Bug 1021653 - xsane crashing with new sane-backends
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: sane-backends
Version: 19
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Assigned To: Nils Philippsen
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2013-10-21 13:38 EDT by Sammy
Modified: 2013-12-10 01:08 EST
Fixed In Version: sane-backends-1.0.24-7.fc18
Doc Type: Bug Fix
Last Closed: 2013-11-10 02:12:58 EST
Type: Bug
Attachments
gdb-run (7.47 KB, text/plain), 2013-10-28 11:48 EDT, Sammy
gdb-bt (2.29 KB, text/plain), 2013-10-28 11:49 EDT, Sammy
gdb-list (374 bytes, text/plain), 2013-10-28 11:49 EDT, Sammy

Description Sammy 2013-10-21 13:38:48 EDT
xsane crashing after update of sane-backends to 1.0.24-2. Going back to
sane-backends-1.0.23-18 prevents the crash.

$ xsane
*** buffer overflow detected ***: xsane terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x39d430d6b7]
/lib64/libc.so.6[0x39d430b880]
/usr/lib64/sane/libsane-pixma.so.1(+0x1d28e)[0x7f7289a0328e]
/usr/lib64/sane/libsane-pixma.so.1(sanei_bjnp_find_devices+0x6b2)[0x7f7289a03a22]
/usr/lib64/sane/libsane-pixma.so.1(sanei_pixma_collect_devices+0x24d)[0x7f72899f669d]
/usr/lib64/sane/libsane-pixma.so.1(sane_pixma_get_devices+0x2e)[0x7f72899f40ae]
/lib64/libsane.so.1(sane_dll_get_devices+0xb7)[0x7f72998d4247]
xsane[0x46ecda]
xsane[0x4739d3]
xsane[0x409565]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x39d4221b75]
xsane[0x40961d]
Comment 1 Sammy 2013-10-21 17:52:17 EDT
Just another data point: The crash is not happening on my IBM Thinkpad with
intel HD graphics. The above desktop uses Nvidia graphics and drivers from
rpmfusion.
Comment 2 Sammy 2013-10-23 09:20:41 EDT
scanimage is also crashing on start. The problem seems to be with sane-backends
1.0.24. Going back to last 1.0.23 has no crash.
Comment 3 Sammy 2013-10-24 09:04:40 EDT
Here is the debug info from valgrind:

==1757== Command: scanimage
==1757== 
**1757** *** strcpy_chk: buffer overflow detected ***: program terminated
==1757==    at 0x4A08C4C: ??? (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1757==    by 0x4A0BCC3: __strcpy_chk (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==1757==    by 0xB25728D: add_scanner (string3.h:104)
==1757==    by 0xB257A21: sanei_bjnp_find_devices (pixma_bjnp.c:1934)
==1757==    by 0xB24A69C: sanei_pixma_collect_devices (pixma_io_sanei.c:377)
==1757==    by 0xB2480AD: sane_pixma_get_devices (pixma.c:231)
==1757==    by 0x4C77246: sane_dll_get_devices (dll.c:1059)
==1757==    by 0x10AC3A: main (scanimage.c:1985)
Comment 4 Sammy 2013-10-24 10:15:18 EDT
From above the crash is happening when a Canon scanner is found:

device `pixma:MX850_DHCP-129-59-117' is a CANON Canon PIXMA MX850 multi-function peripheral

I do not have a Canon scanner and keep getting this in addition to my local
hp scanner even if I comment the "net" in dll.conf.
Comment 5 Sammy 2013-10-27 17:57:22 EDT
Commenting out the "pixma" in /etc/sane.d/dll.conf stops the crash.
Anyone looking into this?
Comment 6 Nils Philippsen 2013-10-28 06:54:00 EDT
Please check with 1.0.24-3 as -2 has a broken hardware database which may contribute to recognizing your hardware wrongly.
Comment 7 Sammy 2013-10-28 08:38:48 EDT
I am using 1.0.24-3 (I even tried git with the same problem).

The CANON scanner is not mine. I have a HP Deskjet 3050 which works fine.
I am not sure where it is finding this CANON scanner (it always did that
with the 1.0.23 versions as well). It must be on the net but commenting
net in dll.conf still finds it. I am not using saned. I think Fedora 19
uses conn something to find network scanners, this may be where the problem
lies.
Comment 8 Nils Philippsen 2013-10-28 10:48:33 EDT
The net backend is only used for talking to a remote saned instance, which exports locally configured scanners to the network. Other network scanners are handled by their own backends. Can you generate a complete traceback? I.e. "debuginfo-install sane-backends", then run scanimage in gdb.
Comment 9 Sammy 2013-10-28 11:48:22 EDT
Created attachment 816845 [details]
gdb-run
Comment 10 Sammy 2013-10-28 11:49:09 EDT
Created attachment 816846 [details]
gdb-bt
Comment 11 Sammy 2013-10-28 11:49:41 EDT
Created attachment 816847 [details]
gdb-list
Comment 12 Sammy 2013-10-28 11:51:52 EDT
All attached....the DHCP ...197 is the CANON coming from somewhere.
Comment 13 Nils Philippsen 2013-10-29 09:21:39 EDT
Ahh thanks, with the backtrace I could find the root of the problem which is in this code:

--- 8< --- backend/pixma_bjnp.c:362 --- determine_scanner_serial () ---
  while (strlen (copy) >= SHORT_HOSTNAME_MAX)
    {
      /* if this is a FQDN, not an ip-address, remove domain part of the name */
      if ((dot = strchr (copy, '.')) != NULL)
        {
    *dot = '\0';
        }
      else
        strcpy(copy, mac_address);
    break;
    }
--- >8 ----------------------------------------------------------------

The break being outside of the else block effectively made an if clause out of the while loop. This caused long hostnames to not be shortened sufficiently which subsequently made strcpy() write beyond buffer boundaries.

I've committed a fix to upstream in commit d35d6326cb00fcbb19b41599bdff7faf5d79225e and will roll an update containing it shortly.
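
The effect of the misplaced break described in Comment 13, as an added example that is not part of the bug report or the sane-backends source: the quoted loop beside one way to restructure it so the length test is repeated. The SHORT_HOSTNAME_MAX value of 16, the sample MAC string, the domain suffix and the function names are assumptions; the host name prefix comes from the device name in Comment 4.

```c
#include <stdio.h>
#include <string.h>

#define SHORT_HOSTNAME_MAX 16        /* assumed value, not given on the page */
#define SAMPLE_MAC  "001122334455"   /* constructed fallback identifier */
#define SAMPLE_HOST "MX850_DHCP-129-59-117.example.net"  /* constructed */

/* Loop as quoted in Comment 13: the unconditional break ends it after one pass. */
static size_t shorten_as_quoted(char *copy, const char *mac_address) {
    char *dot;
    while (strlen(copy) >= SHORT_HOSTNAME_MAX) {
        if ((dot = strchr(copy, '.')) != NULL)
            *dot = '\0';
        else
            strcpy(copy, mac_address);
        break;
    }
    return strlen(copy);
}

/* break moved into the else branch, so the length is re-tested after the cut. */
static size_t shorten_fixed(char *copy, size_t copy_size, const char *mac_address) {
    char *dot;
    while (strlen(copy) >= SHORT_HOSTNAME_MAX) {
        if ((dot = strchr(copy, '.')) != NULL) {
            *dot = '\0';
        } else {
            snprintf(copy, copy_size, "%s", mac_address);
            break;
        }
    }
    if (strlen(copy) >= SHORT_HOSTNAME_MAX)   /* over-long fallback string */
        copy[SHORT_HOSTNAME_MAX - 1] = '\0';
    return strlen(copy);
}

/* Runs one variant on a host name and returns the length left in out. */
static size_t demo(int fixed, const char *host, char *out, size_t out_size) {
    snprintf(out, out_size, "%s", host);
    return fixed ? shorten_fixed(out, out_size, SAMPLE_MAC)
                 : shorten_as_quoted(out, SAMPLE_MAC);
}

int main(void) {
    char a[256], b[256];
    size_t q = demo(0, SAMPLE_HOST, a, sizeof a), f = demo(1, SAMPLE_HOST, b, sizeof b);
    printf("quoted: %s (%zu)\nfixed:  %s (%zu)\n", a, q, b, f);
    return 0;
}
```

With the quoted loop the name is still 21 characters long after the domain is removed, which is the input a later fixed-size strcpy() cannot hold; the restructured loop falls back to the 12-character identifier.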
Comment 14 Nils Philippsen 2013-10-29 09:30:09 EDT
Mind that you might need to kick udevd with "udevadm control --reload" (or restarting the system) for udevd to pick up the hwdb files correctly. I've seen the fix for udevd in dist-git, it should eventually be available with systemd 204-18 or thereabouts.
Comment 15 Fedora Update System 2013-10-29 09:46:14 EDT
sane-backends-1.0.24-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-4.fc19
Comment 16 Fedora Update System 2013-10-29 09:46:37 EDT
sane-backends-1.0.24-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-4.fc20
Comment 17 Fedora Update System 2013-10-29 09:46:53 EDT
sane-backends-1.0.24-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-4.fc18
Comment 18 Fedora Update System 2013-10-29 14:05:50 EDT
Package sane-backends-1.0.24-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sane-backends-1.0.24-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20221/sane-backends-1.0.24-4.fc20
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2013-11-06 22:37:25 EST
sane-backends-1.0.24-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 20 Fedora Update System 2013-11-07 07:26:23 EST
sane-backends-1.0.24-5.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-5.fc19
Comment 21 Fedora Update System 2013-11-07 07:26:41 EST
sane-backends-1.0.24-5.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-5.fc20
Comment 22 Fedora Update System 2013-11-07 07:27:02 EST
sane-backends-1.0.24-5.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-5.fc18
Comment 23 Fedora Update System 2013-11-07 23:38:40 EST
Package sane-backends-1.0.24-6.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing sane-backends-1.0.24-6.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-20919/sane-backends-1.0.24-6.fc18
then log in and leave karma (feedback).
Comment 24 Fedora Update System 2013-11-10 02:12:58 EST
sane-backends-1.0.24-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 Fedora Update System 2013-11-20 17:08:11 EST
sane-backends-1.0.24-7.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-7.fc18
Comment 26 Fedora Update System 2013-11-20 17:08:44 EST
sane-backends-1.0.24-7.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-7.fc19
Comment 27 Fedora Update System 2013-11-20 17:09:11 EST
sane-backends-1.0.24-7.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/sane-backends-1.0.24-7.fc20
Comment 28 Fedora Update System 2013-12-10 01:08:52 EST
sane-backends-1.0.24-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
