2.5.1 testing: gpgscm segfault

NIIBE Yutaka gniibe at fsij.org
Fri Sep 13 03:29:18 CEST 2024


Hello,

Marcel Telka <marcel at telka.sk> wrote:
> I'm running tests for GnuPG 2.5.1 on OpenIndiana and I found that the
> gpgscm segfaults:

Thank you for your testing.

> do_process_spawn_io+0x2ff:      js     +0xe4    <do_process_spawn_io+0x3e9>
> do_process_spawn_io+0x305:      movslq 0xffffffffffffdfa4(%rbp),%rax
> do_process_spawn_io+0x30c:      movq   %rax,%rdi
> do_process_spawn_io+0x30f:      shrq   $0x6,%rax
> do_process_spawn_io+0x313:      movq   0xffffffffffffdfd0(%rbp,%rax,8),%rax
> do_process_spawn_io+0x31b:      btq    %rdi,%rax
> do_process_spawn_io+0x31f:      jb     +0x1c3   <do_process_spawn_io+0x4e8>
> do_process_spawn_io+0x325:      movslq 0xffffffffffffdfa8(%rbp),%rax
> do_process_spawn_io+0x32c:      movq   %rax,%r8
> do_process_spawn_io+0x32f:      shrq   $0x6,%rax
> do_process_spawn_io+0x333:      movq   0xffffffffffffdfd0(%rbp,%rax,8),%rax
> do_process_spawn_io+0x33b:      btq    %r8,%rax
> do_process_spawn_io+0x33f:      jae    -0xb5    <do_process_spawn_io+0x290>
> do_process_spawn_io+0x345:      movq   0xffffffffffffdf90(%rbp),%rdx
> do_process_spawn_io+0x34c:      movq   0xffffffffffffdf80(%rbp),%rax
> do_process_spawn_io+0x353:      movl   %r8d,%edi
> do_process_spawn_io+0x356:      subq   %r13,%rdx
> do_process_spawn_io+0x359:      leaq   (%rax,%r13),%rsi
> do_process_spawn_io+0x35d:      call   -0x6642  <PLT=libc.so.1`read>
> do_process_spawn_io+0x362:      testq  %rax,%rax
> do_process_spawn_io+0x365:      je     +0x265   <do_process_spawn_io+0x5d0>

It looks like the FD_ISSET (err_fd, &read_fdset) access in
tests/gpgscm/ffi.c:do_process_spawn_io caused the SEGV, presumably
because execution continued with an invalid descriptor after
gpgrt_process_spawn had failed.

The error handling there was not good: the return value of
gpgrt_process_spawn was overwritten without ever being checked.

I'm pushing the following change as the fix.

==========================
diff --git a/tests/gpgscm/ffi.c b/tests/gpgscm/ffi.c
index 16d9147bf..1179e01c0 100644
--- a/tests/gpgscm/ffi.c
+++ b/tests/gpgscm/ffi.c
@@ -936,10 +936,18 @@ do_process_spawn_io (scheme *sc, pointer args)
 
   err = gpgrt_process_spawn (argv[0], (const char **) &argv[1],
                              flags, NULL, &proc);
-  err = gpgrt_process_get_streams (proc, 0, &infp, NULL, NULL);
+  if (err)
+    {
+      xfree (argv);
+      FFI_RETURN_ERR (sc, err);
+    }
 
-  err = es_write (infp, a_input, strlen (a_input), NULL);
-  es_fclose (infp);
+  err = gpgrt_process_get_streams (proc, 0, &infp, NULL, NULL);
+  if (!err)
+    {
+      err = es_write (infp, a_input, strlen (a_input), NULL);
+      es_fclose (infp);
+    }
   if (err)
     {
       gpgrt_process_release (proc);
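Review bot: The new `if (!err)` branch still ignores the result of `es_fclose (infp)`, so a write that only fails when the stream is flushed at close leaves `err` at success while the child (presumably reading its stdin from this stream) sees truncated input; consider `if (!err && es_fclose (infp)) err = gpg_error_from_syserror ();`, or a short comment stating why the close result is deliberately ignored. The early return after `gpgrt_process_spawn` is what removes the reported crash path, and it does free `argv` before returning. Since `do_process_spawn_io` starts before and continues past this hunk, I cannot see whether anything else acquired earlier (e.g. whatever `a_input` points to) needs releasing on that new early-return path — worth a quick check.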
@@ -1198,6 +1206,8 @@ do_process_spawn_fd (scheme *sc, pointer args)
   err = gpgrt_process_spawn (argv[0], (const char **)&argv[1], 0, act, &proc);
   gpgrt_spawn_actions_release (act);
   xfree (argv);
+  if (err)
+    FFI_RETURN_ERR (sc, err);
   FFI_RETURN_POINTER (sc, proc_wrap (sc, proc));
 }
 



