Hello
On Tue, 3 Jul 2018 20:57:46 +0200 "W. Martin Borgert" <deba...@debian.org>
wrote:
> Any more ideas? The workaround with the Jessie chroot is OK, but.. ;~)
A way to get more information would be to install the debug information packages
and let simple-scan run by gdb [1].
[1] https://wiki.debian.org/HowToGetABacktrace
I suggest these steps:
- Add "deb http://debug.mirrors.debian.org/debian-debug/ testing-debug main" to
your sources.list
- apt update
- apt install gdb simple-scan-dbgsym libsane-dbgsym
As regular user then:
- gdb -q --args simple-scan
- cont
When the stack smashing happens:
- bt
- detach
- q
Also I tried to instect a simple-scan process without having the actual scanner.
I gues the problem is inside function Mustek_DMAWrite:
0x00007fffb6db7f40: Mustek_DMAWrite: 354 } //
0x00007fffb6db7f3b <Mustek_DMAWrite+411>: callq 0x7fffb6dabf70
<__stack_chk_fail@plt>
0x00007fffb6db8bf5: Asic_Open: 2444: status =
Mustek_DMAWrite (chip, 64, (SANE_Byte *) (temps));
0x00007fffb6dbcfe0: MustScanner_PowerControl: 298: if (STATUS_GOOD !=
Asic_Open (&g_chip, g_pDeviceFile))
0x00007fffb6dbfeba: sane_mustek_usb2_open: 565: return
MustScanner_PowerControl (isLampOn, isTALampOn);
Unfortunately the "stack smashing" is just detected
when leaving the function, so the actual problem was somewhere
between entering Mustek_DMAWrite and leaving.
So if one does not fear gdb and wants to debug that following
sequence could lead to the exact location where the stack
smashing detection bytes get overwritten:
(gdb) print Mustek_DMAWrite
$6 = {STATUS (unsigned int, SANE_Byte *, PAsic)} 0x7fffb6db7da0
<Mustek_DMAWrite>
# use function address from above
(gdb) b *(0x7fffb6db7da0+36)
Breakpoint 5 at 0x7fffb6db7dc4: file mustek_usb2_asic.c, line 304.
(gdb) cont
(gdb) print/x $rsp+0x18
$4 = 0x7fffffffe3c8
# use memory location from above
(gdb) watch *0x7fffffffe3c8
Hardware watchpoint 2: *0x7fffffffe3c8
(gdb) cont
Continuing.
# possibly the watchpoint triggers
Hardware watchpoint 2: *0x7fffffffe3c8
Old value = 1953463552
New value = 1953463807
...
# that should show the problematic stack
(gdb) bt
(gdb) disassemble Mustek_DMAWrite
Dump of assembler code for function Mustek_DMAWrite:
...
0x00007fffb6db7db6 <+22>: mov %fs:0x28,%rax #
"magic" value loaded to register
0x00007fffb6db7dbf <+31>: mov %rax,0x18(%rsp) #
and stored from register to some memory after local variables
0x00007fffb6db7dc4 <+36>: xor %eax,%eax
...
#
do some useful work
...
0x00007fffb6db7e80 <+224>: xor %fs:0x28,%rcx #
compare "magic" to the memory we stored above
0x00007fffb6db7e89 <+233>: mov %r15d,%eax
0x00007fffb6db7e8c <+236>: jne 0x7fffb6db7f3b <Mustek_DMAWrite+411> #
if it changed we jump to +411 -> stack smashing detected
0x00007fffb6db7e92 <+242>: add $0x28,%rsp #
or if unchanged all is ok -> safe to continue
0x00007fffb6db7e96 <+246>: pop %rbx
0x00007fffb6db7e97 <+247>: pop %rbp
0x00007fffb6db7e98 <+248>: pop %r12
0x00007fffb6db7e9a <+250>: pop %r13
0x00007fffb6db7e9c <+252>: pop %r14
0x00007fffb6db7e9e <+254>: pop %r15
0x00007fffb6db7ea0 <+256>: retq
...
0x00007fffb6db7f3b <+411>: callq 0x7fffb6dabf70 <__stack_chk_fail@plt>
End of assembler dump.
