regression: sbsign crashes while signing an (EFI) image
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
sbsigntool (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Reproduction:
Try signing a file using sbsign where the key is stored on a YubiKey; it will crash:
```
sbsign --engine pkcs11 --key 'pkcs11:
```
gdb shows this backtrace:
```
Thread 1 "sbsign" received signal SIGSEGV, Segmentation fault.
0x00007ffff7faf1fe in ?? () from /usr/lib/
(gdb) bt
#0 0x00007ffff7faf1fe in ?? () from /usr/lib/
#1 0x00007ffff7faf962 in ?? () from /usr/lib/
#2 0x00007ffff7fb5567 in ?? () from /usr/lib/
#3 0x00007ffff7fb58b0 in ?? () from /usr/lib/
#4 0x00007ffff7fb3731 in ?? () from /usr/lib/
#5 0x00007ffff7fb37bb in ?? () from /usr/lib/
#6 0x00007ffff7d1eed6 in RSA_sign (type=<optimised out>, m=m@entry=
sigret=
#7 0x00007ffff7d1d5a2 in pkey_rsa_sign (ctx=0x5555555e
tbs=
#8 0x00007ffff7c06817 in EVP_DigestSignFinal (ctx=ctx@
#9 0x00007ffff7cfdcbc in PKCS7_SIGNER_
#10 0x00007ffff7cfdf9d in do_pkcs7_
#11 PKCS7_dataFinal (p7=p7@
#12 0x0000555555557c40 in IDC_set (image=<optimised out>, si=0x5555555a85f0, p7=0x5555555f3520) at /usr/src/
#13 main (argc=<optimised out>, argv=<optimised out>) at /usr/src/
(gdb)
```
It is likely that pkcs11.so is a "red herring" because I tried replacing the library with an older library from a docker image (`docker cp old_image /usr/lib/
These are the logs just before the crash:
```
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] ctx.c:1066:
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] reader-
fish: Job 1, 'sbsign --engine pkcs11 --key 'p…' terminated by signal SIGSEGV (Address boundary error)
```
Logs were collected with `set -x OPENSC_DEBUG 9`. See more logs here: https:/
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: sbsigntool 0.9.4-3.1ubuntu7
ProcVersionSign
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelMo
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: KDE
Date: Sat May 25 16:30:00 2024
InstallationDate: Installed on 2023-08-15 (284 days ago)
InstallationMedia: Kubuntu 23.10 "Mantic Minotaur" - Daily amd64 (20230815)
SourcePackage: sbsigntool
UpgradeStatus: Upgraded to noble on 2024-05-24 (1 days ago)