Android gpg-agent crashes in libgcrypt when signing, decrypting, importing secret keys

Hans-Christoph Steiner hans at
Tue Jan 28 20:41:39 CET 2014

On 01/25/2014 05:16 AM, Jussi Kivilinna wrote:
> On 20.01.2014 17:39, Hans-Christoph Steiner wrote:
>> On 01/19/2014 04:25 AM, Jussi Kivilinna wrote:
>>> On 19.01.2014 06:08, Hans-Christoph Steiner wrote:
>>>> On 01/18/2014 06:31 AM, Jussi Kivilinna wrote:
>>>>> On 17.01.2014 20:34, Hans-Christoph Steiner wrote:
>>>>>> On GPG for Android, I've updated to the latest libgcrypt in master (or close
>>>>>> to it, its commit 4b7db51ad5d1bf98fd08ca3048f258059eca61a4).  Now it seems
>>>>>> that any operation that needs a passphrase is crashing somewhere in libgcrypt.
>>>>>>  I've tried building with auto-detection of CPU which enables Padlock, Intelt
>>>>>> DRNG, and NEON.  I also tried with --disable-padlock-support
>>>>>> --disable-drng-support --disable-neon-support, and seemed to get the same thing.
>>>>>> I've also tried running gpg-agent with and without --enable-ssh-support, and
>>>>>> same result each time.
>>>>>> Here's the basic backtrace:
>>>>> <..snip..>
>>>>>> From the bug report in our tracker, you can download the complete build log, a
>>>>>> debug log from the Android app, a log from gpg-agent, and a log from gpgme:
>>>>> Have you configured gcc flags correctly for target platform? It seems that
>>>>> compiler (and libgcrypt assembly) are configured to allow unaligned memory
>>>>> accesses, but target does not support them.
>>> <...snip...>
>>>>> -Jussi
>>>>> [1]
>>>> I forget if I mentioned this before: the build flags are set by the default
>>>> Android build system.
>>>> So I built the whole thing again, manually adding -mno-unaligned-access to the
>>>> libgcrypt build, and the tests seem to be failing in the same place.  I tested
>>>> head of master on the armv7a emulator, which failed a lot more, and the head
>>>> of LIBGCRYPT-1-6-BRANCH on the Nexus 7 ARMv7 tablet, which failed in the same
>>>> places. Any pointers for next steps?
>>> That's a bit strange. Do you have crash logs of these?
>>> -Jussi
>> The crash log is here:
>> If you want to try running it on an Android device
>> or emulator, you can find a recent build here, but one what does not have
>> -mno-unaligned-access manually set:
> I disassembled the crash area ("code around pc:" section from crash-log) and it looks
> the same as without '-mno-unaligned-access':
>    0:   e1866469        orr     r6, r6, r9, ror #8
>    4:   e8900f00        ldm     r0, {r8, r9, sl, fp}
>    8:   e0244008        eor     r4, r4, r8
>    c:   e0255009        eor     r5, r5, r9
>   10:   e026600a        eor     r6, r6, sl
>   14:   e027700b        eor     r7, r7, fp
>   18:   eafffded        b       0xfffff7d4
>   1c:   e92d5ff0        push    {r4, r5, r6, r7, r8, r9, sl, fp, ip, lr}        <<<< _gcry_aes_arm_decrypt_block
>   20:   e89200f0        ldm     r2, {r4, r5, r6, r7}                            <<<< crashing instruction (load four 32-bit input words)
>   24:   e24dd010        sub     sp, sp, #16
>   28:   e59fe864        ldr     lr, [pc, #2148] ; 0x894
>   2c:   e3a0c0ff        mov     ip, #255        ; 0xff
>   30:   e58d1004        str     r1, [sp, #4]
>   34:   e1a0c18c        lsl     ip, ip, #3
>   38:   e353000c        cmp     r3, #12
>   3c:   aa000215        bge     0x898
> ...
> When I compile with CFLAGS="-O2 -mno-unaligned-access" for ARM, the assembly function
> ends up looking like this:
> 000011a8 <_gcry_aes_arm_decrypt_block>:
>     11a8:       e92d5ff0        push    {r4, r5, r6, r7, r8, r9, sl, fp, ip, lr}
>     11ac:       e3120003        tst     r2, #3                                  <<< Check if input is unaligned
>     11b0:       0a00001c        beq     1228 <_gcry_aes_arm_decrypt_block+0x80> <<< Jump to aligned load
>     11b4:       e5d24000        ldrb    r4, [r2]                                <<< Input is not 32-bit aligned, so start unaligned load
>     11b8:       e5d28001        ldrb    r8, [r2, #1]
>     11bc:       e1844408        orr     r4, r4, r8, lsl #8
>     11c0:       e5d28002        ldrb    r8, [r2, #2]
>     11c4:       e1844808        orr     r4, r4, r8, lsl #16
>     11c8:       e5d28003        ldrb    r8, [r2, #3]
>     11cc:       e1844c08        orr     r4, r4, r8, lsl #24
>     11d0:       e5d25004        ldrb    r5, [r2, #4]
>     11d4:       e5d29005        ldrb    r9, [r2, #5]
>     11d8:       e1855409        orr     r5, r5, r9, lsl #8
>     11dc:       e5d29006        ldrb    r9, [r2, #6]
>     11e0:       e1855809        orr     r5, r5, r9, lsl #16
>     11e4:       e5d29007        ldrb    r9, [r2, #7]
>     11e8:       e1855c09        orr     r5, r5, r9, lsl #24
>     11ec:       e5d26008        ldrb    r6, [r2, #8]
>     11f0:       e5d28009        ldrb    r8, [r2, #9]
>     11f4:       e1866408        orr     r6, r6, r8, lsl #8
>     11f8:       e5d2800a        ldrb    r8, [r2, #10]
>     11fc:       e1866808        orr     r6, r6, r8, lsl #16
>     1200:       e5d2800b        ldrb    r8, [r2, #11]
>     1204:       e1866c08        orr     r6, r6, r8, lsl #24
>     1208:       e5d2700c        ldrb    r7, [r2, #12]
>     120c:       e5d2900d        ldrb    r9, [r2, #13]
>     1210:       e1877409        orr     r7, r7, r9, lsl #8
>     1214:       e5d2900e        ldrb    r9, [r2, #14]
>     1218:       e1877809        orr     r7, r7, r9, lsl #16
>     121c:       e5d2900f        ldrb    r9, [r2, #15]
>     1220:       e1877c09        orr     r7, r7, r9, lsl #24                     <<< End unaligned load
>     1224:       ea000000        b       122c <_gcry_aes_arm_decrypt_block+0x84> <<< Jump over aligned load
>     1228:       e89200f0        ldm     r2, {r4, r5, r6, r7}                    <<< Input is 32-bit aligned, so do aligned load
>     122c:       e24dd010        sub     sp, sp, #16
>     1230:       e59fe8d8        ldr     lr, [pc, #2264] ; 1b10 <_gcry_aes_arm_decrypt_block+0x968>
>     1234:       e3a0c0ff        mov     ip, #255        ; 0xff
>     1238:       e58d1004        str     r1, [sp, #4]
>     123c:       e1a0c18c        lsl     ip, ip, #3
>     1240:       e353000c        cmp     r3, #12
>     1244:       aa000234        bge     1b1c <_gcry_aes_arm_decrypt_block+0x974>
> ...
> Are you sure that new binaries built with '-mno-unaligned-access' are included to
> the Android application?

For the tests that happen in the emulator, the whole build/test process is
automated.  The .so files are automatically installed by the normal Android
process, which will overwrite the previous ones.  And just to be sure, the
process tries to uninstall first, which fails since the emulator is run in a
way that it doesn't save its state.  Just to be sure, I wiped out all the
files, and had it start from scratch including the 'git clone' of all the repos.

As for the tests on a tablet, I took the same APK as was used on the emulator
and installed it onto a Nexus 7.  The result was the same.

I don't know if you saw this, but the current builds have these ./configure
flags in them:
--disable-padlock-support --disable-drng-support --disable-neon-support.  The
crashes in libgcrypt also happen without those ./configure flags.

A simpler, more direct test harness would help here, but the cross-compiling
part makes it difficult.  Anyone have any ideas of how to make GNU autotools
'make check' setup handle running the tests in the emulator?

Also, it is easy to set up the Android tools and emulator on a Debian or
Ubuntu system, I'm happy to help you get that going via email, IRC, XMPP, etc.


PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81

More information about the Gnupg-devel mailing list