 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.