Bug 2094530

Summary:

After upgrade 35 to 36 process rastertokpsl (Kyocera cups-filter driver) segfaulted

Product:

[Fedora] Fedora

Reporter:

Amin <aminux>

Component:

cups

Assignee:

Zdenek Dohnal <zdohnal>

Status:

CLOSED ERRATA

QA Contact:

Fedora Extras Quality Assurance <extras-qa>

Severity:

high

Docs Contact:

Priority:

unspecified

Version:

rawhide

CC:

aoliva, arjun.is, codonell, dj, fweimer, law, mcermak, mcoufal, mfabian, pfrankli, rth, sipoyare, skolosov, twaugh, yann, zdohnal

Target Milestone:

---

Keywords:

Patch

Target Release:

---

Hardware:

x86_64

OS:

Linux

Whiteboard:

Fixed In Version:

cups-2.4.4-1.fc38 cups-2.4.4-1.fc37

Doc Type:

If docs needed, set a value

Doc Text:

Story Points:

---

Clone Of:

Environment:

Last Closed:

2023-06-10 01:47:09 UTC

Type:

Bug

Regression:

---

Mount Type:

---

Documentation:

---

CRM:

Verified Versions:

Category:

---

oVirt Team:

---

RHEL 7.3 requirements from Atomic Host:

Cloudforms Team:

---

Target Upstream Version:

Embargoed:

Attachments:

Description	Flags
Part or cups logs with problem at rastertokpsl on fedora 36	none
strace of rastertokpsl on fedora 36	none
Correct strace of same file on Fedora 35	none

Description Amin 2022-06-07 19:52:58 UTC

Created attachment 1887776 [details]
Part or cups logs with problem at rastertokpsl on fedora 36

Created attachment 1887776 [details]
Part or cups logs with problem at rastertokpsl on fedora 36

!!!
...
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] envp[25]=\"PRINTER_STATE_REASONS=none\"
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] envp[26]=\"CUPS_FILETYPE=document\"
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] envp[27]=\"FINAL_CONTENT_TYPE=application/vnd.cups-raster\"
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] envp[28]=\"AUTH_INFO_REQUIRED=none\"
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Start rendering...
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Set job-printer-state-message to "Start rendering...", current level=INFO
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Processing page 1...
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Set job-printer-state-message to "Processing page 1...", current level=INFO
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] /usr/lib/cups/filter/rastertokpsl-fixed: line 4: 117128 Segmentation fault      <---------------------
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] PID 117121 (/usr/lib/cups/filter/rastertokpsl-fixed) stopped with status 139 (Directory not empty)
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Hint: Try setting the LogLevel to "debug" to find out more.
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] PID 117122 (/usr/lib/cups/backend/socket) exited with no errors.
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Processing page 2...
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] Rendering completed
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] PID 117120 (/usr/lib/cups/filter/gstoraster) exited with no errors.
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] End of messages
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] printer-state=3(idle)
июн 07 14:31:48 AmCave cupsd[1372]: [Job 130] printer-state-message="Rendering completed"
...



Description of problem:

After upgrade Fedora 35 to Fedora 36 my printer Kyocera FS-1125MFP don't printing. Cause of problem - segfault of driver component rastertokpsl  (proprietary part of kyocera printer driver)

On new-installed Fedora-36 problem also present;
On Fedora-35 program don't crashed - printing work correctly.

Version-Release number of selected component (if applicable):
- Fedora 36
- Kyocera LinuxDrv 1.1203 FS-1x2xMFP

How reproducible:
I make two new installs of Fedora 36 and one upgrade FC35 to FC36 - and catch problem.
I has a two machine with Ubuntu 22 and two machines with Fedora 35 also - on this systems same driver work correctly.


Steps to Reproduce:
1. Install new clean Fedora 36 or upgrade Fedora 35 to Fedora 36.
2. Install drivers for Kyocera FS-1125MFP (rastertokpsl backend)

- Driver from printer's manufacturer:
https://www.kyoceradocumentsolutions.ru/content/download-center/ru/drivers/all/LinuxDrv_1_1203_FS_1x2xMFP_zip.download.zip
- If need, apply fixer for job-names (problem with non-latin symbols in job-name ?):
https://github.com/lurepheonix/rastertokpsl-fs-1040/blob/master/rastertokpsl-fixed

3. Try print and catch segfault in system logs.

Actual results:
rastertokpsl crashed, print fail.

Expected results:
rastertokpsl run correctly, print OK.

