Issue1320: SIGBUS running `gpg-agent --daemon`

Fabian Keil freebsd-listen at fabiankeil.de
Thu Apr 28 19:20:09 CEST 2011


I ran into https://bugs.g10code.com/gnupg/issue1320 but
apparently I'm not allowed to comment there.

I think the problem is caused by this chunk from the
gpgtar backport 4d364ade61952b7:

diff --git a/common/estream.c b/common/estream.c
index 4015905..3ab68b5 100644
--- a/common/estream.c
+++ b/common/estream.c
[...]
@@ -368,15 +453,18 @@ static int
 es_init_do (void)
 {
-#ifdef HAVE_PTH
   static int initialized;
 
   if (!initialized)
     {
+#ifdef HAVE_PTH
       if (!pth_init () && errno != EPERM )
         return -1;
       if (pth_mutex_init (&estream_list_lock))
         initialized = 1;
-    }
+#else
+      initialized = 1;
 #endif
+      atexit (es_deinit);  
+    }
   return 0;
 }
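Review bot: atexit (es_deinit) is registered even when initialization did not succeed. Under HAVE_PTH, if pth_mutex_init (&estream_list_lock) fails, initialized stays 0, yet the atexit call placed after #endif still runs inside the if block, and the next es_init_do call registers es_deinit a second time; at exit es_deinit would then run repeatedly against a lock that was never set up. Move the registration into the success path, e.g. `if (pth_mutex_init (&estream_list_lock)) { initialized = 1; atexit (es_deinit); }`, with the non-PTH branch doing the same, and check atexit's return value rather than ignoring it. Since the handler runs at exit, after any pth_kill () that main () performs, es_deinit cannot assume estream_list_lock is still usable, which is the crash described in this mail. Minor: the `atexit (es_deinit);` line carries trailing whitespace.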

In the "gpg-agent --daemon" case, main() calls pth_kill()
after the client has been forked, so when es_deinit() is
called on exit, acquiring the estream_list_lock seems to
cause pth to dereference a pointer located in a memory
region that has previously been free()'d.

The attached patch (against 2.0.17) prevents the crashes by
not locking the list when flushing the content through es_deinit().
I created it based on the assumption that locking isn't necessary in
that situation, is that correct?

Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnupg-2.0.17-Do-not-lock-the-es_list-when-flushing-it-from-es_dei.patch
Type: text/x-patch
Size: 1459 bytes
Desc: not available
URL: </pipermail/attachments/20110428/45b5b345/attachment.bin>
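The ordering problem described above, modelled as an added C example (not GnuPG or GNU Pth code): a stand-in runtime owns a heap-allocated list lock, `rt_kill()` frees it the way `pth_kill()` tears down pth's state, and the exit-time flush is run either with the lock (as in the backported hunk) or without it (as the attached patch proposes). All names here (`rt_init`, `rt_kill`, `rt_mutex_acquire`, `es_open`, `run_scenario`, the stream layout) are assumptions for the model; the real pth mutex has no liveness check and dereferences freed memory where this model returns -1.

```c
/* Added example (not GnuPG or pth code): models the gpg-agent --daemon
 * exit sequence from the mail. Names and data layout are stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One buffered stream; 'pending' bytes are written out by a flush. */
struct stream {
  char buf[64];
  size_t pending;
  struct stream *next;
};

/* Stand-in for pth's mutex, heap-backed so that killing the runtime
 * really frees it, as pth_kill () frees pth's internal state. */
struct rt_mutex { int held; };

static struct rt_mutex *estream_list_lock;  /* NULL once the runtime is dead */
static struct stream *estream_list;
static int estream_initialized;

static int rt_init(void) {
  estream_list_lock = calloc(1, sizeof *estream_list_lock);
  return estream_list_lock ? 0 : -1;
}

static void rt_kill(void) {          /* models pth_kill () */
  free(estream_list_lock);
  estream_list_lock = NULL;
}

/* 0 on success, -1 if the lock's storage is gone. Real pth has no such
 * check: after pth_kill () it would touch freed memory here. */
static int rt_mutex_acquire(void) {
  if (!estream_list_lock) return -1;
  estream_list_lock->held = 1;
  return 0;
}

static void rt_mutex_release(void) {
  if (estream_list_lock) estream_list_lock->held = 0;
}

static int es_init_do(void) {
  if (!estream_initialized) {
    if (rt_init()) return -1;
    estream_initialized = 1;
  }
  return 0;
}

/* Register a stream holding 'text' as unflushed data. */
static struct stream *es_open(const char *text) {
  struct stream *s = calloc(1, sizeof *s);
  if (!s) return NULL;
  s->pending = strlen(text);
  if (s->pending >= sizeof s->buf) s->pending = sizeof s->buf - 1;
  memcpy(s->buf, text, s->pending);
  s->next = estream_list;
  estream_list = s;
  return s;
}

static size_t es_flush_all(void) {
  size_t n = 0;
  for (struct stream *s = estream_list; s; s = s->next) {
    n += s->pending;
    s->pending = 0;
  }
  return n;
}

/* Deinit as in the backported hunk: take the list lock before flushing.
 * Returns bytes flushed, or -1 when the lock cannot be acquired. */
static long es_deinit_locked(void) {
  if (rt_mutex_acquire()) return -1;
  size_t n = es_flush_all();
  rt_mutex_release();
  return (long)n;
}

/* Deinit as the attached patch proposes: flush without locking. Sound
 * only when no other thread can touch the list, which is the case in
 * an exit handler running after pth_kill (). */
static long es_deinit_unlocked(void) {
  return (long)es_flush_all();
}

static void es_free_all(void) {
  while (estream_list) {
    struct stream *s = estream_list;
    estream_list = s->next;
    free(s);
  }
}

/* init, open two streams, optionally kill the runtime (main () calling
 * pth_kill ()), then run the exit-time flush. Returns bytes flushed,
 * -1 if the locked variant met the dead lock, -2 if init failed. */
static long run_scenario(int kill_runtime, int lock_in_deinit) {
  long result;
  estream_initialized = 0;
  if (es_init_do()) return -2;
  es_open("hello");
  es_open("world!");
  if (kill_runtime) rt_kill();
  result = lock_in_deinit ? es_deinit_locked() : es_deinit_unlocked();
  es_free_all();
  if (!kill_runtime) rt_kill();
  return result;
}

int main(void) {
  printf("no kill, locked deinit:    %ld\n", run_scenario(0, 1));
  printf("pth_kill, locked deinit:   %ld\n", run_scenario(1, 1));
  printf("pth_kill, unlocked deinit: %ld\n", run_scenario(1, 0));
  return 0;
}
```

The first scenario flushes 11 bytes with the lock intact; the second reproduces the mail's sequence and fails at the lock because the runtime is already gone; the third flushes the same 11 bytes without touching the lock, which is what the patch relies on. The model only shows that the unlocked flush is correct once no other thread exists; it does not address the double registration of the atexit handler that the hunk allows when initialization fails.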