#689 ✓released
Pavel Borzenkov

scdaemon crash (100% reproducible)

Reported by Pavel Borzenkov | November 23rd, 2016 @ 05:00 PM | in 2.2.0 (closed)

Hi,

I have a 100% reproducible scdaemon crash in the following environment:

  • macOS Sierra
  • GPGTools 2016.10
  • Yubikey Neo (private PGP subkeys are on it)
  • gpg-agent is acting as ssh agent
  • ssh agent is forwarded to some trusted hosts ("ForwardAgent yes" in ~/.ssh/config)

The following scenario leads to the crash:

  • login to a trusted host using ssh key (key is inserted and unlocked by typing PIN code)
  • detach Yubikey from the machine
  • logoff from the trusted host

scdaemon crashes with the following callstack:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x00007fffc6316dda __pthread_kill + 10
1 libsystem_pthread.dylib 0x00007fffc6402787 pthread_kill + 90
2 libsystem_c.dylib 0x00007fffc627c420 abort + 129
3 scdaemon 0x000000010003f134 do_logv + 617
4 scdaemon 0x000000010003f45e log_bug + 141
5 scdaemon 0x000000010001b04a release_application + 109
6 scdaemon 0x0000000100008510 cmd_restart + 28
7 libassuan.0.dylib 0x000000010016f775 dispatch_command + 519
8 libassuan.0.dylib 0x000000010016f210 assuan_process + 151
9 scdaemon 0x0000000100005dff scd_command_handler + 496
10 scdaemon 0x00000001000052ec start_connection_thread + 152
11 libpth.20.0.27.dylib 0x00000001001819f5 pth_spawn_trampoline + 27
12 libpth.20.0.27.dylib 0x000000010017edda pth_mctx_set_bootstrap + 126
13 libpth.20.0.27.dylib 0x000000010017ed5c pth_mctx_set_trampoline + 37
14 libsystem_platform.dylib 0x00007fffc63f5bcd _sigtramp + 45
15 ??? 000000000000000000 0 + 0
16 libpth.20.0.27.dylib 0x0000000100181660 pth_spawn + 570
17 scdaemon 0x000000010000484f main + 3275
18 scdaemon 0x000000010000394c start + 52

Full crash dump is attached.

Filed bug with gnupg upstream: https://bugs.gnupg.org/gnupg/issue2852

Comments and changes to this ticket

  • Luke Le

    Luke Le November 23rd, 2016 @ 05:14 PM

    • Importance changed from “” to “Low”

    Hi Pavel,

    thank you for bringing this to our attention.
    From the log it looks like it might be crashing within a log message.

    Would you mind contacting the people at gnupg.org via the dev mailinglist:
    https://lists.gnupg.org/mailman/listinfo/gnupg-devel

    Thanks!

  • Pavel Borzenkov

    Pavel Borzenkov November 23rd, 2016 @ 05:28 PM

    Actually, it crashes because app refcounter becomes less than zero:

    from scd/app.c:release_application()
    if (!app->ref_count) log_bug ("trying to release an already released context\n"); if (--app->ref_count) return;

    And here is a part of the logfile:

    2016-11-23 19:26:25 scdaemon[10144] sending signal 31 to client 545
    2016-11-23 19:26:31 scdaemon[10144] DBG: asking for PIN '||Please enter the PIN'
    2016-11-23 19:26:37 scdaemon[10144] updating slot 0 status: 0x0007->0x0000 (1->2)
    2016-11-23 19:26:37 scdaemon[10144] sending signal 31 to client 545
    2016-11-23 19:26:38 scdaemon[10144] Ohhhh jeeee: trying to release an already released context

    I'll try to contact upstream regarding this issue.

  • Luke Le

    Luke Le November 23rd, 2016 @ 05:33 PM

    Ah ok, does log_bug force a crash (assert, the like?)?

    Thanks, it's best to contact upstream in this case.

  • Pavel Borzenkov

    Pavel Borzenkov November 23rd, 2016 @ 05:44 PM

    Yes, log_bug() calls assert().

    JFYI: filed an upstream issue: https://bugs.gnupg.org/gnupg/issue2852

  • Luke Le

    Luke Le November 23rd, 2016 @ 06:10 PM

    To completely eliminate GPG Suite as the culprit, you could install gpg2 via homebrew (after uninstalling MacGPG2) and see if the issue persists.
    We have a minor patch for scdaemon and helpers in order to circumvent a timeout on Yosemite which was caused by Apple's tokend drivers (if I recall correctly).

  • Pavel Borzenkov

    Pavel Borzenkov November 23rd, 2016 @ 06:44 PM

    Unfortunately, gpg2 from homebrew simply doesn't work for me:

    $ gpg2 --card-status gpg: can't connect to the agent - trying fall back
    scdaemon[17683]: pcsc_control failed: invalid parameter (0x80100004)
    scdaemon[17683]: pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65538

    gpg-agent was manually started before.

    And ssh fails to talk to it as well.

  • Luke Le

    Luke Le November 23rd, 2016 @ 06:47 PM

    Ha, that is interesting. Maybe hombrew installed gnupg 2.1?
    Just checked our patches and there's only one which affects tokens.

  • Pavel Borzenkov

    Pavel Borzenkov November 23rd, 2016 @ 06:51 PM

    Sorry, I screwed up and forgot to actually export required env variables.

    After doing this, I was able to use gpg2 from homebrew and the problem reproduces just the same.

  • steve

    steve June 18th, 2017 @ 06:22 PM

    • State changed from “new” to “fixed”

    We have moved to gpg 2.1 so this should be fixed in latest nightly.

    Could you please download and install our latest GPG Suite nightly build and see if the problem persists. That page also has sig and SHA256 to verify the download.

    All the best,
    steve

    Disclaimer: This is a development version which has not been thoroughly tested yet - bugs or crashes are to be expected. Thanks for helping us test.

  • steve

    steve September 25th, 2017 @ 04:20 PM

    • State changed from “fixed” to “released”

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Shared Ticket Bins

People watching this ticket

Attachments

Pages