Additional info:

### Crash of rastertokpsl in journalctl -a at printing ###
июн 07 14:31:47 AmCave systemd-coredump[117131]: [🡕] Process 117128 (rastertokpsl) of user 4 dumped core.
                                                    
                                                    Module linux-vdso.so.1 with build-id bbfba337e4ff5782c225df596fd0560be96d05f2
                                                    Module libgpg-error.so.0 with build-id a53c231739d55cc39b97e28c36cd8b3e58a8f8f8
                                                    Metadata for module libgpg-error.so.0 owned by FDO found: {
                                                            "type" : "rpm",
                                                            "name" : "libgpg-error",
                                                            "version" : "1.45-1.fc36",
                                                            "architecture" : "x86_64",
                                                            "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                                                    }
                                                    
                                                    Module libgcc_s.so.1 with build-id 1e82df1fa0e0de4d8382b75c0fa730e0672f1a47
                                                    Module libgcrypt.so.20 with build-id ab80eae398f8814c7dc7bfc27fa3724491a47294
                                                    Stack trace of thread 117128:
                                                    #0  0x00007f6e8411eebd _cupsRasterClearError (libcups.so.2 + 0x4aebd)
                                                    #1  0x00007f6e8411ef10 _cupsRasterNew (libcups.so.2 + 0x4af10)
                                                    #2  0x0000000000406cdf n/a (rastertokpsl + 0x6cdf)
                                                    #3  0x00007f6e841a2550 __libc_start_call_main (libc.so.6 + 0x29550)
                                                    #4  0x00007f6e841a2609 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x29609)
                                                    #5  0x000000000040799d n/a (rastertokpsl + 0x799d)
                                                    ELF object binary architecture: AMD x86-64



# ldd /usr/lib/cups/filter/rastertokpsl
        linux-vdso.so.1 (0x00007ffcc71d7000)
        libcupsimage.so.2 => /lib64/libcupsimage.so.2 (0x00007fb783d80000)
        libm.so.6 => /lib64/libm.so.6 (0x00007fb783ca2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007fb783aa1000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007fb783a9c000)
        libcups.so.2 => /lib64/libcups.so.2 (0x00007fb7839fc000)
        /lib64/ld-linux-x86-64.so.2 (0x00007fb783da8000)
        libavahi-common.so.3 => /lib64/libavahi-common.so.3 (0x00007fb7839ee000)
        libavahi-client.so.3 => /lib64/libavahi-client.so.3 (0x00007fb7839d7000)
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007fb7837b8000)
        libz.so.1 => /lib64/libz.so.1 (0x00007fb78379e000)
        libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007fb783749000)
        libp11-kit.so.0 => /lib64/libp11-kit.so.0 (0x00007fb783614000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007fb7835f3000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007fb783439000)
        libtasn1.so.6 => /lib64/libtasn1.so.6 (0x00007fb783421000)
        libnettle.so.8 => /lib64/libnettle.so.8 (0x00007fb7833d5000)
        libhogweed.so.6 => /lib64/libhogweed.so.6 (0x00007fb783392000)
        libgmp.so.10 => /lib64/libgmp.so.10 (0x00007fb7832ed000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007fb783210000)
        libffi.so.8 => /lib64/libffi.so.8 (0x00007fb783202000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007fb7831d7000)
        libzstd.so.1 => /lib64/libzstd.so.1 (0x00007fb783124000)
        liblz4.so.1 => /lib64/liblz4.so.1 (0x00007fb783100000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007fb7830f6000)
        libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007fb782fb9000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007fb782f97000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007fb782f71000



# cat /usr/lib/cups/filter/rastertokpsl-fixed
#!/bin/bash
jobname=$(echo $3 | egrep -o '[[:alnum:]]' | tr -d '\n' | tail -c 20)
path=/usr/lib/cups/filter
$path/rastertokpsl "$1" "$2" "$jobname" "$4" "$5"


How to fix or make workaround of this bug ?

