Ubuntu 17.10 - opencryptoki 3.7.0 segmentation fault on pkcsconf -t
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
High
|
Dimitri John Ledkov | ||
opencryptoki (Ubuntu) |
Fix Released
|
Undecided
|
Skipper Bug Screeners | ||
Artful |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Undecided
|
Skipper Bug Screeners | ||
Cosmic |
Fix Released
|
Undecided
|
Skipper Bug Screeners |
Bug Description
[Impact]
* Impossible to use multiple different token types in opencryptoki.
[Test Case]
* Ensure one has a system with multiple tokens configured. E.g. s390x with ICA and SoftTok.
* Execute $ pkcsconf -t
* The model for two tokens should be different e.g.:
$ pkcsconf -t | grep Model
Model: IBM ICA
Model: IBM SoftTok
On broken systems, whichever token is loaded first is repeated for all subsequent tokens.
[Regression Potential]
* No code changes are done. It appears that the code relies on dynamically loading and rebinding functions, yet that is not possible to do with distribution default linker flag -Wl,-Bsymbolic-
[Other Info]
* The fix for this issue is similar to what has been employed previously. E.g. in https:/
[Original Bug report]
Running Ubuntu 17.10 on a zVM s390x environment with opencryptoki 3.7 installed via apt, the command pkcsconf -t gives a segmentation fault.
We did some tests (all on a zVM):
1. On a debian testing installation: the opencryptoki 3.7.0+dfsg-4 package works as expected.
2. On a ubuntu 17.04 installation: the opencryptoki (3.6.2+dfsg-1 that is available on the repo) package works as expected.
3. On a ubuntu 17.10 installation: opencryptoki 3.7.0+dfsg-4 gives segmentation fault (pkcsconf -t)
4. On a ubuntu 17.10 installation: downloading building opencryptoki 3.7.0 from Github manually and installing it, works as expected.
5. On a ubuntu 17.10 installation: installing opencryptoki 3.7.0+dfsg-4 package from debian testing repository, work as expected.
It seems that opencryptoki 3.7.0+dfsg-4 package from Ubuntu was built differently compared to Debian. We believe that the build was done incorrectly and is causing the pkcsconf -t command to segfault.
Could you guys verify how the package is being built and compare it to debian's opencryptoki package?
Machine Type = zVM s390x
---Steps to Reproduce---
#apt-get install opencryptoki
#pkcsconf -t
Segmentation fault
---Patches Installed---
na
---uname output---
Linux 4.13.0-16-generic #19-Ubuntu SMP Wed Oct 11 18:33:05 UTC 2017 s390x s390x s390x GNU/Linux
---Debugger---
A debugger is not configured
Userspace tool common name: opencryptoki
Userspace rpm: opencryptoki_
The userspace tool has the following bit modes: 64-bit
Userspace tool obtained from project website: na
-Attach ltrace and strace of userspace application.
tags: | added: architecture-s39064 bugnameltc-160151 severity-high targetmilestone-inin1710 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → opencryptoki (Ubuntu) |
Changed in ubuntu-z-systems: | |
importance: | Undecided → High |
assignee: | nobody → Dimitri John Ledkov (xnox) |
Changed in opencryptoki (Ubuntu): | |
status: | New → Confirmed |
Changed in ubuntu-z-systems: | |
status: | New → Confirmed |
tags: | added: regression-release |
tags: | added: artful |
Changed in opencryptoki (Ubuntu Bionic): | |
status: | Confirmed → Fix Released |
Changed in ubuntu-z-systems: | |
status: | Confirmed → In Progress |
tags: | added: id-5a7c406f0e36154d1ca6f7e6 |
description: | updated |
Changed in opencryptoki (Ubuntu Bionic): | |
status: | Confirmed → In Progress |
Changed in opencryptoki (Ubuntu Artful): | |
status: | Confirmed → In Progress |
Changed in ubuntu-z-systems: | |
status: | Confirmed → In Progress |
Changed in opencryptoki (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2017-10-20 09:58 EDT-------
Hello Frank,
you might want to run 'id' to see if your user is member of the pkcs11 group. Further ensure the pkcsslotd is started.
Thanks,
Christian