GnuPG gpg-agent KEYTOCARD Invalid time (memory overwritten)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
gnupg2 (Ubuntu) | Confirmed | Undecided | Unassigned | | |
Bug Description
OS: Ubuntu 24.04 LTS
HW: Raspberry Pi Arm64
Related packages:
- gnupg2 2.4.4-2ubuntu17
- libassuan0:arm64 2.5.6-1build1
When I am trying to fully generate and transfer a new set of GPG private keys to my new YubiKey 5 security key, following this guide: https:/
```
gpg: KEYTOCARD failed: Invalid time
```
After some digging around, attaching gdb to the running `gpg-agent` process. I found that after the function call to `agent_
```
(gdb) bt
#0 agent_key_from_file (ctrl=0xaaab192
grip=
shadow_
r_timestamp
#1 0x0000aaaae369a538 in cmd_keytocard (ctx=0xffff7c02
#2 0x0000ffff8471a288 in dispatch_command (ctx=ctx@
line=
linelen=
#3 0x0000ffff8471a8e0 in process_request (ctx=0xffff7c02
#4 assuan_process (ctx=0xffff7c02
#5 0x0000aaaae36bcfb8 in start_command_
at ../../agent/
#6 0x0000aaaae368da70 in do_start_
#7 0x0000ffff846e1bf4 in thread_start (startup_
#8 0x0000ffff8455597c in start_thread (arg=0xffff8489
#9 0x0000ffff845bba4c in thread_start () at ../sysdeps/
(gdb) frame 1
#1 0x0000aaaae369a538 in cmd_keytocard (ctx=0xffff7c02
3278 err = agent_key_from_file (ctrl, NULL, ctrl->server_
(gdb) p argv
$16 = {0xffff7c027c9a "XXXXXXXXXXXXXX
0xffff7c027ce4 "OPENPGP.1", 0xffff7c027cee "20240524T123456", 0xaaaae36c6a80 "Assuan processing failed: %s\n"}
(gdb) watch *0xffff7c027c9a
Hardware watchpoint 9: *0xffff7c027c9a
(gdb) c
Continuing.
Downloading source file /build/
Thread 2 "gpg-agent" hit Hardware watchpoint 9: *0xffff7c027c9a
Old value = 111111111
New value = 222222222
0x0000ffff8471afd4 in assuan_inquire (ctx=ctx@
r_buffer=
at ../../src/
263 wipememory (ctx->inbound.line, LINELENGTH);
(gdb) bt
#0 0x0000ffff8471afd4 in assuan_inquire (ctx=ctx@
keyword=
r_length=
#1 0x0000aaaae36a1e2c in pinentry_loopback (ctrl=0xff, max_length=255, size=0xffff8440
keyword=
#2 agent_askpin (ctrl=ctrl@
initial_
keyinfo=
cache_
#3 0x0000aaaae36aa2f0 in agent_askpin (cache_
keyinfo=
prompt_
#4 unprotect (r_passphrase=0x0, lookup_ttl=0x0, cache_mode=
keybuf=
#5 agent_key_from_file (ctrl=0xaaab192
shadow_
r_passphras
#6 0x0000aaaae369a538 in cmd_keytocard (ctx=0xffff7c02
#7 0x0000ffff8471a288 in dispatch_command (ctx=ctx@
line@
#8 0x0000ffff8471a8e0 in process_request (ctx=0xffff7c02
#9 assuan_process (ctx=0xffff7c02
#10 0x0000aaaae36bcfb8 in start_command_
at ../../agent/
#11 0x0000aaaae368da70 in do_start_
#12 0x0000ffff846e1bf4 in thread_start (startup_
#13 0x0000ffff8455597c in start_thread (arg=0xffff8489
#14 0x0000ffff845bba4c in thread_start () at ../sysdeps/
(gdb) frame 6
#6 0x0000aaaae369a538 in cmd_keytocard (ctx=0xffff7c02
3278 err = agent_key_from_file (ctrl, NULL, ctrl->server_
(gdb) p argv
$17 = {0xffff7c027c9a "", 0xffff7c027cc3 "YYYYYYYYYYYYYY
0xffff7c027cee "20240524T123456", 0xaaaae36c6a80 "Assuan processing failed: %s\n"}
(gdb) frame 0
#0 0x0000ffff8471afd4 in assuan_inquire (ctx=ctx@
keyword=
r_length=
263 wipememory (ctx->inbound.line, LINELENGTH);
(gdb) p ctx->inbound.line
$18 = '\000' <repeats 11 times>, "AAAAAAAAAAAAAA
```
I can see from the last print result that the passphrase (AAA...) from the client has already overwritten part of the Key ID (XXX...) in the same line buffer. The `argv` variable in the context of the `cmd_keytocard` function is also using the same underlying buffer. I have no in-depth knowledge of how GnuPG is implemented. It seems to be either a gnupg2 or a libassuan0 issue, possibly also related to `--pinentry-
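The aliasing described in this report, reduced to a self-contained C sketch (an added example, not code from GnuPG, libassuan or the reporter): argument pointers that point into a reusable line buffer go stale once a nested inquiry reuses and wipes that buffer, while a private copy taken beforehand survives. `toy_ctx`, `split_args`, `toy_inquire`, `valid_isotime` and `handle_cmd` are hypothetical names, and the command line and passphrase are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LINELENGTH 128                      /* constructed size for this sketch */
struct toy_ctx { char line[LINELENGTH]; };  /* hypothetical stand-in for a server context */

/* Split the inbound line in place: every argv[i] points INTO ctx->line. */
static int split_args(struct toy_ctx *ctx, const char *cmd, char *argv[], int max) {
    int n = 0;
    snprintf(ctx->line, sizeof ctx->line, "%s", cmd);
    for (char *p = strtok(ctx->line, " "); p && n < max; p = strtok(NULL, " "))
        argv[n++] = p;
    return n;
}

/* Nested inquiry: the client's reply reuses the same line buffer, is copied
   out, and the buffer is then wiped because it held a secret. */
static void toy_inquire(struct toy_ctx *ctx, const char *reply, char *out, size_t len) {
    snprintf(ctx->line, sizeof ctx->line, "%s", reply);
    snprintf(out, len, "%s", ctx->line);
    memset(ctx->line, 0, sizeof ctx->line);
}

/* Accepts only YYYYMMDDTHHMMSS, the timestamp form shown in the gdb session. */
static int valid_isotime(const char *s) {
    if (strlen(s) != 15 || s[8] != 'T') return 0;
    for (int i = 0; i < 15; i++)
        if (i != 8 && !isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* copy_first = 0: read argv[3] after the inquiry (aliased, now stale).
   copy_first = 1: take a private copy of argv[3] before the inquiry. */
static int handle_cmd(const char *cmd, const char *pin, int copy_first) {
    struct toy_ctx ctx; char *argv[4]; char stamp[32]; char secret[64];
    if (split_args(&ctx, cmd, argv, 4) != 4) return -2;
    if (copy_first) snprintf(stamp, sizeof stamp, "%s", argv[3]);
    toy_inquire(&ctx, pin, secret, sizeof secret);
    if (!copy_first) snprintf(stamp, sizeof stamp, "%s", argv[3]);
    return valid_isotime(stamp) ? 0 : -1;   /* -1 models "Invalid time" */
}

int main(void) {
    const char *cmd = "KEYGRIP-PLACEHOLDER SERIAL-PLACEHOLDER OPENPGP.1 20240524T123456";
    printf("aliased argv: %d\n", handle_cmd(cmd, "constructed-passphrase", 0));
    printf("copied argv:  %d\n", handle_cmd(cmd, "constructed-passphrase", 1));
    return 0;
}
```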
information type: Private Security → Public
Changed in gnupg2 (Ubuntu):
status: New → Confirmed
Thank you for your bug report. Seems you are not the only one, it's discussed also on https://www.reddit.com/r/yubikey/comments/1b5pjzq/strange_gpg_error_when_using_keytocard/ and might be worth reporting upstream on https://dev.gnupg.org/maniphest/task/edit/form/3/