Kind regards,
Bernhard
7f38806a0000-7f38806c7000 r-xp 00000000 fd:01 13110586
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1.0.25
*** stack smashing detected ***: simple-scan terminated
======= Backtrace: =========
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1(+0xef40)[0x7f38806aef40]
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1(+0xfbf5)[0x7f38806afbf5]
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1(+0x13fe0)[0x7f38806b3fe0]
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1(sane_mustek_usb2_open+0x35a)[0x7f38806b6eba]
0x7f38806b6eba == sane_mustek_usb2_open+0x35a -> sane_mustek_usb2_open ==
0x7F38806B6B60 -> offset 0x16B60
#####################
#####################
#####################
#####################
0x00007fffb6db7f40: Mustek_DMAWrite: 354 } //
0x00007fffb6db7f3b <Mustek_DMAWrite+411>: callq 0x7fffb6dabf70
<__stack_chk_fail@plt>
0x00007fffb6db8bf5: Asic_Open: 2444: status =
Mustek_DMAWrite (chip, 64, (SANE_Byte *) (temps));
0x00007fffb6dbcfe0: MustScanner_PowerControl: 298: if (STATUS_GOOD !=
Asic_Open (&g_chip, g_pDeviceFile))
0x00007fffb6dbfeba: sane_mustek_usb2_open: 565: return
MustScanner_PowerControl (isLampOn, isTALampOn);
#####################
#####################
#####################
#####################
nano /etc/apt/sources.list.d/buster.list
deb http://debug.mirrors.debian.org/debian-debug/ testing-debug main
apt install xserver-xorg sddm openbox dpkg-dev gdb valgrind simple-scan
simple-scan-dbgsym libsane-dbg
apt source sane-backends
export DISPLAY=:0
gdb -q --args simple-scan
Reading symbols from simple-scan...Reading symbols from
/usr/lib/debug/.build-id/47/ff0748a2b23050c1e376e9721f3638221e9b68.debug...done.
done.
(gdb) set pagination off
(gdb) directory /home/benutzer/sane-backends/sane-backends-1.0.25/backend
Source directories searched:
/home/benutzer/sane-backends/sane-backends-1.0.25/backend:$cdir:$cwd
(gdb) run
(gdb) info share mustek_usb2
From To Syms Read Shared Object Library
0x00007fffb6dac210 0x00007fffb6dc4761 Yes
/usr/lib/x86_64-linux-gnu/sane/libsane-mustek_usb2.so.1
---------
(gdb) print sane_mustek_usb2_open
$1 = {SANE_Status (SANE_String_Const, SANE_Handle *)} 0x7fffb6dbfb60
<sane_mustek_usb2_open>
(gdb) disassemble sane_mustek_usb2_open
...
0x00007fffb6dbfeb5 <+853>: callq 0x7fffb6dbcfb0 <MustScanner_PowerControl>
0x00007fffb6dbfeba <+858>: test %eax,%eax
...
(gdb) disassemble /m sane_mustek_usb2_open
...
561 static SANE_Bool
562 PowerControl (SANE_Bool isLampOn, SANE_Bool isTALampOn)
563 {
564 DBG (DBG_FUNC, "PowerControl: start\n");
0x00007fffb6dbfe9e <+830>: lea 0x7fb1(%rip),%rsi # 0x7fffb6dc7e56
0x00007fffb6dbfea5 <+837>: xor %eax,%eax
0x00007fffb6dbfea7 <+839>: mov $0x5,%edi
0x00007fffb6dbfeac <+844>: callq 0x7fffb6db11f0
<sanei_debug_mustek_usb2_call>
565 return MustScanner_PowerControl (isLampOn, isTALampOn);
0x00007fffb6dbfeb1 <+849>: xor %esi,%esi
0x00007fffb6dbfeb3 <+851>: xor %edi,%edi
0x00007fffb6dbfeb5 <+853>: callq 0x7fffb6dbcfb0 <MustScanner_PowerControl>
566 }
...
2090 SANE_Status
2091 sane_open (SANE_String_Const devicename, SANE_Handle * handle)
2092 {
...
2101 if (!PowerControl (SANE_FALSE, SANE_FALSE))
0x00007fffb6dbfeba <+858>: test %eax,%eax
0x00007fffb6dbfebc <+860>: jne 0x7fffb6dbff08
<sane_mustek_usb2_open+936>
2102 {
---------
(gdb) disassemble MustScanner_PowerControl
Dump of assembler code for function MustScanner_PowerControl:
...
0x00007fffb6dbcfdb <+43>: callq 0x7fffb6db88d0 <Asic_Open>
0x00007fffb6dbcfe0 <+48>: test %eax,%eax
...
