Public bug reported:

Reproduction:

Try signing a file using sbsign where the key is stored on a YubiKey; it
will crash:

```
sbsign --engine pkcs11 --key 'pkcs11:manufacturer=piv_II;id=%02' \
  --cert ./sb/db.crt --output ./sb/secboot-linux-latest.efi.signed \
  ./sb/secboot-linux-latest.efi
```

gdb shows this backtrace:

```
Thread 1 "sbsign" received signal SIGSEGV, Segmentation fault.
0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
(gdb) bt
#0  0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#1  0x00007ffff7faf962 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#2  0x00007ffff7fb5567 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#3  0x00007ffff7fb58b0 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#4  0x00007ffff7fb3731 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#5  0x00007ffff7fb37bb in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#6  0x00007ffff7d1eed6 in RSA_sign (type=<optimised out>, m=m@entry=0x7fffffffdb80 "\224t&n\257>Y$\377...", m_len=m_len@entry=32,
    sigret=sigret@entry=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdb14, rsa=rsa@entry=0x5555555f4270) at ../crypto/rsa/rsa_sign.c:309
#7  0x00007ffff7d1d5a2 in pkey_rsa_sign (ctx=0x5555555eb5d0, sig=0x5555555f89a0 "\330\322\n", siglen=0x7fffffffdc30,
    tbs=0x7fffffffdb80 "\224t&n\257>Y$\377...", tbslen=32) at ../crypto/rsa/rsa_pmeth.c:180
#8  0x00007ffff7c06817 in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555d8c50, sigret=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdc30) at ../crypto/evp/m_sigver.c:560
#9  0x00007ffff7cfdcbc in PKCS7_SIGNER_INFO_sign (si=si@entry=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:952
#10 0x00007ffff7cfdf9d in do_pkcs7_signed_attrib (mctx=<optimised out>, si=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:728
#11 PKCS7_dataFinal (p7=p7@entry=0x5555555f3520, bio=bio@entry=0x5555555a8640) at ../crypto/pkcs7/pk7_doit.c:850
#12 0x0000555555557c40 in IDC_set (image=<optimised out>, si=0x5555555a85f0, p7=0x5555555f3520) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/idc.c:216
#13 main (argc=<optimised out>, argv=<optimised out>) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/sbsign.c:274
(gdb)
```

It is likely that pkcs11.so is a "red herring" because I tried replacing
the library with an older library from a docker image (`docker cp
old_image /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so`) and it did NOT
fix the issue.


These are logs just before crash:

```
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x4)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x4) 0
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x5)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x5) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x6)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x6) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x7)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x7) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] ctx.c:1066:sc_release_context: called
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] reader-pcsc.c:978:pcsc_finish: called
fish: Job 1, 'sbsign --engine pkcs11 --key 'p…' terminated by signal SIGSEGV (Address boundary error)
```

Logs were collected with `set -x OPENSC_DEBUG 9`. See more logs here:
https://0bin.net/paste/4-TdVHy4#f8e68wCZrtty55tjhLKAFpA2YeSQ2jl9AopYJXf3J5-

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: sbsigntool 0.9.4-3.1ubuntu7
ProcVersionSignature: Ubuntu 6.8.0-31.31-generic 6.8.1
Uname: Linux 6.8.0-31-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: KDE
Date: Sat May 25 16:30:00 2024
InstallationDate: Installed on 2023-08-15 (284 days ago)
InstallationMedia: Kubuntu 23.10 "Mantic Minotaur" - Daily amd64 (20230815)
SourcePackage: sbsigntool
UpgradeStatus: Upgraded to noble on 2024-05-24 (1 days ago)

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble

** Summary changed:

- regression: sbsign crashes while signing unified EFI image
+ regression: sbsign crashes while signing an (EFI) image

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2067163

Title:
  regression: sbsign crashes while signing an (EFI) image

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/2067163/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
