diff --git a/SOURCES/gnome-keyring-40.0-ssh-agent-avoid-deadlock.patch b/SOURCES/gnome-keyring-40.0-ssh-agent-avoid-deadlock.patch new file mode 100644 index 0000000..93d3d56 --- /dev/null +++ b/SOURCES/gnome-keyring-40.0-ssh-agent-avoid-deadlock.patch @@ -0,0 +1,82 @@ +From dd92a85fb44ff68e075c348176d042448745fac8 Mon Sep 17 00:00:00 2001 +From: Steven Luo +Date: Mon, 5 Feb 2024 10:22:02 -0800 +Subject: [PATCH 1/2] ssh-agent: avoid deadlock when agent process dies before + we connect to it + +gkd_ssh_agent_process_connect() waits for the ssh-agent process to +become ready to accept input by entering the main loop while holding +self->lock. However, if the ssh-agent process dies before becoming +ready, the main loop will call on_child_watch(), which needs to take +self->lock, causing a deadlock. Fix this by releasing the lock before +entering the main loop. + +This should prevent a busyloop that's been reported multiple times [1] +[2] from lasting forever. + +[1] https://bugzilla.gnome.org/show_bug.cgi?id=794848 +[2] https://bugzilla.redhat.com/show_bug.cgi?id=1841855 (migrated to +https://issues.redhat.com/browse/RHEL-9302) +--- + daemon/ssh-agent/gkd-ssh-agent-process.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/daemon/ssh-agent/gkd-ssh-agent-process.c b/daemon/ssh-agent/gkd-ssh-agent-process.c +index d3bb3a7ed..cbf10ffb2 100644 +--- a/daemon/ssh-agent/gkd-ssh-agent-process.c ++++ b/daemon/ssh-agent/gkd-ssh-agent-process.c +@@ -228,8 +228,11 @@ gkd_ssh_agent_process_connect (GkdSshAgentProcess *self, + + if (started && !self->ready) { + source = g_timeout_add_seconds (5, on_timeout, &timedout); +- while (!self->ready && !timedout) ++ while (!self->ready && !timedout) { ++ g_mutex_unlock (&self->lock); + g_main_context_iteration (NULL, FALSE); ++ g_mutex_lock (&self->lock); ++ } + g_source_remove (source); + } + +-- +GitLab + + +From 03ca2228205bfaa7510116142f9beaaf2a682042 Mon Sep 17 00:00:00 2001 +From: Steven Luo +Date: Mon, 5 Feb 2024 10:29:56 -0800 +Subject: [PATCH 2/2] ssh-agent: stop waiting for agent to become ready if it's + dead + +If the ssh-agent process we launch dies before it becomes ready to take +input, self->pid will be set to 0 by on_child_watch(). If that happens, +there's no point in continuing to wait for the process to become ready. +This should avoid an unnecessary five-second wait in cases like [1] or +[2]. + +[1] https://bugzilla.gnome.org/show_bug.cgi?id=794848 +[2] https://bugzilla.redhat.com/show_bug.cgi?id=1841855 (migrated to +https://issues.redhat.com/browse/RHEL-9302) +--- + daemon/ssh-agent/gkd-ssh-agent-process.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/daemon/ssh-agent/gkd-ssh-agent-process.c b/daemon/ssh-agent/gkd-ssh-agent-process.c +index cbf10ffb2..82e5559fb 100644 +--- a/daemon/ssh-agent/gkd-ssh-agent-process.c ++++ b/daemon/ssh-agent/gkd-ssh-agent-process.c +@@ -226,9 +226,9 @@ gkd_ssh_agent_process_connect (GkdSshAgentProcess *self, + started = TRUE; + } + +- if (started && !self->ready) { ++ if (started && self->pid && !self->ready) { + source = g_timeout_add_seconds (5, on_timeout, &timedout); +- while (!self->ready && !timedout) { ++ while (self->pid && !self->ready && !timedout) { + g_mutex_unlock (&self->lock); + g_main_context_iteration (NULL, FALSE); + g_mutex_lock (&self->lock); +-- +GitLab + diff --git a/SOURCES/gnome-keyring-40.0-strncpy.patch b/SOURCES/gnome-keyring-40.0-strncpy.patch new file mode 100644 index 0000000..a0e2cf2 --- /dev/null +++ b/SOURCES/gnome-keyring-40.0-strncpy.patch @@ -0,0 +1,78 @@ +From 6c4ad4cff086ba7fd79ef406311a283c6a942baf Mon Sep 17 00:00:00 2001 +From: Matt Turner +Date: Sun, 