Comment 1 Amin 2022-06-07 19:58:22 UTC

Created attachment 1887777 [details]
strace of rastertokpsl on fedora 36

 strace /usr/lib/cups/filter/rastertokpsl 1 4 test1 1 "" ~/dead.letter

Comment 2 Amin 2022-06-07 20:06:28 UTC

Created attachment 1887780 [details]
Correct strace of same file on Fedora 35

Comment 3 Amin 2022-06-07 20:09:03 UTC

On Fedora-35 ldd 
Fedora-35 # ldd /usr/lib/cups/filter/rastertokpsl
        linux-vdso.so.1 (0x00007ffdbc8d7000)
        libcupsimage.so.2 => /lib64/libcupsimage.so.2 (0x00007ff172823000)
        libm.so.6 => /lib64/libm.so.6 (0x00007ff172747000)
        libc.so.6 => /lib64/libc.so.6 (0x00007ff17253f000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007ff17253a000)
        libcups.so.2 => /lib64/libcups.so.2 (0x00007ff17249b000)
        /lib64/ld-linux-x86-64.so.2 (0x00007ff172840000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007ff172444000)
        libavahi-common.so.3 => /lib64/libavahi-common.so.3 (0x00007ff172434000)
        libavahi-client.so.3 => /lib64/libavahi-client.so.3 (0x00007ff17241f000)
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007ff172206000)
        libz.so.1 => /lib64/libz.so.1 (0x00007ff1721ec000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007ff17210e000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007ff1720f6000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007ff1720ed000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007ff1720dc000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007ff1720d5000)
        libcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007ff171de7000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007ff171dd3000)
        libdbus-1.so.3 => /lib64/libdbus-1.so.3 (0x00007ff171d81000)
        libp11-kit.so.0 => /lib64/libp11-kit.so.0 (0x00007ff171c4d000)
        libidn2.so.0 => /lib64/libidn2.so.0 (0x00007ff171c2c000)
        libunistring.so.2 => /lib64/libunistring.so.2 (0x00007ff171aa7000)
        libtasn1.so.6 => /lib64/libtasn1.so.6 (0x00007ff171a8f000)
        libnettle.so.8 => /lib64/libnettle.so.8 (0x00007ff171a45000)
        libhogweed.so.6 => /lib64/libhogweed.so.6 (0x00007ff171a02000)
        libgmp.so.10 => /lib64/libgmp.so.10 (0x00007ff17195d000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007ff171932000)
        libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007ff171860000)
        libffi.so.6 => /lib64/libffi.so.6 (0x00007ff171855000)
        libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007ff1717b9000)
        liblzma.so.5 => /lib64/liblzma.so.5 (0x00007ff17178b000)
        libzstd.so.1 => /lib64/libzstd.so.1 (0x00007ff1716dc000)
        liblz4.so.1 => /lib64/liblz4.so.1 (0x00007ff1716b8000)
        libcap.so.2 => /lib64/libcap.so.2 (0x00007ff1716ae000)
        libgcrypt.so.20 => /lib64/libgcrypt.so.20 (0x00007ff171572000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00007ff171557000)
        libgpg-error.so.0 => /lib64/libgpg-error.so.0 (0x00007ff17152f000)

+ Add strace for same file on fedora 35 - attachment  1887780 [details]



+ sha256sum /usr/lib/cups/filter/rastertokpsl
6e41448d7430652e3939e4aeab461003e793146c7ff2e376853bc71c8dde3fb8  /usr/lib/cups/filter/rastertokpsl


+ sha1sum /usr/lib/cups/filter/rastertokpsl
2aceda00ea64863e50adca9279a97e7dd76393c4  /usr/lib/cups/filter/rastertokpsl


+ md5sum /usr/lib/cups/filter/rastertokpsl
08e1128d43b2faec443bc19d5f751417  /usr/lib/cups/filter/rastertokpsl

Comment 4 Zdenek Dohnal 2022-06-08 13:04:02 UTC

Hi Amin,

thank you for reporting the issue and investigation!

The segfault happens because _cupsGlobals() gets an invalid pointer from pthread library, but I'm not sure why - I will try to investigate further.

I consulted the issue with my senior colleague and he brought me on track that there can be conflict with other library using pthread - and it seems to be triggered by the following changes in CUPS:

From 038ceabd05ead6c77d5e20e0972eb2872a82c5c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Correa=20G=C3=B3mez?= <ablocorrea>
Date: Sun, 17 Oct 2021 00:09:16 +0200
Subject: [PATCH] Use thread-safe getpwnam_r and getpwuid_r in multi-threaded
 code

getpwnam and getpwuid are thread-unsafe and potentially dangerous
in multi-threaded code. Substitue all their occurrences in
multi-threaded code with getpwnam_r and getpwuid_r, which are
thread-safe.
---
 cups/auth.c         |  6 ++++--
 cups/cups-private.h |  5 +++++
 cups/globals.c      |  8 +++++---
 cups/usersys.c      | 21 +++++++++++----------
 4 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/cups/auth.c b/cups/auth.c
index 177eec8ce..dd6bd63f0 100644
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -1087,12 +1087,14 @@ cups_local_auth(http_t *http)		/* I - HTTP connection to server */
     * Verify that the current cupsUser() matches the current UID...
     */
 
