sbsign crashes randomly

Bug #1574372 reported by Rod Smith on 2016-04-24
This bug affects 7 people
Affects: sbsigntool (Ubuntu); Importance: Undecided; Assigned to: Unassigned

Bug Description

The sbsign program in Ubuntu 16.04 is segfaulting randomly:

root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
warning: overwriting existing signature
Segmentation fault (core dumped)
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
root@gil:/home/ubuntu# /usr/bin/sbsign --key //etc/refind.d/keys/refind_local.key --cert //etc/refind.d/keys/refind_local.crt --output /tmp/refind_local/refind_x64.efi /usr/share/refind/refind/refind_x64.efi
warning: data remaining[204288 vs 227742]: gaps between PE/COFF sections?
warning: data remaining[204288 vs 227744]: gaps between PE/COFF sections?
warning: overwriting existing signature
Segmentation fault (core dumped)

Note that on two of those five runs, the program segfaulted. This problem is new with Ubuntu 16.04; it did not occur with Ubuntu 16.04 or 15.10.

Here's my version information:

$ lsb_release -rd
Description: Ubuntu 16.04 LTS
Release: 16.04

$ apt-cache policy sbsigntool
sbsigntool:
  Installed: 0.6-0ubuntu10
  Candidate: 0.6-0ubuntu10
  Version table:
 *** 0.6-0ubuntu10 500
        500 http://nessus.rodsbooks.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

I'm attaching a crash dump from /var/crash.

Rod Smith (rodsmith) wrote :

s/it did not occur with Ubuntu 16.04/it did not occur with Ubuntu 14.04/

Sorry for the typo.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sbsigntool (Ubuntu):
status: New → Confirmed

David Pitcher (dp1312) wrote :

Can confirm same problem. Happy to upload crash dump as well if it'll help, but don't know how to gain permission from root.

James Johnston (mail-codenest) wrote :

I am also having this problem on Ubuntu 16.04. I was not having this problem in 15.10 so maybe it's a regression. I'm attaching a test case that fails for me on Ubuntu 16.04 with sbsigntool 0.6-0ubuntu10, libssl1.0.0 1.0.2g-1ubuntu4.1.

It's truly random because successive invocations of sbsign with identical parameters may or may not crash. Obviously some undefined behavior. If it fails, I get this error:

warning: overwriting existing signature
Segmentation fault (core dumped)

The warning is in error, because there is NOT an existing signature. This random misidentification is probably part of the problem.

James Johnston (mail-codenest) wrote :
  • db.crt (1.1 KiB, application/x-x509-ca-cert)
James Johnston (mail-codenest) wrote :

To reproduce with the above test files, run:

sbsign --key pvkey --cert db.crt --output testoutput.efi securegrubx64.efi

If it works, just run it again until it doesn't. Again note that the EFI I posted is NOT signed, yet sometimes the tool incorrectly warns that it is, and then segfaults.
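
A small harness for the "run it again until it doesn't" reproduction in this thread, added here as an example and not part of the original report or of sbsigntool. It runs the command a fixed number of times and counts runs killed by a signal and runs that print the "overwriting existing signature" warning; the function name count_crashes is hypothetical.

```shell
#!/bin/sh
# Added example: measure how often a nondeterministic command crashes.
# Usage (file names taken from the reproduction comment in this thread):
#   sh crashrate.sh 50 sbsign --key pvkey --cert db.crt \
#       --output testoutput.efi securegrubx64.efi

# count_crashes N CMD [ARGS...]   (hypothetical helper name)
# Runs CMD N times and prints: runs=N crashes=C spurious_warning=W
#   crashes          = runs killed by a signal (exit status > 128; 139 = SIGSEGV)
#   spurious_warning = runs that printed "overwriting existing signature"
count_crashes() {
    n=$1; shift
    crashes=0; warned=0; i=0
    log=$(mktemp) || return 1
    while [ "$i" -lt "$n" ]; do
        i=$((i + 1))
        status=0
        # Capture stdout and stderr of this run; keep the exit status.
        "$@" >"$log" 2>&1 || status=$?
        if [ "$status" -gt 128 ]; then
            crashes=$((crashes + 1))
            echo "run $i: killed by signal $((status - 128))" >&2
        fi
        if grep -q 'overwriting existing signature' "$log"; then
            warned=$((warned + 1))
        fi
    done
    rm -f "$log"
    echo "runs=$n crashes=$crashes spurious_warning=$warned"
}

# When invoked with arguments, treat them as: N CMD [ARGS...]
[ "$#" -eq 0 ] || count_crashes "$@"
```

If the two counters match on an unsigned input file, every crash coincided with the misidentified signature, which is the correlation the comments above describe.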