(gdb) disassemble /m MustScanner_PowerControl
Dump of assembler code for function MustScanner_PowerControl:
295 {
...
297 DBG (DBG_FUNC, "MustScanner_PowerControl: Call in\n");
0x00007fffb6dbcfb4 <+4>: lea 0xcdad(%rip),%rsi # 0x7fffb6dc9d68
0x00007fffb6dbcfbd <+13>: mov $0x5,%edi
0x00007fffb6dbcfd6 <+38>: callq 0x7fffb6db11f0
<sanei_debug_mustek_usb2_call>
298 if (STATUS_GOOD != Asic_Open (&g_chip, g_pDeviceFile))
0x00007fffb6dbcfdb <+43>: callq 0x7fffb6db88d0 <Asic_Open>
0x00007fffb6dbcfe0 <+48>: test %eax,%eax
0x00007fffb6dbcfe2 <+50>: jne 0x7fffb6dbd070
<MustScanner_PowerControl+192>
299 {
---------
(gdb) disassemble Asic_Open
...
0x00007fffb6db8bf0 <+800>: callq 0x7fffb6db7da0 <Mustek_DMAWrite>
0x00007fffb6db8bf5 <+805>: test %eax,%eax
...
(gdb) disassemble /m Asic_Open
...
2442 }
2443
2444 status = Mustek_DMAWrite (chip, 64, (SANE_Byte *) (temps));
0x00007fffb6db8be8 <+792>: mov %rbp,%rsi
0x00007fffb6db8beb <+795>: mov $0x40,%edi
0x00007fffb6db8bf0 <+800>: callq 0x7fffb6db7da0 <Mustek_DMAWrite>
0x00007fffb6db8bf7 <+807>: mov %eax,%r12d
2445 if (status != STATUS_GOOD)
...
---------
(gdb) disassemble Mustek_DMAWrite,0x00007fffb6db7f3b+20
Dump of assembler code from 0x7fffb6db7da0 to 0x7fffb6db7f4f:
...
0x00007fffb6db7f3b <Mustek_DMAWrite+411>: callq 0x7fffb6dabf70
<__stack_chk_fail@plt>
0x00007fffb6db7f40 <Mustek_DMARead+0>: push %r15
...
(gdb) disassemble /m Mustek_DMAWrite,0x00007fffb6db7f3b+20
Dump of assembler code from 0x7fffb6db7da0 to 0x7fffb6db7f4f:
253 Mustek_DMARead (PAsic chip, unsigned int size, SANE_Byte * lpdata)
0x00007fffb6db7f40 <Mustek_DMARead+0>: push %r15
...
354 }
0x00007fffb6db7e7b <Mustek_DMAWrite+219>: mov 0x18(%rsp),%rcx
0x00007fffb6db7e80 <Mustek_DMAWrite+224>: xor %fs:0x28,%rcx
0x00007fffb6db7e89 <Mustek_DMAWrite+233>: mov %r15d,%eax
0x00007fffb6db7e8c <Mustek_DMAWrite+236>: jne 0x7fffb6db7f3b
<Mustek_DMAWrite+411>
0x00007fffb6db7e92 <Mustek_DMAWrite+242>: add $0x28,%rsp
0x00007fffb6db7e96 <Mustek_DMAWrite+246>: pop %rbx
0x00007fffb6db7e97 <Mustek_DMAWrite+247>: pop %rbp
0x00007fffb6db7e98 <Mustek_DMAWrite+248>: pop %r12
0x00007fffb6db7e9a <Mustek_DMAWrite+250>: pop %r13
0x00007fffb6db7e9c <Mustek_DMAWrite+252>: pop %r14
0x00007fffb6db7e9e <Mustek_DMAWrite+254>: pop %r15
0x00007fffb6db7ea0 <Mustek_DMAWrite+256>: retq
0x00007fffb6db7ea1 <Mustek_DMAWrite+257>: nopl 0x0(%rax)
0x00007fffb6db7ea8 <Mustek_DMAWrite+264>: mov %r14d,%ebx
0x00007fffb6db7eab <Mustek_DMAWrite+267>: shl $0xf,%ebx
0x00007fffb6db7f3b <Mustek_DMAWrite+411>: callq 0x7fffb6dabf70
<__stack_chk_fail@plt>
End of assembler dump.
Possibly related:
https://gitlab.com/sane-project/backends/issues/new
