Issue1320: SIGBUS running `gpg-agent --daemon`
Fabian Keil
freebsd-listen at fabiankeil.de
Thu Apr 28 19:20:09 CEST 2011
I ran into https://bugs.g10code.com/gnupg/issue1320 but
apparently I'm not allowed to comment there.
I think the problem is caused by this chunk from the
gpgtar backport 4d364ade61952b7:
diff --git a/common/estream.c b/common/estream.c
index 4015905..3ab68b5 100644
--- a/common/estream.c
+++ b/common/estream.c
[...]
@@ -368,15 +453,18 @@ static int
es_init_do (void)
{
-#ifdef HAVE_PTH
static int initialized;
if (!initialized)
{
+#ifdef HAVE_PTH
if (!pth_init () && errno != EPERM )
return -1;
if (pth_mutex_init (&estream_list_lock))
initialized = 1;
- }
+#else
+ initialized = 1;
#endif
+ atexit (es_deinit);
+ }
return 0;
}
In the "gpg-agent --daemon" case, main() calls pth_kill()
after the client has been forked, so when es_deinit() is
called on exit, acquiring the estream_list_lock seems to
cause pth to dereference a pointer located in a memory
region that has previously been free()'d.
The attached patch (against 2.0.17) prevents the crashes by
not locking the list when flushing the content through es_deinit().
I created it based on the assumption that locking isn't necessary in
that situation, is that correct?
Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.0.17-Do-not-lock-the-es_list-when-flushing-it-from-es_dei.patch
Type: text/x-patch
Size: 1459 bytes
Desc: not available
URL: </pipermail/attachments/20110428/45b5b345/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: </pipermail/attachments/20110428/45b5b345/attachment.pgp>
More information about the Gnupg-devel
mailing list