
sbsign crashes in pkcs11.so while signing an (EFI) image #534

Open

DimanNe opened this issue Jun 9, 2024 · 6 comments

Comments


DimanNe commented Jun 9, 2024

Try signing a file using sbsign where the key is stored on a Yubikey; it will crash:

sbsign --engine pkcs11 --key 'pkcs11:manufacturer=piv_II;id=%02' --cert ./sb/db.crt --output ./sb/secboot-linux-latest.efi.signed ./sb/secboot-linux-latest.efi

gdb shows this backtrace:

Thread 1 "sbsign" received signal SIGSEGV, Segmentation fault.
0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
(gdb) bt
#0 0x00007ffff7faf1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#1 0x00007ffff7faf962 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#2 0x00007ffff7fb5567 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#3 0x00007ffff7fb58b0 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#4 0x00007ffff7fb3731 in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#5 0x00007ffff7fb37bb in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
#6 0x00007ffff7d1eed6 in RSA_sign (type=<optimised out>, m=m@entry=0x7fffffffdb80 "\224t&n\257>Y$\377...", m_len=m_len@entry=32,
    sigret=sigret@entry=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdb14, rsa=rsa@entry=0x5555555f4270) at ../crypto/rsa/rsa_sign.c:309
#7 0x00007ffff7d1d5a2 in pkey_rsa_sign (ctx=0x5555555eb5d0, sig=0x5555555f89a0 "\330\322\n", siglen=0x7fffffffdc30,
    tbs=0x7fffffffdb80 "\224t&n\257>Y$\377...", tbslen=32) at ../crypto/rsa/rsa_pmeth.c:180
#8 0x00007ffff7c06817 in EVP_DigestSignFinal (ctx=ctx@entry=0x5555555d8c50, sigret=0x5555555f89a0 "\330\322\n", siglen=siglen@entry=0x7fffffffdc30) at ../crypto/evp/m_sigver.c:560
#9 0x00007ffff7cfdcbc in PKCS7_SIGNER_INFO_sign (si=si@entry=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:952
#10 0x00007ffff7cfdf9d in do_pkcs7_signed_attrib (mctx=<optimised out>, si=0x5555555a85f0) at ../crypto/pkcs7/pk7_doit.c:728
#11 PKCS7_dataFinal (p7=p7@entry=0x5555555f3520, bio=bio@entry=0x5555555a8640) at ../crypto/pkcs7/pk7_doit.c:850
#12 0x0000555555557c40 in IDC_set (image=<optimised out>, si=0x5555555a85f0, p7=0x5555555f3520) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/idc.c:216
#13 main (argc=<optimised out>, argv=<optimised out>) at /usr/src/sbsigntool-0.9.4-3.1ubuntu7/src/sbsign.c:274
(gdb)

These are the logs just before the crash:

P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x4)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x4) 0
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x5)
P:169928; T:0x133947370026816 16:44:23.956 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x5) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x6)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x6) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] slot.c:501:slot_token_removed: slot_token_removed(0x7)
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] pkcs11-session.c:145:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x7) 0
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] ctx.c:1066:sc_release_context: called
P:169928; T:0x133947370026816 16:44:23.957 [opensc-pkcs11] reader-pcsc.c:978:pcsc_finish: called
fish: Job 1, 'sbsign --engine pkcs11 --key 'p…' terminated by signal SIGSEGV (Address boundary error)
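How the libp11 engine turns the `--key` URI above into one key object, as an added Python example that is not code from this issue, from sbsign or from libp11. It parses the pkcs11: URI per RFC 7512, percent-decoding `id=%02` to the single byte 0x02 that is compared against the object's CKA_ID, and then narrows a token inventory first by token attributes (manufacturer, token label, serial, model) and then by object attributes (id, object label, type), defaulting to private keys because that is what a private-key load asks for. The inventory in `SAMPLE_TOKENS` is constructed: its labels, serials and the second token's manufacturer string are made up, and the second token only illustrates that a URI pinned to `manufacturer=piv_II` selects nothing on a token presented by a different PKCS#11 module.

```python
"""RFC 7512 pkcs11: URI parsing and key selection (added example)."""
from urllib.parse import unquote_to_bytes

# Path attributes holding opaque bytes; CKA_ID is compared byte-for-byte,
# so "id=%02" means the one-byte ID 0x02, not the text "02".
_BINARY_PATH_ATTRS = {"id"}
# URI attribute -> field of CK_TOKEN_INFO it is matched against.
_TOKEN_FIELDS = {"token": "label", "manufacturer": "manufacturer",
                 "serial": "serial", "model": "model"}
# URI attribute -> attribute of the object it is matched against.
_OBJECT_FIELDS = {"id": "id", "object": "label", "type": "type"}


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} for a pkcs11: URI."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    parsed = {"path": {}, "query": {}}
    for component, sep, dest in ((path_part, ";", "path"),
                                 (query_part, "&", "query")):
        if not component:
            continue
        for pair in component.split(sep):
            name, eq, raw = pair.partition("=")
            if not eq or not name:
                raise ValueError(f"malformed attribute {pair!r}")
            if name in parsed[dest]:
                raise ValueError(f"repeated attribute {name!r}")
            value = unquote_to_bytes(raw)
            if not (dest == "path" and name in _BINARY_PATH_ATTRS):
                value = value.decode("utf-8")
            parsed[dest][name] = value
    return parsed


def _matches(record, fields, wanted):
    """True when every URI attribute present in `wanted` equals the record's field."""
    return all(record.get(field) == wanted[attr]
               for attr, field in fields.items() if attr in wanted)


def select_keys(uri, tokens, object_type="private"):
    """Return the (token, object) pairs the URI selects, narrowed to one
    object class the way an engine does for a private-key load. A `type`
    given in the URI overrides `object_type`."""
    wanted = dict(parse_pkcs11_uri(uri)["path"])
    wanted.setdefault("type", object_type)
    return [(tok, obj)
            for tok in tokens if _matches(tok, _TOKEN_FIELDS, wanted)
            for obj in tok["objects"] if _matches(obj, _OBJECT_FIELDS, wanted)]


# Constructed inventory: an OpenSC-presented PIV token (manufacturer string
# as in the URI above) and a token from some other module. Labels, serials,
# models and the second manufacturer string are made up for this example.
SAMPLE_TOKENS = [
    {"label": "PIV token (constructed)", "manufacturer": "piv_II",
     "serial": "0000000000000001", "model": "constructed",
     "objects": [
         {"id": b"\x01", "label": "AUTH key", "type": "private"},
         {"id": b"\x02", "label": "SIGN key", "type": "private"},
         {"id": b"\x02", "label": "SIGN cert", "type": "cert"},
         {"id": b"\x03", "label": "KEY MAN key", "type": "private"},
     ]},
    {"label": "Other PIV token (constructed)", "manufacturer": "Other vendor",
     "serial": "0000000000000002", "model": "constructed",
     "objects": [
         {"id": b"\x02", "label": "Digital Signature key", "type": "private"},
     ]},
]

if __name__ == "__main__":
    uri = "pkcs11:manufacturer=piv_II;id=%02"
    for tok, obj in select_keys(uri, SAMPLE_TOKENS):
        print(tok["manufacturer"], obj["id"].hex(), obj["label"])
```

The `id` value is matched as bytes, so `id=%02` and `id=02` select different objects (the latter is the two-character text ID "02"). Query attributes such as `module-path` and `pin-value` are returned separately because they configure the module rather than select an object.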

0mniteck commented Sep 28, 2024

I am also experiencing this bug on x64 and aarch64

I have PKCS11_MODULE_PATH=/usr/lib/$(ARCH)-linux-gnu/libykcs11.so.2.2.0 set

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: data remaining[830976 vs 957042]: gaps between PE/COFF sections?
warning: data remaining[830976 vs 957048]: gaps between PE/COFF sections?
Enter engine key pass phrase:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9e1fe in ?? () from /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so

dengert (Member) commented Sep 29, 2024

In the original report it is using OpenSC-pkcs11. In the Sept 28 comment it is using Yubico's pkcs11 module for PIV.
What version(s) of OpenSSL are being used in sbsign, the libp11 engine and in the pkcs11 modules in both cases?

If possible use a libp11 build with debugging turned on (compile with LDFLAGS=-g and CFLAGS=-g) to get a better backtrace when running it under gdb.

@0mniteck

You're right, this was maybe the wrong issue to add this to, as I'm using the Yubico module. But I will attempt a build of libp11 with debugging.

My OpenSSL version is 3.0.13 from Ubuntu 24.04.


0mniteck commented Oct 1, 2024

In the end to workaround the issue I used a patch and rebuilt sbsign 0.9.5 (osresearch/sbsigntools@5154c68)


Kasoo commented Oct 1, 2024

Here is a stack trace with debug symbols:

#0  0x00007ffff7f94f41 in pkcs11_getattr_var (ctx=0x2d0a1d773c159e62, session=17, object=93824992854736, type=288, value=0x0, size=0x7fffffffd7b8)
    at /home/user/libp11/libp11-0.4.12/src/p11_attr.c:46
#1  0x00007ffff7f95064 in pkcs11_getattr_alloc (ctx=0x2d0a1d773c159e62, session=17, object=93824992854736, type=288, value=0x7fffffffd820, 
    size=0x7fffffffd818) at /home/user/libp11/libp11-0.4.12/src/p11_attr.c:66
#2  0x00007ffff7f951c5 in pkcs11_getattr_bn (ctx=0x2d0a1d773c159e62, session=17, object=93824992854736, type=288, bn=0x7fffffffd860)
    at /home/user/libp11/libp11-0.4.12/src/p11_attr.c:92
#3  0x00007ffff7f98d5d in pkcs11_get_rsa (key=0x55555555ecc0) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:197
#4  0x00007ffff7f98fff in pkcs11_get_evp_key_rsa (key=0x55555555ecc0) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:265
#5  0x00007ffff7f97769 in pkcs11_get_key (key0=0x55555555ecc0, object_class=3) at /home/user/libp11/libp11-0.4.12/src/p11_key.c:450
#6  0x00007ffff7f98781 in pkcs11_rsa (key=0x55555555ecc0) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:34
#7  0x00007ffff7f991e9 in pkcs11_get_key_size (key=0x55555555ecc0) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:332
#8  0x00007ffff7f98901 in pkcs11_private_encrypt (flen=51, from=0x5555555cc5e0 "010\r\006\t`\206H\001e\003\004\002\001\005", 
    to=0x5555555efed0 "\277\251\v", key=0x55555555ecc0, padding=1) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:91
#9  0x00007ffff7f99323 in pkcs11_rsa_priv_enc_method (flen=51, from=0x5555555cc5e0 "010\r\006\t`\206H\001e\003\004\002\001\005", 
    to=0x5555555efed0 "\277\251\v", rsa=0x5555555ecae0, padding=1) at /home/user/libp11/libp11-0.4.12/src/p11_rsa.c:384
#10 0x00007ffff7d1eed6 in RSA_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
#11 0x00007ffff7d1d5a2 in ?? () from /lib/x86_64-linux-gnu/libcrypto.so.3
#12 0x00007ffff7c06817 in EVP_DigestSignFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
#13 0x00007ffff7cfdcbc in PKCS7_SIGNER_INFO_sign () from /lib/x86_64-linux-gnu/libcrypto.so.3
#14 0x00007ffff7cfdf9d in PKCS7_dataFinal () from /lib/x86_64-linux-gnu/libcrypto.so.3
#15 0x0000555555557c40 in ?? ()
#16 0x00007ffff762a1ca in __libc_start_call_main (main=main@entry=0x555555556990, argc=argc@entry=10, argv=argv@entry=0x7fffffffe2f8)
    at ../sysdeps/nptl/libc_start_call_main.h:58
#17 0x00007ffff762a28b in __libc_start_main_impl (main=0x555555556990, argc=10, argv=0x7fffffffe2f8, init=<optimised out>, fini=<optimised out>, 
    rtld_fini=<optimised out>, stack_end=0x7fffffffe2e8) at ../csu/libc-start.c:360
#18 0x0000555555558575 in ?? ()

The issue starts at pkcs11_get_rsa, it appears that the key->slot->ctx pointer is not properly initialised.

I'll try with the patched sbsign version as discussed above, which sounds like it will work around the issue, but if you need any help digging into this further I'm able to reproduce and assist.
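What the engine is being asked to sign at frame #8 of the trace above, decoded as an added Python example (not code from libp11, OpenSSL or sbsign). `padding=1` is OpenSSL's RSA_PKCS1_PADDING and `flen=51` is the length of a DER DigestInfo carrying a SHA-256 hash; the 16 bytes gdb printed for `from` (it stops at the NUL that is the DER NULL's length byte) are exactly that DigestInfo's header, and the 32-byte `m` in frame #6 of the first trace is the digest it wraps. The decoder below checks the structure strictly, identifies the digest algorithm from its OID, and applies the EMSA-PKCS1-v1_5 encoding that a token's CKM_RSA_PKCS mechanism performs before the raw RSA operation, so the whole input that crosses into the PKCS#11 module is visible. The digest itself is constructed, since the backtrace elides it; the OID table and the `FRAME8_PREFIX` bytes are the only inputs taken from the page or from the standards.

```python
"""Decode the DigestInfo handed to the engine and apply the PKCS#1 v1.5
encoding the token performs (added example)."""
import hashlib

# Digest OIDs accepted in a DigestInfo, with the digest length each implies.
DIGEST_OIDS = {
    "1.3.14.3.2.26": ("sha1", 20),
    "2.16.840.1.101.3.4.2.1": ("sha256", 32),
    "2.16.840.1.101.3.4.2.2": ("sha384", 48),
    "2.16.840.1.101.3.4.2.3": ("sha512", 64),
}


def _tlv(buf, pos, tag):
    """Read one short-form DER element; return (contents, next_offset)."""
    if pos + 1 >= len(buf):
        raise ValueError(f"truncated element at offset {pos}")
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form length is not valid in a DigestInfo")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos + 2:end], end


def _decode_oid(raw):
    """Turn OID contents bytes into dotted form (first byte packs two arcs)."""
    if not raw or raw[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_digest_info(der):
    """Return (hash_name, digest) from a DER DigestInfo, rejecting anything
    that is not exactly SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    der = bytes(der)
    body, end = _tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after DigestInfo")
    algid, pos = _tlv(body, 0, 0x30)
    digest, pos = _tlv(body, pos, 0x04)
    if pos != len(body):
        raise ValueError("trailing bytes inside DigestInfo")
    oid_raw, apos = _tlv(algid, 0, 0x06)
    if apos != len(algid):
        params, apos = _tlv(algid, apos, 0x05)  # optional NULL parameters
        if params or apos != len(algid):
            raise ValueError("unexpected AlgorithmIdentifier parameters")
    oid = _decode_oid(oid_raw)
    if oid not in DIGEST_OIDS:
        raise ValueError(f"unsupported digest OID {oid}")
    name, size = DIGEST_OIDS[oid]
    if len(digest) != size:
        raise ValueError(f"{name} digest must be {size} bytes, got {len(digest)}")
    return name, digest


def emsa_pkcs1_v15_encode(digest_info, modulus_bits):
    """EM = 0x00 || 0x01 || PS (0xff...) || 0x00 || T, one modulus length long.
    This is the block a CKM_RSA_PKCS signature feeds to the raw RSA operation."""
    k = (modulus_bits + 7) // 8
    if len(digest_info) + 11 > k:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info


# The 16 bytes gdb printed for `from` in frame #8 (it stops at the NUL byte
# that is the DER NULL's length), then the NULL length and the OCTET STRING
# header that precede a 32-byte digest. The digest is a constructed stand-in:
# the backtrace does not show the real one.
FRAME8_PREFIX = bytes.fromhex("3031300d060960864801650304020105" + "000420")
SAMPLE_DIGEST = hashlib.sha256(b"constructed stand-in for the signed-attributes hash").digest()
SAMPLE_DIGEST_INFO = FRAME8_PREFIX + SAMPLE_DIGEST

if __name__ == "__main__":
    name, digest = parse_digest_info(SAMPLE_DIGEST_INFO)
    print(f"flen={len(SAMPLE_DIGEST_INFO)} hash={name} digest={digest.hex()}")
    print(emsa_pkcs1_v15_encode(SAMPLE_DIGEST_INFO, 2048).hex())
```

Strict parsing matters here because the DigestInfo is the one piece of signature input the token does not compute itself: anything that accepts a malformed or oversized DigestInfo on the verify side is the classic Bleichenbacher-style signature forgery surface, so the decoder refuses long-form lengths, trailing bytes, non-NULL parameters and digest lengths that do not match the OID.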

dengert (Member) commented Oct 2, 2024

Some additional comments. This is #327 which was closed but never committed?
i.e. "I've temporarily worked around it by having sbsign leak the engine pointer; rather than digging much into the libp11 code."

Full docs on Engine: https://docs.openssl.org/3.3/man3/ which deal with "functional reference" vs "structural reference" and in the example have:

/* Release the functional reference from ENGINE_init() */
ENGINE_finish(e);
/* Release the structural reference from ENGINE_by_id() */
ENGINE_free(e);

So the problem could be in libp11, actually doing the equivalent of ENGINE_free when called to do an ENGINE_finish.

The doc also says: "All of these functions were deprecated in OpenSSL 3.0. ENGINE_cleanup() was deprecated in OpenSSL 1.1.0 by the automatic cleanup done by OPENSSL_cleanup() and should not be used."