22 May 2022 13:00:46 -0400 +Subject: [PATCH] pkcs11: Don't use strncpy when copying paths +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Using strncpy produces the following warning, which indicates that the +destination string could be left unterminated. + + CC daemon/control/gkd-control-server.lo + CCLD libgkd-control.la + CC pkcs11/rpc-layer/libgkm_rpc_layer_la-gkm-rpc-dispatch.lo +In file included from /usr/include/string.h:519, + from /usr/include/glib-2.0/glib/galloca.h:33, + from /usr/include/glib-2.0/glib.h:30, + from ./egg/egg-error.h:24, + from pkcs11/rpc-layer/gkm-rpc-dispatch.c:31: +In function ‘strncpy’, + inlined from ‘gkm_rpc_layer_startup’ at pkcs11/rpc-layer/gkm-rpc-dispatch.c:2382:2: +/usr/include/bits/string_fortified.h:95:10: warning: ‘__builtin_strncpy’ specified bound 108 equals destination size [-Wstringop-truncation] + 95 | return __builtin___strncpy_chk (__dest, __src, __len, + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 96 | __glibc_objsize (__dest)); + | ~~~~~~~~~~~~~~~~~~~~~~~~~ +--- + pkcs11/rpc-layer/gkm-rpc-dispatch.c | 4 +++- + pkcs11/rpc-layer/gkm-rpc-module.c | 4 +++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pkcs11/rpc-layer/gkm-rpc-dispatch.c b/pkcs11/rpc-layer/gkm-rpc-dispatch.c +index 72d2ced1f..dbedb355e 100644 +--- a/pkcs11/rpc-layer/gkm-rpc-dispatch.c ++++ b/pkcs11/rpc-layer/gkm-rpc-dispatch.c +@@ -31,6 +31,8 @@ + #include "egg/egg-error.h" + #include "egg/egg-unix-credentials.h" + ++#include ++ + #include + #include + #include +@@ -2379,7 +2381,7 @@ gkm_rpc_layer_startup (const char *prefix) + memset(&addr, 0, sizeof(addr)); + addr.sun_family = AF_UNIX; + unlink (pkcs11_socket_path); +- strncpy (addr.sun_path, pkcs11_socket_path, sizeof (addr.sun_path)); ++ g_strlcpy (addr.sun_path, pkcs11_socket_path, sizeof (addr.sun_path)); + if (bind (sock, (struct sockaddr*)&addr, sizeof (addr)) < 0) { + gkm_rpc_warn ("couldn't bind to pkcs11 socket: %s: %s", + pkcs11_socket_path, strerror (errno)); +diff --git a/pkcs11/rpc-layer/gkm-rpc-module.c b/pkcs11/rpc-layer/gkm-rpc-module.c +index 24457ce18..515b18a4d 100644 +--- a/pkcs11/rpc-layer/gkm-rpc-module.c ++++ b/pkcs11/rpc-layer/gkm-rpc-module.c +@@ -29,6 +29,8 @@ + + #include "egg/egg-unix-credentials.h" + ++#include ++ + #include + #include + #include +@@ -233,7 +235,7 @@ call_connect (CallState *cs) + debug (("connecting to: %s", pkcs11_socket_path)); + + addr.sun_family = AF_UNIX; +- strncpy (addr.sun_path, pkcs11_socket_path, sizeof (addr.sun_path)); ++ g_strlcpy (addr.sun_path, pkcs11_socket_path, sizeof (addr.sun_path)); + + sock = socket (AF_UNIX, SOCK_STREAM, 0); + if (sock < 0) { +-- +GitLab + diff --git a/SPECS/gnome-keyring.spec b/SPECS/gnome-keyring.spec index 9228a16..5fbbecd 100644 --- a/SPECS/gnome-keyring.spec +++ b/SPECS/gnome-keyring.spec @@ -4,12 +4,15 @@ Name: gnome-keyring Version: 40.0 -Release: 3%{?dist} +Release: 4%{?dist} Summary: Framework for managing passwords and other secrets License: GPLv2+ and LGPLv2+ URL: https://wiki.gnome.org/Projects/GnomeKeyring Source0: https://download.gnome.org/sources/%{name}/40/%{name}-%{version}.tar.xz +# https://issues.redhat.com/browse/RHEL-25560 +Patch0: gnome-keyring-40.0-ssh-agent-avoid-deadlock.patch +Patch1: gnome-keyring-40.0-strncpy.patch BuildRequires: pkgconfig(gcr-3) >= %{gcr_version} BuildRequires: pkgconfig(glib-2.0) >= %{glib2_version} @@ -105,6 +108,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/devel/*.la %changelog +* Fri Apr 12 2024 David King - 40.0-4 +- Avoid SSH agent deadlocks (RHEL-25560) + * Mon Aug 09 2021 Mohan Boddu - 40.0-3 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688