Hello Florence, dear Maintainer,

Stack trace of thread 113079:
                                                  #0  0x00007f858b12ae71 raise 
(libc.so.6 + 0x3ce71)
                                                  #1  0x00007f858b114536 abort 
(libc.so.6 + 0x26536)
                                                  #2  0x00007f858b16c2b8 n/a 
(libc.so.6 + 0x7e2b8)
                                                  #3  0x00007f858b1fad42 
__fortify_fail (libc.so.6 + 0x10cd42)
                                                  #4  0x00007f858b1fad20 
__stack_chk_fail (libc.so.6 + 0x10cd20)
                                                  #5  0x00007f857c763146 
get_size (libsane-hpaio.so.1 + 0x14146)
                                                  #6  0xffffffffffffffff n/a 
(n/a + 0x0)


Thanks for the fast response.
From looking at this stack trace I assume a stack variable in
function "get_size" gets overwritten; the stack check then
triggers at the end of this function.

From looking at [1] I _think_ the issue might be with the
variable "char buffer[7]".
It looks like this buffer gets some hexadecimal size
information written into it from an HTTP connection.

Therefore my hypothesis is that either this "size" exceeds what
fits into these 7 places (would be 268 MB ?),
or some unexpected input is read from the connection and
therefore the loop is not left before the buffer is overrun.

One easy thing might be to test whether the resolution can be
changed to some lower value, in the hope of getting this "size" to
a lower value; does the scan then succeed ?

Kind regards,
Bernhard



[1] 
https://sources.debian.org/src/hplip/3.21.6+dfsg0-1/scan/sane/bb_ledm.c/#L1086
    1084
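    /*
     * Read one chunk-size line ("<hex digits>\r\n") from the LEDM HTTP
     * connection, one byte at a time, and return the value it encodes.
     *
     * ps: the LEDM session; ps->bb_session->http_handle is the connection
     *     that http_read_size() reads from.
     * Returns the size parsed from the hexadecimal digits, or 0 when
     * http_read_size() reports status 2 (the existing "no data" path) or
     * when no "\r\n" arrives before the local buffer is full.
     *
     * The original loop had no bound on i: a line without "\r\n" in its
     * first bytes, or a size with too many hex digits, wrote past
     * buffer[7] and tripped __stack_chk_fail. The loop now gives up one
     * byte early so the terminating NUL written at buffer[i+1] always
     * stays inside the array. Returning 0 for that case reuses the value
     * the caller already has to handle for a failed read.
     */
    int get_size(struct ledm_session* ps)
    {
      struct bb_ledm_session *pbb = ps->bb_session;
      char buffer[7];
      int i = 0, tmo = 50, len;
      /* Highest index that still leaves room for the NUL at buffer[i+1]. */
      const int last = (int)sizeof buffer - 2;

      /* High resolutions take longer to answer; extend the read timeout. */
      if (ps->currentResolution >= 1200) tmo *= 5;

      while (1)
      {
        if (http_read_size(pbb->http_handle, buffer + i, 1, tmo, &len) == 2) return 0;
        if (i && buffer[i] == '\n' && buffer[i - 1] == '\r') break;
        /* No CRLF within the buffer: malformed chunk header, do not overrun. */
        if (i >= last) return 0;
        i++;
      }
      buffer[i + 1] = '\0';
      /* Base 16: the chunk header carries the size as hex digits. */
      return strtol(buffer, NULL, 16);
    }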
    1102

[2] https://sources.debian.org/src/hplip/3.21.6+dfsg0-1/scan/sane/http.c/#L513
# Bullseye/stable amd64 qemu VM 2021-09-15
# Reproduction notes: prepare a Debian bullseye VM with simple-scan, hplip
# and their debug symbols, then unpack the libsane-hpaio source so gdb can
# show bb_ledm.c.


# Disable bracketed paste so pasted command blocks run unchanged; the
# trailing "bash" presumably starts a fresh shell that picks up the setting.
echo "set enable-bracketed-paste off" >> /etc/inputrc; bash


apt update
apt dist-upgrade

# The -dbgsym packages provide the debug symbols gdb loads from
# /usr/lib/debug in the session below.
apt install mc gdb simple-scan hplip
apt install simple-scan-dbgsym libsane-hpaio-dbgsym
apt build-dep libsane-hpaio



# Fetch the matching source tree for gdb's "directory" command.
mkdir /home/benutzer/source/libsane-hpaio/orig -p
cd    /home/benutzer/source/libsane-hpaio/orig
apt source libsane-hpaio
cd






benutzer@debian:~$ gdb -q
(gdb) set width 0
(gdb) set pagination off
(gdb) file /usr/bin/simple-scan
Reading symbols from /usr/bin/simple-scan...
Reading symbols from 
/usr/lib/debug/.build-id/31/8e835860dafff5fa45c03cb758e8cae5a11fa0.debug...
(gdb) tb main
Temporary breakpoint 1 at 0xe160: file src/simple-scan.p/simple-scan.c, line 
2434.
(gdb) run
Starting program: /usr/bin/simple-scan 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Temporary breakpoint 1, main (argc=1, argv=0x7fffffffe618) at 
src/simple-scan.p/simple-scan.c:2434
2434    src/simple-scan.p/simple-scan.c: Datei oder Verzeichnis nicht gefunden.
(gdb) call dlopen("/usr/lib/x86_64-linux-gnu/sane/libsane-hpaio.so.1",0x102)
$1 = (void *) 0x5555555da300
(gdb) b get_size
Breakpoint 2 at 0x7ffff3618080: file scan/sane/bb_ledm.c, line 1086.
(gdb) disassemble get_size,get_size+200
Dump of assembler code from 0x7ffff3618080 to 0x7ffff3618148:
   0x00007ffff3618080 <get_size+0>:     push   %r15
   0x00007ffff3618082 <get_size+2>:     push   %r14
   0x00007ffff3618084 <get_size+4>:     push   %r13
   0x00007ffff3618086 <get_size+6>:     push   %r12
   0x00007ffff3618088 <get_size+8>:     mov    $0x32,%r12d
   0x00007ffff361808e <get_size+14>:    push   %rbp
   0x00007ffff361808f <get_size+15>:    push   %rbx
   0x00007ffff3618090 <get_size+16>:    sub    $0x28,%rsp
   0x00007ffff3618094 <get_size+20>:    mov    0x89b0(%rdi),%r15
   0x00007ffff361809b <get_size+27>:    mov    %fs:0x28,%rax
   0x00007ffff36180a4 <get_size+36>:    mov    %rax,0x18(%rsp)
   0x00007ffff36180a9 <get_size+41>:    xor    %eax,%eax
   0x00007ffff36180ab <get_size+43>:    lea    0x11(%rsp),%r13
   0x00007ffff36180b0 <get_size+48>:    mov    $0xfa,%eax
   0x00007ffff36180b5 <get_size+53>:    cmpl   $0x4b0,0x744(%rdi)
   0x00007ffff36180bf <get_size+63>:    cmovge %eax,%r12d
   0x00007ffff36180c3 <get_size+67>:    mov    %r13,%rbx
   0x00007ffff36180c6 <get_size+70>:    lea    0xc(%rsp),%r14
   0x00007ffff36180cb <get_size+75>:    xor    %ebp,%ebp
   0x00007ffff36180cd <get_size+77>:    jmp    0x7ffff36180d8 <get_size+88>
   0x00007ffff36180cf <get_size+79>:    nop
   0x00007ffff36180d0 <get_size+80>:    add    $0x1,%rbp
   0x00007ffff36180d4 <get_size+84>:    add    $0x1,%rbx
   0x00007ffff36180d8 <get_size+88>:    mov    0x1f0(%r15),%rdi
   0x00007ffff36180df <get_size+95>:    mov    %r14,%r8
   0x00007ffff36180e2 <get_size+98>:    mov    %r12d,%ecx
   0x00007ffff36180e5 <get_size+101>:   mov    %rbx,%rsi
   0x00007ffff36180e8 <get_size+104>:   mov    $0x1,%edx
   0x00007ffff36180ed <get_size+109>:   call   0x7ffff3619130 <http_read_size>
   0x00007ffff36180f2 <get_size+114>:   cmp    $0x2,%eax
   0x00007ffff36180f5 <get_size+117>:   je     0x7ffff3618120 <get_size+160>
   0x00007ffff36180f7 <get_size+119>:   test   %rbp,%rbp
   0x00007ffff36180fa <get_size+122>:   je     0x7ffff36180d0 <get_size+80>
   0x00007ffff36180fc <get_size+124>:   cmpb   $0xa,(%rbx)
   0x00007ffff36180ff <get_size+127>:   jne    0x7ffff36180d0 <get_size+80>
   0x00007ffff3618101 <get_size+129>:   cmpb   $0xd,-0x1(%rbx)
   0x00007ffff3618105 <get_size+133>:   jne    0x7ffff36180d0 <get_size+80>
   0x00007ffff3618107 <get_size+135>:   mov    $0x10,%edx
   0x00007ffff361810c <get_size+140>:   xor    %esi,%esi
   0x00007ffff361810e <get_size+142>:   mov    %r13,%rdi
   0x00007ffff3618111 <get_size+145>:   movb   $0x0,0x12(%rsp,%rbp,1)
   0x00007ffff3618116 <get_size+150>:   call   0x7ffff3608590 <strtol@plt>
   0x00007ffff361811b <get_size+155>:   jmp    0x7ffff3618122 <get_size+162>
   0x00007ffff361811d <get_size+157>:   nopl   (%rax)
   0x00007ffff3618120 <get_size+160>:   xor    %eax,%eax
   0x00007ffff3618122 <get_size+162>:   mov    0x18(%rsp),%rcx
   0x00007ffff3618127 <get_size+167>:   sub    %fs:0x28,%rcx
   0x00007ffff3618130 <get_size+176>:   jne    0x7ffff3618141 <get_size+193>
   0x00007ffff3618132 <get_size+178>:   add    $0x28,%rsp
   0x00007ffff3618136 <get_size+182>:   pop    %rbx
   0x00007ffff3618137 <get_size+183>:   pop    %rbp
   0x00007ffff3618138 <get_size+184>:   pop    %r12
   0x00007ffff361813a <get_size+186>:   pop    %r13
   0x00007ffff361813c <get_size+188>:   pop    %r14
   0x00007ffff361813e <get_size+190>:   pop    %r15
   0x00007ffff3618140 <get_size+192>:   ret    
   0x00007ffff3618141 <get_size+193>:   call   0x7ffff3608320 
<__stack_chk_fail@plt>
   0x00007ffff3618146:  nopw   %cs:0x0(%rax,%rax,1)
End of assembler dump.
(gdb) list get_size
1084
1085    int get_size(struct ledm_session* ps)
1086    {
1087      struct bb_ledm_session *pbb = ps->bb_session;
1088      char buffer[7];
1089      int i=0, tmo=50, len;
1090
1091      if(ps->currentResolution >= 1200) tmo *= 5;
1092      
1093      while(1)
1094      {
1095        if(http_read_size(pbb->http_handle, buffer+i, 1, tmo, &len) == 2) 
return 0;
1096        if( i && *(buffer+i) == '\n' && *(buffer+i-1) == '\r') break;
1097        i++;
1098      }
1099      *(buffer+i+1)='\0';
1100      return strtol(buffer, NULL, 16);
1101    }
1102




https://sources.debian.org/src/hplip/3.21.6+dfsg0-1/scan/sane/bb_ledm.c/#L1086
https://sources.debian.org/src/hplip/3.21.6+dfsg0-1/scan/sane/http.c/#L513






# Command-by-command form of the interactive gdb session above.
gdb -q
set width 0
set pagination off
# Point gdb at the unpacked source so "list get_size" can show bb_ledm.c.
directory /home/benutzer/source/libsane-hpaio/orig/hplip-3.21.6+dfsg0/scan/sane
file /usr/bin/simple-scan
tb main
run

# Load the SANE backend into the stopped process so its symbols resolve;
# 0x102 is RTLD_NOW | RTLD_GLOBAL on glibc.
call dlopen("/usr/lib/x86_64-linux-gnu/sane/libsane-hpaio.so.1",0x102)
b get_size
disassemble get_size
