Bug#954315: rastertopwg segfault

2021-09-12 Thread Hideki Yamane
On Thu, 9 Sep 2021 10:51:32 +0100
Brian Potkin  wrote:
> How are you progressing with this issue using the present cups in
> unstable?

 Well, I will have some time for Debian next week, so I will check
 later. Thanks for the heads-up! :)


-- 
Regards,

 Hideki Yamane henrich @ debian.org/iijmio-mail.jp



Bug#954315: rastertopwg segfault

2021-09-09 Thread Brian Potkin
tags 954315 moreinfo
thanks


On Fri 20 Mar 2020 at 12:34:00 +0900, Hideki Yamane wrote:

> Package: cups
> Version: 2.3.1-11
> Severity: important
> 
> Dear Maintainer,
> 
>  I cannot print some pdf files with cups, it gets an error with rastertopwg
>  segfault.
> 
>  3月 20 11:53:04 tiny kernel: rastertopwg[31898]: segfault at 0 ip 7f7a61751671 sp 7ffe7eb46428 error 4 in libc-2.30.so[7f7a61618000+14a000]
>  3月 20 11:53:04 tiny kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f  fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1
>  3月 20 11:53:04 tiny systemd[1]: Started Process Core Dump (PID 31916/UID 0).
>  3月 20 11:53:05 tiny systemd-coredump[31917]: Process 31898 (rastertopwg) of user 0 dumped core.
> 
> Stack trace of thread 31898:
> #0  0x7f7a61751671 __strlen_avx2 (libc.so.6 + 0x15e671)
> #1  0x7f7a618032f9 _cups_strlcpy (libcups.so.2 + 0x4d2f9)
> #2  0x55a058ca1a36 main (rastertopwg + 0x1a36)
> #3  0x7f7a61619e0b __libc_start_main (libc.so.6 + 0x26e0b)
> #4  0x55a058ca21aa _start (rastertopwg + 0x21aa)
> 
> 

Hello Hideki,

How are you progressing with this issue using the present cups in
unstable?

Regards,

Brian.



Bug#954315: rastertopwg segfault

2020-03-20 Thread Bernhard Übelacker
Hello Till,
I am not the initial reporter of the issue and I cannot reproduce it,
therefore cannot test the suggested change.
Just tried to share my results.

Kind regards,
Bernhard



Bug#954315: rastertopwg segfault

2020-03-20 Thread Till Kamppeter
First, this is definitely a CUPS upstream bug, so please report it on 
the CUPS GitHub, also supplying all the information which you have 
gathered and attaching the files which I had asked for.


https://github.com/apple/cups/issues/

Probably it can be solved by adding a simple NULL check.

At line 273 of rastertopwg.c replace

  if (pwg_media)
    strlcpy(outheader.cupsPageSizeName, pwg_media->pwg,
            sizeof(outheader.cupsPageSizeName));

by

  if (pwg_media && pwg_media->pwg)
    strlcpy(outheader.cupsPageSizeName, pwg_media->pwg,
            sizeof(outheader.cupsPageSizeName));

Please try it if you are familiar with source code and compiling. Tell 
your result here and also in the upstream bug you are reporting.


   Till
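
The NULL check suggested in the message above, as an added C example (not part of Till's message and not code from CUPS). `media_entry_t`, `bounded_copy` and `set_page_size_name` are hypothetical names, and `bounded_copy` stands in for strlcpy so the block builds on any libc.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the media record: only the field discussed
 * in the thread is modelled. pwg may be NULL when no size name is set. */
typedef struct {
    const char *pwg;
} media_entry_t;

/* Bounded copy with strlcpy semantics: NUL-terminates when dstsize > 0 and
 * returns strlen(src). The strlen(src) call is what faults on a NULL src,
 * matching the strlen frame at the top of the reported backtrace. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Guarded copy: 0 = no name available (dst untouched), 1 = copied whole,
 * -1 = copied but truncated to fit dst. */
int set_page_size_name(char *dst, size_t dstsize, const media_entry_t *media)
{
    if (!media || !media->pwg)
        return 0;
    return bounded_copy(dst, media->pwg, dstsize) < dstsize ? 1 : -1;
}

int main(void)
{
    /* Constructed sample records, not taken from any real PPD. */
    media_entry_t samples[] = { { "iso_a4_210x297mm" }, { NULL } };
    char name[64] = "";

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = set_page_size_name(name, sizeof(name), &samples[i]);
        printf("record %zu: rc=%d name=\"%s\"\n", i, rc, name);
    }
    return 0;
}
```

Checking both the record pointer and its string member is what keeps the second sample from reaching strlen with a NULL argument.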



Bug#954315: rastertopwg segfault

2020-03-20 Thread Bernhard Übelacker
Hello,
the stack trace should look like this with line numbers, if it helps:

0x7...671 in __strlen_avx2 at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
0x7...2f4 in _cups_strlcpy at string.c:739
0x5...a31 in main at rastertopwg.c:274
0x7...e09 in __libc_start_main at ../csu/libc-start.c:308
0x5...1a4 <_start+36>

https://sources.debian.org/src/cups/2.3.1-11/cups/string.c/#L739
https://sources.debian.org/src/cups/2.3.1-11/filter/rastertopwg.c/#L274

Kind regards,
Bernhard


# From submitter:
Stack trace of thread 31898:
#0  0x7f7a61751671 __strlen_avx2 (libc.so.6 + 0x15e671)
#1  0x7f7a618032f9 _cups_strlcpy (libcups.so.2 + 0x4d2f9)
#2  0x55a058ca1a36 main (rastertopwg + 0x1a36)
#3  0x7f7a61619e0b __libc_start_main (libc.so.6 + 0x26e0b)
#4  0x55a058ca21aa _start (rastertopwg + 0x21aa)


###


# Unstable amd64 qemu VM 2020-03-20


apt update
apt dist-upgrade


apt install systemd-coredump gdb cups cups-dbgsym libcups2-dbgsym

reboot



# dpkg -l | grep cups
ii  cups                       2.3.1-11  amd64  Common UNIX Printing System(tm) - PPD/driver support, web interface
ii  cups-browsed               1.27.2-1  amd64  OpenPrinting CUPS Filters - cups-browsed
ii  cups-client                2.3.1-11  amd64  Common UNIX Printing System(tm) - client programs (SysV)
ii  cups-common                2.3.1-11  all    Common UNIX Printing System(tm) - common files
ii  cups-core-drivers          2.3.1-11  amd64  Common UNIX Printing System(tm) - driverless printing
ii  cups-daemon                2.3.1-11  amd64  Common UNIX Printing System(tm) - daemon
ii  cups-dbgsym                2.3.1-11  amd64  debug symbols for cups
ii  cups-filters               1.27.2-1  amd64  OpenPrinting CUPS Filters - Main Package
ii  cups-filters-core-drivers  1.27.2-1  amd64  OpenPrinting CUPS Filters - Driverless printing
ii  cups-ipp-utils             2.3.1-11  amd64  Common UNIX Printing System(tm) - IPP developer/admin utilities
ii  cups-ppdc                  2.3.1-11  amd64  Common UNIX Printing System(tm) - PPD manipulation utilities
ii  cups-server-common         2.3.1-11  all    Common UNIX Printing System(tm) - server common files
ii  libcups2:amd64             2.3.1-11  amd64  Common UNIX Printing System(tm) - Core library
ii  libcups2-dbgsym:amd64      2.3.1-11  amd64  debug symbols for libcups2
ii  libcupsfilters1:amd64      1.27.2-1  amd64  OpenPrinting CUPS Filters - Shared library




gdb -q

set width 0
set pagination off
file /usr/lib/cups/filter/rastertopwg
b main
run
dele 1
generate-core-file /tmp/core
kill
y
q


gdb -q

set width 0
set pagination off
file /usr/lib/cups/filter/rastertopwg
core /tmp/core

disassemble _start
b *0x61a4

disassemble __libc_start_main
b *0x77d8ee09

disassemble main
b *0x5a31

disassemble _cups_strlcpy
b *0x77f782f4

disassemble __strlen_avx2
b *0x77ec6671

info b





0x77ec6671 in __strlen_avx2 at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
0x77f782f4 in _cups_strlcpy at string.c:739
0x5a31 in main at rastertopwg.c:274
0x77d8ee09 in __libc_start_main at ../csu/libc-start.c:308
0x61a4 <_start+36>




Bug#954315: rastertopwg segfault

2020-03-20 Thread Till Kamppeter
We need a way to reproduce the bug and also a backtrace with line 
numbers of the source files.


So please attach the PDF input file which leads to the crash. Also 
attach your printer's PPD file, from the /etc/cups/ppd/ directory, named 
by the name of your print queue.


Please also try to reproduce the crash with the "cupsfilter" command:

cupsfilter -p /etc/cups/ppd/QUEUE.ppd -i application/pdf -m printer/QUEUE -e FILE.pdf > out


Running only a part of the filter chain you can get the data which is 
fed into rastertopwg:


cupsfilter -p /etc/cups/ppd/QUEUE.ppd -i application/pdf -m application/vnd.cups-raster -e FILE.pdf > out.raster


Now you can run rastertopwg isolated:

ulimit -c unlimited
cat out.raster | PPD=/etc/cups/ppd/QUEUE.ppd /usr/lib/cups/filter/rastertopwg 1 1 1 1 "" > out


and get a backtrace:

gdb -c core /usr/lib/cups/filter/rastertopwg

Use the "bt" command at the prompt of gdb. Please post the backtrace here.

   Till



Bug#954315: rastertopwg segfault

2020-03-19 Thread Hideki Yamane
Package: cups
Version: 2.3.1-11
Severity: important

Dear Maintainer,

 I cannot print some pdf files with cups, it gets an error with rastertopwg
 segfault.

 3月 20 11:53:04 tiny kernel: rastertopwg[31898]: segfault at 0 ip 7f7a61751671 sp 7ffe7eb46428 error 4 in libc-2.30.so[7f7a61618000+14a000]
 3月 20 11:53:04 tiny kernel: Code: 84 00 00 00 00 00 0f 1f 00 31 c0 c5 f8 77 c3 66 2e 0f 1f 84 00 00 00 00 00 89 f9 48 89 fa c5 f9 ef c0 83 e1 3f 83 f9 20 77 1f  fd 74 0f c5 fd d7 c1 85 c0 0f 85 df 00 00 00 48 83 c7 20 83 e1
 3月 20 11:53:04 tiny systemd[1]: Started Process Core Dump (PID 31916/UID 0).
 3月 20 11:53:05 tiny systemd-coredump[31917]: Process 31898 (rastertopwg) of user 0 dumped core.

Stack trace of thread 31898:
#0  0x7f7a61751671 __strlen_avx2 (libc.so.6 + 0x15e671)
#1  0x7f7a618032f9 _cups_strlcpy (libcups.so.2 + 0x4d2f9)
#2  0x55a058ca1a36 main (rastertopwg + 0x1a36)
#3  0x7f7a61619e0b __libc_start_main (libc.so.6 + 0x26e0b)
#4  0x55a058ca21aa _start (rastertopwg + 0x21aa)


henrich@tiny:~ $ LANG=C gdb /usr/lib/cups/filter/rastertopwg dump
GNU gdb (Debian 9.1-2) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later 
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/cups/filter/rastertopwg...
Reading symbols from /usr/lib/debug/.build-id/f6/625381c79c26618988e474ae2e419e5b4222bc.debug...
[New LWP 40096]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `ipp://Photosmart%205520%20series%20%5BEB8411%5D._ipp._tcp.local/ 32 henrich 202'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65  ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb)




-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8), LANGUAGE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups depends on:
ii  cups-client            2.3.1-11
ii  cups-common            2.3.1-11
ii  cups-core-drivers      2.3.1-11
ii  cups-daemon            2.3.1-11
ii  cups-filters           1.27.2-1
ii  cups-ppdc              2.3.1-11
ii  cups-server-common     2.3.1-11
ii  debconf [debconf-2.0]  1.5.73
ii  ghostscript            9.52~dfsg-1
ii  libavahi-client3       0.7-5
ii  libavahi-common3       0.7-5
ii  libc6                  2.30-2
ii  libcups2               2.3.1-11
ii  libgcc-s1              10-20200312-2
ii  libstdc++6             10-20200312-2
ii  libusb-1.0-0           2:1.0.23-2
ii  poppler-utils          0.71.0-6
ii  procps                 2:3.3.16-4

Versions of packages cups recommends:
ii  avahi-daemon  0.7-5
ii  colord        1.4.4-1

Versions of packages cups suggests:
ii  cups-bsd                                   2.3.1-11
pn  cups-pdf
ii  foomatic-db-compressed-ppds [foomatic-db]  20200219-1
pn  smbclient
ii  udev                                       245.2-1

-- debconf information:
  cupsys/backend: lpd, socket, usb, snmp, dnssd
  cupsys/raw-print: true