Dear Maintainer,

the given code from dmesg points to this function:

    LIBMTP_GetPartialObject at libmtp.c:9070

The related code [1] looks like function LIBMTP_Get_Filemetadata returns a null pointer which gets dereferenced unconditionally in line 9070. This part of the function seems unchanged upstream [2].

Kind regards,
Bernhard

[1] https://sources.debian.org/src/libmtp/1.1.16-2/src/libmtp.c/#L9070

    9067   LIBMTP_file_t *mtpfile = LIBMTP_Get_Filemetadata(device, id);
    9068
    9069   /* Some devices do not like reading over the end and hang instead of progressing */
    9070   if (offset >= mtpfile->filesize) {

[2] https://sourceforge.net/p/libmtp/code/ci/master/tree/src/libmtp.c#l9084
From Submitter:

[ 6707.977374] pool[8766]: segfault at 18 ip 00007f6b6a6262ee sp 00007f6b49ffaac0 error 4 in libmtp.so.9.4.0[7f6b6a618000+2a000]
[ 6707.977385] Code: d7 41 56 41 89 f6 41 55 4d 89 c5 41 54 4d 89 cc 55 48 89 fd 53 48 83 ec 18 48 8b 5f 08 89 4c 24 0c e8 96 23 ff ff 8b 4c 24 0c <48> 8b 50 18 4c 39 fa 0f 86 15 01 00 00 89 c8 89 d6 4c 01 f8 44 29
                     0  1  2  3  4  5  6  7  8  9  10 1  2  3  4  5  6  7  8  9  20 1  2  3  4  5  6  7  8  9  30 1  2  3  4  5  6  7  8  9  40 1  42

###########
# Unstable amd64 qemu VM 2020-01-10

apt update
apt dist-upgrade
apt install systemd-coredump xserver-xorg sddm openbox xterm gdb rhythmbox libmtp9-dbgsym

export DISPLAY=:0
gdb -q --args rhythmbox
set width 0
set pagination off
run
Ctrl-C

(gdb) info share
From                To                  Syms Read   Shared Object Library
...
0x00007fffe10c9870  0x00007fffe10f2e20  Yes         /lib/x86_64-linux-gnu/libmtp.so.9
...
(gdb) find /b 0x00007fffe10c9870, 0x00007fffe10f2e20, 0xd7, 0x41, 0x56, 0x41, 0x89, 0xf6, 0x41, 0x55, 0x4d, 0x89, 0xc5, 0x41, 0x54, 0x4d, 0x89, 0xcc, 0x55, 0x48, 0x89, 0xfd, 0x53, 0x48, 0x83, 0xec, 0x18, 0x48, 0x8b, 0x5f, 0x08, 0x89, 0x4c, 0x24, 0x0c, 0xe8, 0x96, 0x23, 0xff, 0xff, 0x8b, 0x4c, 0x24, 0x0c, 0x48, 0x8b, 0x50, 0x18, 0x4c, 0x39, 0xfa, 0x0f, 0x86, 0x15, 0x01, 0x00, 0x00, 0x89, 0xc8, 0x89, 0xd6, 0x4c, 0x01, 0xf8, 0x44, 0x29
0x7fffe10d72c4 <LIBMTP_GetPartialObject+4>
1 pattern found.
(gdb) b *(0x7fffe10d72c4 + 42)
Breakpoint 2 at 0x7fffe10d72ee: file libmtp.c, line 9070.
(gdb) info b
Num     Type           Disp Enb Address            What
2       breakpoint     keep y   0x00007fffe10d72ee in LIBMTP_GetPartialObject at libmtp.c:9070
(gdb) disassemble LIBMTP_GetPartialObject
Dump of assembler code for function LIBMTP_GetPartialObject:
   0x00007fffe10d72c0 <+0>:     push   %r15
   0x00007fffe10d72c2 <+2>:     mov    %rdx,%r15
   0x00007fffe10d72c5 <+5>:     push   %r14
   0x00007fffe10d72c7 <+7>:     mov    %esi,%r14d
   0x00007fffe10d72ca <+10>:    push   %r13
   0x00007fffe10d72cc <+12>:    mov    %r8,%r13
   0x00007fffe10d72cf <+15>:    push   %r12
   0x00007fffe10d72d1 <+17>:    mov    %r9,%r12
   0x00007fffe10d72d4 <+20>:    push   %rbp
   0x00007fffe10d72d5 <+21>:    mov    %rdi,%rbp
   0x00007fffe10d72d8 <+24>:    push   %rbx
   0x00007fffe10d72d9 <+25>:    sub    $0x18,%rsp
   0x00007fffe10d72dd <+29>:    mov    0x8(%rdi),%rbx
   0x00007fffe10d72e1 <+33>:    mov    %ecx,0xc(%rsp)
   0x00007fffe10d72e5 <+37>:    callq  0x7fffe10c9680 <LIBMTP_Get_Filemetadata@plt>
   0x00007fffe10d72ea <+42>:    mov    0xc(%rsp),%ecx
   0x00007fffe10d72ee <+46>:    mov    0x18(%rax),%rdx      <<<<<<<
   0x00007fffe10d72f2 <+50>:    cmp    %r15,%rdx
   ...
   0x00007fffe10d744a <+394>:   jmp    0x7fffe10d73d9 <LIBMTP_GetPartialObject+281>
End of assembler dump.

Debian:
https://sources.debian.org/src/libmtp/1.1.16-2/src/libmtp.c/#L9070

    9067   LIBMTP_file_t *mtpfile = LIBMTP_Get_Filemetadata(device, id);
    9068
    9069   /* Some devices do not like reading over the end and hang instead of progressing */
    9070   if (offset >= mtpfile->filesize) {

Upstream:
https://sourceforge.net/p/libmtp/code/ci/master/tree/src/libmtp.c#l9084
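The crash pattern analysed above, as an added, self-contained example that is not libmtp code and not part of the bug report. The dmesg line is consistent with the analysis: "segfault at 18" is a read at absolute address 0x18, i.e. a field at offset 0x18 read through a NULL pointer, and "error 4" is the x86 page-fault code for a user-mode read of a non-present page. The example uses a mock struct assumed to mirror the leading fields of LIBMTP_file_t on amd64 (uint32 item_id, parent_id, storage_id, then a char* filename, then uint64 filesize), which places filesize at offset 0x18; the mock_get_filemetadata() stand-in returns NULL for an unknown object id, and the object table it consults is constructed for the example. partial_object_unchecked() reproduces the unconditional dereference from libmtp.c:9070 (do not call it with an unknown id); partial_object_checked() is the hardened form that fails closed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

/* Mock of the leading fields of LIBMTP_file_t. Assumption: this mirrors the
 * real layout on amd64 well enough that filesize lands at offset 0x18, the
 * address in the submitter's "segfault at 18" line. */
typedef struct mock_file {
    uint32_t item_id;
    uint32_t parent_id;
    uint32_t storage_id;
    char *filename;
    uint64_t filesize;
    time_t modificationdate;
    int filetype;
    struct mock_file *next;
} mock_file_t;

/* Stand-in for LIBMTP_Get_Filemetadata(): returns NULL when the object is
 * unknown, which is exactly the case libmtp.c:9070 does not handle.
 * Constructed sample data: only object id 7 exists on the "device". */
static mock_file_t *mock_get_filemetadata(uint32_t id)
{
    if (id != 7)
        return NULL;
    mock_file_t *f = calloc(1, sizeof *f);
    if (f == NULL)
        return NULL;
    f->item_id = 7;
    f->filename = "sample.bin";
    f->filesize = 4096;
    return f;
}

static void mock_destroy_file(mock_file_t *f)
{
    free(f);
}

/* Same shape as the code at libmtp.c:9067-9070: the return value is
 * dereferenced without a NULL check. With id != 7 this reads NULL->filesize,
 * i.e. address 0x18, and faults just like the rhythmbox backtrace. */
int partial_object_unchecked(uint32_t id, uint64_t offset)
{
    mock_file_t *mtpfile = mock_get_filemetadata(id);
    int rc = 0;

    /* Some devices do not like reading over the end and hang instead of progressing */
    if (offset >= mtpfile->filesize)   /* crashes when mtpfile == NULL */
        rc = -1;
    mock_destroy_file(mtpfile);
    return rc;
}

/* Hardened form: refuse the partial read when no metadata is available,
 * reporting failure to the caller instead of dereferencing NULL. */
int partial_object_checked(uint32_t id, uint64_t offset)
{
    mock_file_t *mtpfile = mock_get_filemetadata(id);
    int rc = 0;

    if (mtpfile == NULL)
        return -1;   /* no metadata for this object: fail closed */

    if (offset >= mtpfile->filesize)
        rc = -1;     /* would read past the end; keep the existing guard */
    mock_destroy_file(mtpfile);
    return rc;
}

/* Exposes the mock layout so the 0x18 correspondence can be checked. */
size_t mock_filesize_offset(void)
{
    return offsetof(mock_file_t, filesize);
}
```

On a 64-bit build mock_filesize_offset() returns 0x18, matching the faulting address and the `mov 0x18(%rax),%rdx` at LIBMTP_GetPartialObject+46 in the disassembly; the checked variant returns -1 for an unknown id where the unchecked variant would segfault.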