-    struct passwd	*pwd;		/* Password information */
+    struct passwd	pwd;		/* Password information */
+    struct passwd	*result;	/* Auxiliary pointer */
     const char		*username;	/* Current username */
 
     username = cupsUser();
 
-    if ((pwd = getpwnam(username)) != NULL && pwd->pw_uid == getuid())
+    getpwnam_r(username, &pwd, cg->pw_buf, PW_BUF_SIZE, &result);
+    if (result && pwd.pw_uid == getuid())
     {
       httpSetAuthString(http, "PeerCred", username);
 
diff --git a/cups/cups-private.h b/cups/cups-private.h
index cf2559d95..06ad2c3bc 100644
--- a/cups/cups-private.h
+++ b/cups/cups-private.h
@@ -85,6 +85,11 @@ typedef struct _cups_globals_s		/**** CUPS global state data ****/
 			*cups_statedir,	/* CUPS_STATEDIR environment var */
 			*home,		/* HOME environment var */
 			*localedir;	/* LOCALDIR environment var */
+#ifndef _WIN32
+#define PW_BUF_SIZE 16384		/* As per glibc manual page */
+  char			pw_buf[PW_BUF_SIZE];
+					/* Big buffer for struct passwd buffers */
+#endif
 
   /* adminutil.c */
   time_t		cupsd_update;	/* Last time we got or set cupsd.conf */
diff --git a/cups/globals.c b/cups/globals.c
index a25902562..3105f13ba 100644
--- a/cups/globals.c
+++ b/cups/globals.c
@@ -325,10 +325,12 @@ cups_globals_alloc(void)
 
   if (!cg->home)
   {
-    struct passwd	*pw;		/* User info */
+    struct passwd	pw;		/* User info */
+    struct passwd	*result;	/* Auxiliary pointer */
 
-    if ((pw = getpwuid(getuid())) != NULL)
-      cg->home = _cupsStrAlloc(pw->pw_dir);
+    getpwuid_r(getuid(), &pw, cg->pw_buf, PW_BUF_SIZE, &result);
+    if (result)
+      cg->home = _cupsStrAlloc(pw.pw_dir);
   }
 #endif /* _WIN32 */
 
diff --git a/cups/usersys.c b/cups/usersys.c
index a9386e7f1..5e19c0ca6 100644
--- a/cups/usersys.c
+++ b/cups/usersys.c
@@ -1256,9 +1256,10 @@ cups_finalize_client_conf(
     * Try the USER environment variable as the default username...
     */
 
-    const char *envuser = getenv("USER");
-					/* Default username */
-    struct passwd *pw = NULL;		/* Account information */
+    const char *envuser = getenv("USER");	/* Default username */
+    struct passwd pw;				/* Account information */
+    struct passwd *result = NULL;		/* Auxiliary pointer */
+    _cups_globals_t *cg = _cupsGlobals();	/* Pointer to library globals */
 
     if (envuser)
     {
@@ -1267,16 +1268,16 @@ cups_finalize_client_conf(
       * override things...  This makes sure that printing after doing su
       * or sudo records the correct username.
       */
-
-      if ((pw = getpwnam(envuser)) != NULL && pw->pw_uid != getuid())
-	pw = NULL;
+      getpwnam_r(envuser, &pw, cg->pw_buf, PW_BUF_SIZE, &result);
+      if (result && pw.pw_uid != getuid())
+        result = NULL;
     }
 
-    if (!pw)
-      pw = getpwuid(getuid());
+    if (!result)
+      getpwuid_r(getuid(), &pw, cg->pw_buf, PW_BUF_SIZE, &result);
 
-    if (pw)
-      strlcpy(cc->user, pw->pw_name, sizeof(cc->user));
+    if (result)
+      strlcpy(cc->user, pw.pw_name, sizeof(cc->user));
     else
 #endif /* _WIN32 */
     {


After I revert this change, your filter does not crash.

Comment 5 Amin 2022-06-08 15:55:17 UTC

Wow.

That actions can help to solve this issue at near time ?

- Reinstall cups and cups-filters from rawhide ?
- Build cups manually with revert this changes /* more difficult ? */ ?
- Simply wait until fix will applied ? /* Can require more time ? */

I can make additional tests if need.

Comment 6 Zdenek Dohnal 2022-06-13 05:24:41 UTC

I've tried a different allocation methods for pw_buf in new functions, but all don't work.

Glibc maintainers, would you mind reviewing the patch at https://bugzilla.redhat.com/show_bug.cgi?id=2094530#c4 whether there is a mistake? Do you have an idea why switching to the thread safe functions in the library can start causing segfaults of a binary using it?

Thank you in advance for any advice!

Comment 7 Zdenek Dohnal 2022-06-13 05:26:37 UTC

I'm sorry for assigning this to glibc, but I don't know about a better way how to set NEEDINFO for a correct person who currently works on the component.

Please reassign back once you answer, thank you!

Comment 8 Florian Weimer 2022-06-13 05:53:14 UTC

The new code seems to assume that even if getpwnam_r fails, result is set to NULL:

+    struct passwd	pwd;		/* Password information */
+    struct passwd	*result;	/* Auxiliary pointer */
     const char		*username;	/* Current username */
 
     username = cupsUser();
 
+    getpwnam_r(username, &pwd, cg->pw_buf, PW_BUF_SIZE, &result);
+    if (result && pwd.pw_uid == getuid())

I'm not sure if this is the case.

The usual ERANGE retry loop is missing as well.

Comment 9 Yann Droneaud 2022-06-13 17:36:52 UTC

(In reply to Amin from comment #1)
> Created attachment 1887777 [details]
> strace of rastertokpsl on fedora 36
> 
>  strace /usr/lib/cups/filter/rastertokpsl 1 4 test1 1 "" ~/dead.letter

Using valgrind might help pinpoint the origin of the issue:

 valgrind --track-origins=yes /usr/lib/cups/filter/rastertokpsl 1 4 test1 1 "" ~/dead.letter

Comment 10 Florian Weimer 2022-06-14 13:38:19 UTC

Moving back to cups based on comment 8. Please let me know if you have further questions. Thanks.

Comment 11 Amin 2022-08-05 14:43:46 UTC

Nowtime rastertokpsl crashed too on Fedora 36 with fiull updates.

Valgring output :

# valgrind --track-origins=yes /usr/lib/cups/filter/rastertokpsl 1 4 test1 1 "" ~/dead.letter
==237396== Memcheck, a memory error detector
==237396== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==237396== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==237396== Command: /usr/lib/cups/filter/rastertokpsl 1 4 test1 1  /root/dead.letter
==237396== 

==237396== Invalid read of size 8
==237396==    at 0x4BACEBD: _cupsRasterClearError (raster-error.c:104)
==237396==    by 0x4BACF0F: _cupsRasterNew (raster-stream.c:449)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5758 is 13,096 bytes inside an unallocated block of size 3,976,112 in arena "client"
==237396== 
==237396== Invalid write of size 8
==237396==    at 0x4BACEC4: _cupsRasterClearError (raster-error.c:104)
==237396==    by 0x4BACF0F: _cupsRasterNew (raster-stream.c:449)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5760 is 13,104 bytes inside an unallocated block of size 3,976,112 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC576: _cupsRasterAddError (raster-error.c:53)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5768 is 11,128 bytes inside an unallocated block of size 3,974,128 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC57D: _cupsRasterAddError (raster-error.c:53)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5760 is 11,120 bytes inside an unallocated block of size 3,974,128 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC58F: _cupsRasterAddError (raster-error.c:63)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5758 is 11,112 bytes inside an unallocated block of size 3,974,128 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC5B7: _cupsRasterAddError (raster-error.c:78)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5760 is 9,952 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Invalid write of size 8
==237396==    at 0x4BAC5C1: _cupsRasterAddError (raster-error.c:77)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5768 is 9,960 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC5CB: _cupsRasterAddError (raster-error.c:78)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5758 is 9,944 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Invalid write of size 8
==237396==    at 0x4BAC5D2: _cupsRasterAddError (raster-error.c:79)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5758 is 9,944 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Invalid write of size 8
==237396==    at 0x4BAC5D9: _cupsRasterAddError (raster-error.c:78)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5760 is 9,952 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Invalid read of size 8
==237396==    at 0x4BAC657: _cupsRasterAddError (raster-error.c:87)
==237396==    by 0x4BAD1B5: _cupsRasterNew (raster-stream.c:488)
==237396==    by 0x406CDE: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Address 0x56d5760 is 9,952 bytes inside an unallocated block of size 3,972,960 in arena "client"
==237396== 
==237396== Conditional jump or move depends on uninitialised value(s)
==237396==    at 0x484BC63: __strncpy_sse2_unaligned (vg_replace_strmem.c:603)
==237396==    by 0x409856: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x4071E7: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396==    by 0x498454F: (below main) (libc_start_call_main.h:58)
==237396==  Uninitialised value was created by a stack allocation
==237396==    at 0x409800: ??? (in /usr/lib/cups/filter/rastertokpsl)
==237396== 
@@@@010042022080517290D@@@@test10C@@@@0S@@@@0G@@@@XX 0P@@@@0F@@@@0E@@@@0T@@@@INFO: Ready to print.
==237396== 
==237396== HEAP SUMMARY:
==237396==     in use at exit: 7,482 bytes in 2 blocks
==237396==   total heap usage: 1,407 allocs, 1,405 frees, 132,896 bytes allocated
==237396== 
==237396== LEAK SUMMARY:
==237396==    definitely lost: 1,090 bytes in 1 blocks
==237396==    indirectly lost: 0 bytes in 0 blocks
==237396==      possibly lost: 0 bytes in 0 blocks
==237396==    still reachable: 6,392 bytes in 1 blocks
==237396==         suppressed: 0 bytes in 0 blocks
==237396== Rerun with --leak-check=full to see details of leaked memory
==237396== 
==237396== For lists of detected and suppressed errors, rerun with: -s
==237396== ERROR SUMMARY: 13 errors from 12 contexts (suppressed: 0 from 0)

