Bug 2225209

Summary: scanadf crashes when showing help for specific device
Product: [Fedora] Fedora
Reporter: Raman Gupta <rocketraman>
Component: sane-frontends
Assignee: Zdenek Dohnal <zdohnal>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 38
CC: nphilipp, rocketraman, zdohnal
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
URL: https://retrace.fedoraproject.org/faf/reports/bthash/aba34c28f84b975fbaa4e4178110e830b81456b
Whiteboard: abrt_hash:7e79cd99969cf89b99e06df21e6ae966e81fa2a7;VARIANT_ID=;
Fixed In Version: sane-frontends-1.0.14-48.fc37
Doc Type: If docs needed, set a value
Attachments:
Description | Flags
File: backtrace | none
File: proc_pid_status | none
File: open_fds | none
File: cpuinfo | none
File: exploitable | none
File: dso_list | none
File: limits | none
File: mountinfo | none
File: os_info | none
File: core_backtrace | none
File: maps | none

Description Raman Gupta 2023-07-24 14:53:57 UTC
Description of problem:
Running `scanadf --help -d fujitsu`.

Happens every time.

Similar issue encountered in the past: https://bugzilla.redhat.com/show_bug.cgi?id=1837961.

Version-Release number of selected component:
sane-frontends-1.0.14-45.fc38

Additional info:
reporter:       libreport-2.17.11
kernel:         6.3.11-200.fc38.x86_64
uid:            1000
journald_cursor: s=d899f6fe8f904e98aa74a0dc5772525c;i=3e391c8;b=975b92ba20a2459cb7abf597777f828a;m=106622a8cd7;t=6013ca5b182ef;x=9ff3f9c5d4f6773b
backtrace_rating: 4
crash_function: sane_dll_close
reason:         scanadf killed by SIGSEGV
rootdir:        /
runlevel:       N 5
executable:     /usr/bin/scanadf
cgroup:         0::/user.slice/user-1000.slice/user/app.slice/app-yakuake
cmdline:        scanadf --help -d fujitsu
type:           CCpp
package:        sane-frontends-1.0.14-45.fc38

Truncated backtrace:
Thread no. 1 (3 frames)
 #0 sane_dll_close at /usr/src/debug/sane-backends-1.2.1-1.fc38.x86_64/backend/dll.c:1316
 #1 sane_close at /usr/src/debug/sane-backends-1.2.1-1.fc38.x86_64/backend/dll-s.c:82
 #2 scanadf_exit at /usr/src/debug/sane-frontends-1.0.14-45.fc38.x86_64/src/scanadf.c:664

Comment 1 Raman Gupta 2023-07-24 14:54:00 UTC
Created attachment 1977308 [details]
File: backtrace

Comment 2 Raman Gupta 2023-07-24 14:54:01 UTC
Created attachment 1977309 [details]
File: proc_pid_status

Comment 3 Raman Gupta 2023-07-24 14:54:03 UTC
Created attachment 1977310 [details]
File: open_fds

Comment 4 Raman Gupta 2023-07-24 14:54:04 UTC
Created attachment 1977311 [details]
File: cpuinfo

Comment 5 Raman Gupta 2023-07-24 14:54:05 UTC
Created attachment 1977312 [details]
File: exploitable

Comment 6 Raman Gupta 2023-07-24 14:54:06 UTC
Created attachment 1977313 [details]
File: dso_list

Comment 7 Raman Gupta 2023-07-24 14:54:08 UTC
Created attachment 1977314 [details]
File: limits

Comment 8 Raman Gupta 2023-07-24 14:54:09 UTC
Created attachment 1977315 [details]
File: mountinfo

Comment 9 Raman Gupta 2023-07-24 14:54:11 UTC
Created attachment 1977316 [details]
File: os_info

Comment 10 Raman Gupta 2023-07-24 14:54:12 UTC
Created attachment 1977317 [details]
File: core_backtrace

Comment 11 Raman Gupta 2023-07-24 14:54:14 UTC
Created attachment 1977318 [details]
File: maps

Comment 12 Zdenek Dohnal 2023-07-26 08:29:50 UTC
Hi Raman,

thank you for reporting the issue!

scanadf closes the device handle before scanadf_exit(), but does not set it to NULL, which causes a use-after-free leading to the segfault.

I've created a patch and sent it upstream as https://gitlab.com/sane-project/frontends/-/merge_requests/12 .
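
The close-without-NULL pattern described in comment 12, as an added example that is not part of the bug report, the upstream patch, or the scanadf source. All names (`mock_open`, `mock_close`, `frontend_exit`, `run_help`) are hypothetical, and the handle lives in static storage so the stale close can be counted safely instead of touching freed memory.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-in for a backend handle; this is not the SANE API. */
struct mock_dev { int live; };

static struct mock_dev pool[1];  /* static storage: a stale pointer stays safe to inspect */
static int stale_closes;         /* closes of an already-closed handle */

static struct mock_dev *mock_open(void)
{
    pool[0].live = 1;
    return &pool[0];
}

static void mock_close(struct mock_dev *h)
{
    if (!h->live) {              /* a real backend would dereference freed memory here */
        stale_closes++;
        return;
    }
    h->live = 0;
}

static struct mock_dev *device;  /* front-end global that the exit path inspects */

/* Exit path: closes the device whenever the global is non-NULL. */
static void frontend_exit(void)
{
    if (device) {
        mock_close(device);
        device = NULL;
    }
}

/* Close the handle before the exit path runs, with or without clearing it. */
static int run_help(int null_after_close)
{
    stale_closes = 0;
    device = mock_open();
    mock_close(device);          /* handle closed before the exit path */
    if (null_after_close)
        device = NULL;           /* drop the dangling pointer */
    frontend_exit();
    return stale_closes;
}

int main(void)
{
    printf("pointer left dangling: %d stale close(s)\n", run_help(0));
    printf("pointer set to NULL:   %d stale close(s)\n", run_help(1));
    return 0;
}
```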

Comment 13 Fedora Update System 2023-07-26 09:08:14 UTC
FEDORA-2023-0c94505bc7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0c94505bc7

Comment 14 Fedora Update System 2023-07-26 09:26:09 UTC
FEDORA-2023-97ce1b58b2 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-97ce1b58b2

Comment 15 Fedora Update System 2023-07-27 01:56:48 UTC
FEDORA-2023-97ce1b58b2 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-97ce1b58b2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-97ce1b58b2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 16 Fedora Update System 2023-07-27 02:55:48 UTC
FEDORA-2023-0c94505bc7 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0c94505bc7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0c94505bc7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Fedora Update System 2023-08-04 01:28:34 UTC
FEDORA-2023-0c94505bc7 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 18 Fedora Update System 2023-08-04 01:28:35 UTC
FEDORA-2023-97ce1b58b2 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make a note of it in this bug report.