Ubuntu 17.10 - opencryptoki 3.7.0 segmentation fault on pkcsconf -t

Bug #1725250 reported by bugproxy on 2017-10-20
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Ubuntu on IBM z Systems
Dimitri John Ledkov
opencryptoki (Ubuntu)
Status tracked in Bionic
Skipper Bug Screeners

Bug Description

Running Ubuntu 17.10 on a zVM s390x environment with opencryptoki 3.7 installed via apt, the command pkcsconf -t gives a segmentation fault.

We did some tests (all on a zVM):
1. On a debian testing installation: the opencryptoki 3.7.0+dfsg-4 package works as expected.
2. On a ubuntu 17.04 installation: the opencryptoki (3.6.2+dfsg-1 that is available on the repo) package works as expected.
3. On a ubuntu 17.10 installation: opencryptoki 3.7.0+dfsg-4 gives segmentation fault (pkcsconf -t)
4. On a ubuntu 17.10 installation: downloading building opencryptoki 3.7.0 from Github manually and installing it, works as expected.
5. On a ubuntu 17.10 installation: installing opencryptoki 3.7.0+dfsg-4 package from debian testing repository, work as expected.

It seems that opencryptoki 3.7.0+dfsg-4 package from Ubuntu was built differently compared to Debian. We believe that the build was done incorrectly and is causing the pkcsconf -t command to segfault.

Could you guys verify how the package is being built and compare it to debian's opencryptoki package?

Machine Type = zVM s390x

---Steps to Reproduce---
 #apt-get install opencryptoki

#pkcsconf -t
Segmentation fault

---Patches Installed---

---uname output---
Linux 4.13.0-16-generic #19-Ubuntu SMP Wed Oct 11 18:33:05 UTC 2017 s390x s390x s390x GNU/Linux

A debugger is not configured

Userspace tool common name: opencryptoki

Userspace rpm: opencryptoki_3.7.0+dfsg-4

The userspace tool has the following bit modes: 64-bit

Userspace tool obtained from project website: na

-Attach ltrace and strace of userspace application.

bugproxy (bugproxy) on 2017-10-20
tags: added: architecture-s39064 bugnameltc-160151 severity-high targetmilestone-inin1710
Changed in ubuntu:
assignee: nobody → Skipper Bug Screeners (skipper-screen-team)
affects: ubuntu → opencryptoki (Ubuntu)
Changed in ubuntu-z-systems:
importance: Undecided → High
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in opencryptoki (Ubuntu):
status: New → Confirmed
Changed in ubuntu-z-systems:
status: New → Confirmed
tags: added: regression-release
tags: added: artful

------- Comment From <email address hidden> 2017-10-20 09:58 EDT-------
Hello Frank,

you might want to run 'id' to see if your user is member of the pkcs11 group. Further ensure the pkcsslotd is started.


Frank Heimes (frank-heimes) wrote :

Hi, yepp - in between I followed the steps of the crypto paper ...

Frank Heimes (frank-heimes) wrote :

after initial install and config of pkcs11:

$ sudo apt install opencryptoki libtspi1

$ sudo usermod -aG pkcs11 ubuntu

$ grep pkcs11 /etc/group

$ sudo systemctl enable pkcsslotd.service
Synchronizing state of pkcsslotd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable pkcsslotd

$ sudo systemctl start pkcsslotd.service

$ sudo pkcsconf
usage: pkcsconf [-itsmIupPh] [-c slotnumber -U userPIN -S SOPin -n newpin]
 -i display PKCS11 info
 -t display token info
 -s display slot info
 -m display mechanism list
 -l display slot description
 -I initialize token
 -u initialize user PIN
 -p set the user PIN
 -P set the SO PIN
 -h show this help

$ sudo pkcsconf -t
Segmentation fault

$ sudo pkcsconf -i
PKCS#11 Info
 Version 2.20
 Manufacturer: IBM
 Flags: 0x0
 Library Description: Meta PKCS11 LIBRARY
 Library Version 3.7
Segmentation fault

$ sudo pkcsconf -s
Slot #1 Info
 Description: Linux
 Manufacturer: IBM
 Flags: 0x1 (TOKEN_PRESENT)
 Hardware Version: 0.0
 Firmware Version: 0.0
Slot #2 Info
 Description: Linux
 Manufacturer: IBM
 Flags: 0x1 (TOKEN_PRESENT)
 Hardware Version: 0.0
 Firmware Version: 0.0
Slot #3 Info
 Description: Linux
 Manufacturer: IBM
 Flags: 0x1 (TOKEN_PRESENT)
 Hardware Version: 0.0
 Firmware Version: 0.0
Segmentation fault

Frank Heimes (frank-heimes) wrote :

16.04.3 and 17.04 are not affected

Dimitri John Ledkov (xnox) wrote :

18.04 has 3.8.1+dfsg-3 now, does that one work ok? And thus is this fix released in 18.04 bionic?

Frank Heimes (frank-heimes) wrote :

pkcsconf on bionic works - see attachment
so a no-change rebuild on artful should be fine

Changed in opencryptoki (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in ubuntu-z-systems:
status: Confirmed → In Progress
Dimitri John Ledkov (xnox) wrote :

Could you please if upgrading Artful to this PPA https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3083 resolves the issue for you on Artful too?

Changed in opencryptoki (Ubuntu Artful):
status: New → In Progress
Frank Heimes (frank-heimes) wrote :

unfortunately I still get the segfault with the package from the PPA
for details see attached file

Frank Heimes (frank-heimes) wrote :
tags: added: id-5a7c406f0e36154d1ca6f7e6
Frank Heimes (frank-heimes) wrote :

bisect required from 3.7.0 to 3.8.1 to identify when the fix got introduced.

Default Comment by Bridge

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers