Bug 916328 - app-crypt/sbsigntools-0.9.5: sbsign segmentation fault with dev-libs/openssl-3.1.4 via dev-libs/libp11-0.4.12-r3
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Matthias Maier
Depends on: 930057
Blocks: 926225
Reported: 2023-10-27 10:16 UTC by Andrew Ammerlaan
Modified: 2024-05-06 08:41 UTC

Description Andrew Ammerlaan gentoo-dev 2023-10-27 10:16:22 UTC
This is currently causing failures on my system in anything that has USE=secureboot:

andrew-gentoo-pc ~ # sbsign --engine pkcs11 --key 'pkcs11:model=PKCS%2315%20emulated;manufacturer=ZeitControl;serial=00050000ae4c;token=OpenPGP%20card%20%28User%20PIN%29;id=%03' --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage
Enter engine key pass phrase:
zsh: segmentation fault  sbsign --engine pkcs11 --key  --cert /boot/cert.pem --output /tmp/test.efi
Comment 1 Andrew Ammerlaan gentoo-dev 2023-10-27 10:23:42 UTC
(gdb) run
Starting program: /usr/bin/sbsign --engine pkcs11 --key pkcs11:model=PKCS%2315%20emulated\;manufacturer=ZeitControl\;serial=00050000ae4c\;token=OpenPGP%20card%20%28User%20PIN%29\;id=%03 --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Enter engine key pass phrase:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fb5375 in ?? () from /usr/lib64/engines-3/pkcs11.so
(gdb) backtrace
#0  0x00007ffff7fb5375 in ?? () from /usr/lib64/engines-3/pkcs11.so
#1  0x00007ffff7fb545c in ?? () from /usr/lib64/engines-3/pkcs11.so
#2  0x00007ffff7fb5560 in ?? () from /usr/lib64/engines-3/pkcs11.so
#3  0x00007ffff7fb7e5b in ?? () from /usr/lib64/engines-3/pkcs11.so
#4  0x00007ffff7fb87b3 in ?? () from /usr/lib64/engines-3/pkcs11.so
#5  0x00007ffff7fb72f2 in ?? () from /usr/lib64/engines-3/pkcs11.so
#6  0x00007ffff7fb841f in ?? () from /usr/lib64/engines-3/pkcs11.so
#7  0x00007ffff7fb84a4 in ?? () from /usr/lib64/engines-3/pkcs11.so
#8  0x00007ffff7cf59ed in RSA_sign () from /usr/lib64/libcrypto.so.3
#9  0x00007ffff7cf429e in ?? () from /usr/lib64/libcrypto.so.3
#10 0x00007ffff7be0ede in EVP_DigestSignFinal () from /usr/lib64/libcrypto.so.3
#11 0x00007ffff7cd57e8 in PKCS7_SIGNER_INFO_sign () from /usr/lib64/libcrypto.so.3
#12 0x00007ffff7cd5a62 in PKCS7_dataFinal () from /usr/lib64/libcrypto.so.3
#13 0x00005555555581b0 in ?? ()
#14 0x000055555555795e in ?? ()
#15 0x00007ffff784cf0a in ?? () from /usr/lib64/libc.so.6
#16 0x00007ffff784cfc5 in __libc_start_main () from /usr/lib64/libc.so.6
#17 0x0000555555557c11 in ?? ()


Will make a proper backtrace with debug info later.
Comment 2 Andrew Ammerlaan gentoo-dev 2023-10-27 12:01:29 UTC
(gdb) run
Starting program: /usr/bin/sbsign --engine pkcs11 --key pkcs11:model=PKCS%2315%20emulated\;manufacturer=ZeitControl\;serial=00050000ae4c\;token=OpenPGP%20card%20%28User%20PIN%29\;id=%03 --cert /boot/cert.pem --output /tmp/test.efi /tmp/portage/sys-kernel/gentoo-kernel-6.5.9/image/usr/src/linux-6.5.9-gentoo-dist/arch/x86/boot/bzImage
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Enter engine key pass phrase:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7fb5375 in pkcs11_getattr_var (ctx=ctx@entry=0x5fffbc54da182a88, session=session@entry=17,
object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x0,
size=size@entry=0x7fffffffca90) at p11_attr.c:46
46      p11_attr.c: No such file or directory.
(gdb) backtrace
#0  0x00007ffff7fb5375 in pkcs11_getattr_var (ctx=ctx@entry=0x5fffbc54da182a88, session=session@entry=17,
object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x0,
size=size@entry=0x7fffffffca90) at p11_attr.c:46
#1  0x00007ffff7fb545c in pkcs11_getattr_alloc (ctx=ctx@entry=0x5fffbc54da182a88, session=17,
object=object@entry=93891482819376, type=type@entry=288, value=value@entry=0x7fffffffcae8,
size=size@entry=0x7fffffffcaf0) at p11_attr.c:66
#2  0x00007ffff7fb5560 in pkcs11_getattr_bn (ctx=ctx@entry=0x5fffbc54da182a88, session=<optimized out>,
object=object@entry=93891482819376, type=type@entry=288, bn=bn@entry=0x7fffffffcb20) at p11_attr.c:92
#3  0x00007ffff7fb7e5b in pkcs11_get_rsa (key=0x555555587aa0) at p11_rsa.c:197
#4  0x00007ffff7fb87b3 in pkcs11_get_evp_key_rsa (key=0x555555587aa0) at p11_rsa.c:265
#5  0x00007ffff7fb72f2 in pkcs11_get_key (key0=key0@entry=0x555555587aa0, object_class=<optimized out>)
at p11_key.c:450
#6  0x00007ffff7fb841f in pkcs11_rsa (key=key@entry=0x555555587aa0) at p11_rsa.c:34
#7  pkcs11_get_key_size (key=key@entry=0x555555587aa0) at p11_rsa.c:332
#8  0x00007ffff7fb84a4 in pkcs11_private_encrypt (flen=51,
from=0x5555555a2d70 "010\r\006\t`\206H\001e\003\004\002\001\005", to=0x555555563ee0 "cUUU\005",
key=0x555555587aa0, padding=1) at p11_rsa.c:91
#9  0x00007ffff7cf59ed in RSA_sign (type=<optimized out>,
m=m@entry=0x7fffffffd050 "\343H\177\222O\a~\217\252Sl\335\337Еڇ\326\3004\316\200~\320ƌ\307\372\f\361I\037 )ZUUU", m_len=m_len@entry=32, sigret=sigret@entry=0x555555563ee0 "cUUU\005",
siglen=siglen@entry=0x7fffffffcfe4, rsa=rsa@entry=0x555555587d80)
at ../openssl-3.1.4/crypto/rsa/rsa_sign.c:309
#10 0x00007ffff7cf429e in pkey_rsa_sign (ctx=0x555555563480, sig=0x555555563ee0 "cUUU\005",
siglen=0x7fffffffd0f0,
tbs=0x7fffffffd050 "\343H\177\222O\a~\217\252Sl\335\337Еڇ\326\3004\316\200~\320ƌ\307\372\f\361I\037 )ZUUU", tbslen=32) at ../openssl-3.1.4/crypto/rsa/rsa_pmeth.c:176
#11 0x00007ffff7be0ede in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555a2810,
--Type <RET> for more, q to quit, c to continue without paging--c
sigret=0x555555563ee0 "cUUU\005", siglen=siglen@entry=0x7fffffffd0f0) at ../openssl-3.1.4/crypto/evp/m_sigver.c:553
#12 0x00007ffff7cd57e8 in PKCS7_SIGNER_INFO_sign (si=si@entry=0x55555559b6e0) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:945
#13 0x00007ffff7cd5a62 in do_pkcs7_signed_attrib (mctx=<optimized out>, si=0x55555559b6e0) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:721
#14 PKCS7_dataFinal (p7=0x555555586c10, bio=0x55555559b730) at ../openssl-3.1.4/crypto/pkcs7/pk7_doit.c:843
#15 0x00005555555581b0 in ?? ()
#16 0x000055555555795e in ?? ()
#17 0x00007ffff784cf0a in ?? () from /usr/lib64/libc.so.6
#18 0x00007ffff784cfc5 in __libc_start_main () from /usr/lib64/libc.so.6
#19 0x0000555555557c11 in ?? ()
Comment 3 Andrew Ammerlaan gentoo-dev 2023-10-27 12:42:03 UTC
The problem is introduced in openssl-3.1.4; downgrading to openssl-3.1.3 resolves the segfault.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-27 13:02:22 UTC
There's https://github.com/openssl/openssl/issues/22508 too...
Comment 5 Andrew Ammerlaan gentoo-dev 2023-10-27 13:05:40 UTC
Signing with a regular key works fine, so the problem is specific to libp11.
Comment 6 Larry the Git Cow gentoo-dev 2023-10-27 13:06:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=794bb500c772272eddaf96765df66838bf5a56d6

commit 794bb500c772272eddaf96765df66838bf5a56d6
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2023-10-27 13:02:44 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2023-10-27 13:04:53 +0000

    dev-libs/libp11: temporarily restrict to <dev-libs/openssl-3.1.4
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 .../{libp11-0.4.12-r3.ebuild => libp11-0.4.12-r4.ebuild}    | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
Comment 7 Mike Gilbert gentoo-dev 2023-11-11 22:03:22 UTC
Andrew: I don't see how libp11 is involved here. None of the symbols in your backtrace appear to be from that library.

Could you please elaborate on your reasoning here?
Comment 8 Mike Gilbert gentoo-dev 2023-11-11 22:10:32 UTC
Oh, I guess they are non-public symbols from the OpenSSL plugin installed by libp11 (/usr/lib64/engines-3/pkcs11.so).
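
An added example (not part of the bug thread or of any project's code): the reading of the Comment 1 backtrace that Comment 8 arrives at, done mechanically by grouping stripped gdb frames by the shared object named after `from`. The frames are copied from Comment 1; the helper names `parse_frames` and `triage` are made up for this illustration.

```python
import re

# Frames copied from the Comment 1 backtrace (a subset; stripped binary, no debug info).
BACKTRACE = """\
#0  0x00007ffff7fb5375 in ?? () from /usr/lib64/engines-3/pkcs11.so
#1  0x00007ffff7fb545c in ?? () from /usr/lib64/engines-3/pkcs11.so
#7  0x00007ffff7fb84a4 in ?? () from /usr/lib64/engines-3/pkcs11.so
#8  0x00007ffff7cf59ed in RSA_sign () from /usr/lib64/libcrypto.so.3
#10 0x00007ffff7be0ede in EVP_DigestSignFinal () from /usr/lib64/libcrypto.so.3
#13 0x00005555555581b0 in ?? ()
#16 0x00007ffff784cfc5 in __libc_start_main () from /usr/lib64/libc.so.6
"""

# "#N  [0xADDR in ]FUNC (args)[ from /path/to/module]"
FRAME = re.compile(
    r"^#(?P<n>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) \(.*?\)"
    r"(?: from (?P<lib>\S+))?"
)

def parse_frames(text):
    """Return [(frame_no, function, module)] for each gdb frame line."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            # gdb omits "from ..." for frames inside the main executable.
            frames.append((int(m["n"]), m["func"], m["lib"] or "<main executable>"))
    return frames

def triage(text):
    """Name the module that crashed and the frame that called into it."""
    frames = parse_frames(text)
    crash_module = frames[0][2]
    # First frame outside the crashing module: the caller that handed control to it.
    entered_from = next((f for f in frames if f[2] != crash_module), None)
    path = []
    for _, _, module in frames:
        if not path or path[-1] != module:
            path.append(module)
    return {"crash_module": crash_module,
            "entered_from": entered_from,
            "call_path": path[::-1]}  # outermost caller first

if __name__ == "__main__":
    for key, value in triage(BACKTRACE).items():
        print(f"{key}: {value}")
```

The `?? ()` function names carry no information here; the module path does, and it can then be mapped to the package that installed it (on Gentoo, for example with `equery belongs`).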
Comment 9 Larry the Git Cow gentoo-dev 2024-01-02 18:53:17 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fc967d99bab80dad3fd013b2184954fba9597293

commit fc967d99bab80dad3fd013b2184954fba9597293
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-01-02 18:50:35 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-01-02 18:52:43 +0000

    dev-libs/libp11: fixup openssl version restrictions
    
    it breaks with 4 and up of the 3.1 series and
    with version 12 and up of the 3.0 series
    
    the recent removal of 3.1.3 broke things again on my system when openssl
    was downgraded to 3.0.12, downgrading again to 3.0.11 fixes the problem again.
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 .../{libp11-0.4.12-r4.ebuild => libp11-0.4.12-r5.ebuild}   | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
Comment 10 Larry the Git Cow gentoo-dev 2024-02-01 16:46:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1d9f0cf25f1b992278cea5dacc29f54a03cd45bb

commit 1d9f0cf25f1b992278cea5dacc29f54a03cd45bb
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-02-01 16:42:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-02-01 16:45:56 +0000

    dev-libs/openssl: backport libp11 segfault fix/workaround to 3.1.5-r1, 3.2.1-r1
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Sam James <sam@gentoo.org>

 .../openssl/files/openssl-3.1.5-p11-segfault.patch |  78 ++++++
 .../openssl/files/openssl-3.2.1-p11-segfault.patch |  79 ++++++
 dev-libs/openssl/openssl-3.1.5-r1.ebuild           | 285 +++++++++++++++++++
 dev-libs/openssl/openssl-3.2.1-r1.ebuild           | 304 +++++++++++++++++++++
 4 files changed, 746 insertions(+)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-02-01 16:51:45 UTC
The deps still need adjusting in libp11 which Andrew is going to handle tomorrow morning. Maybe we should wait until stable is fixed before closing too.
Comment 12 Larry the Git Cow gentoo-dev 2024-02-02 06:38:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=358fcf2c875fef243ab1670c996749a793463c90

commit 358fcf2c875fef243ab1670c996749a793463c90
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-02-02 06:35:56 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-02-02 06:37:56 +0000

    dev-libs/libp11: update allowed versions of openssl
    
    The underlying issue in openssl has been fixed in 3.1.5-r1+
    and 3.2.1-r1+
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 .../{libp11-0.4.12-r5.ebuild => libp11-0.4.12-r6.ebuild}     | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
Comment 13 Larry the Git Cow gentoo-dev 2024-04-15 08:17:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0626b571d9c2a3f6774d5cf929e80b325e571a38

commit 0626b571d9c2a3f6774d5cf929e80b325e571a38
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-04-15 08:12:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-04-15 08:16:46 +0000

    dev-libs/openssl: backport libp11 segfault fix to 3.0.13 too
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Sam James <sam@gentoo.org>

 .../files/openssl-3.0.13-p11-segfault.patch        |  79 ++++++
 dev-libs/openssl/openssl-3.0.13-r2.ebuild          | 283 +++++++++++++++++++++
 2 files changed, 362 insertions(+)
Comment 14 Larry the Git Cow gentoo-dev 2024-04-15 09:42:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=32e186395feea86d289dc5f5601e334e2f32aff8

commit 32e186395feea86d289dc5f5601e334e2f32aff8
Author:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
AuthorDate: 2024-04-15 09:40:13 +0000
Commit:     Andrew Ammerlaan <andrewammerlaan@gentoo.org>
CommitDate: 2024-04-15 09:40:13 +0000

    dev-libs/libp11: adjust blockers
    
    allow 3.0.13-r2
    
    Bug: https://bugs.gentoo.org/916328
    Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

 .../libp11/{libp11-0.4.12-r6.ebuild => libp11-0.4.12-r7.ebuild}  | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)