P.S. Nowtime i see only one repeatable and enough easy way to fix this - reinstall Fedora 35 back.

Has anyone another ideas how to bypass this problem ?


P.S.S. kyocera binary driver such old (2012 year) and can't work with print-jobs with spaces|new-string in job-name.
For reliable printing modified PPD must be used, which run original driver through this wrapper-script:


# cat /usr/lib/cups/filter/rastertokpsl-fixed 
#!/bin/bash

jobname=$(echo $3 | egrep -o '[[:alnum:]]' | tr -d '\n' | tail -c 20)
path=/usr/lib/cups/filter
$path/rastertokpsl "$1" "$2" "$jobname" "$4" "$5"


Does can help statically-files / LD-preload or another magic ?   // I don't want make rollback to Fedora 35, really.

Thank you all who try help solving this issue.

Comment 12 Amin 2022-08-05 14:46:44 UTC

I create simplest TXT-file with string '123'  (only 3 bytes) - even on this file driver crashed

# echo '123' > ~/123.txt 
# /usr/lib/cups/filter/rastertokpsl 1 4 test1 1 "" ~/123.txt 
Segmentation fault (core dumped)

Comment 13 Ben Cotton 2023-04-25 18:24:38 UTC

This message is a reminder that Fedora Linux 36 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 36 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 14 Zdenek Dohnal 2023-05-19 07:52:28 UTC

Ok, so we were able to get to the bottom of this issue upstream - it happens because rastertokpsl is built with partial copy of CUPS source (cups-private.h especially), but it tries to use system libcups on the real system. This way even private API/ABI is exposed and if the sequence of struct members changes, the binary using the ABI breaks.

The fix is to move the new array in structure to the end as it is done in https://github.com/OpenPrinting/cups/issues/619 (even though it shouldn't be needed - private API/ABI is not to be used...), the fix will be in the newest CUPS version (will be released in month at most).

Comment 15 Fedora Update System 2023-06-07 12:58:36 UTC

FEDORA-2023-fa7bac0197 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa7bac0197

Comment 16 Fedora Update System 2023-06-07 13:14:55 UTC

FEDORA-2023-d212cc5f13 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-d212cc5f13

Comment 17 Fedora Update System 2023-06-08 01:44:22 UTC

FEDORA-2023-fa7bac0197 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-fa7bac0197`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-fa7bac0197

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 18 Fedora Update System 2023-06-08 02:22:04 UTC

FEDORA-2023-d212cc5f13 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-d212cc5f13`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-d212cc5f13

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 19 Fedora Update System 2023-06-10 01:47:09 UTC

FEDORA-2023-fa7bac0197 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 20 Fedora Update System 2023-06-11 01:59:00 UTC

FEDORA-2023-d212cc5f13 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.