Bug#961345: cups: daemon crashes with invalid free()

To: Bernhard Übelacker <bernhardu@mailbox.org>
Cc: 961345@bugs.debian.org, Peter Krefting <peter@softwolves.pp.se>
Subject: Bug#961345: cups: daemon crashes with invalid free()
From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
Date: Fri, 28 Aug 2020 10:12:52 +0100
Message-id: <[🔎] a640934e-9e03-4b94-9722-8206963a83d7@amazinginternet.com>
Reply-to: Ronny Adsetts <ronny.adsetts@amazinginternet.com>, 961345@bugs.debian.org
In-reply-to: <[🔎] a37609d6-12df-e529-0bf9-14cb936fe900@mailbox.org>
References: <dfe58218-6630-a382-fb86-d0ad8741adb9@amazinginternet.com> <dfe58218-6630-a382-fb86-d0ad8741adb9@amazinginternet.com> <[🔎] 38245743-08f6-1088-7215-8ea4625075d2@mailbox.org> <[🔎] a7e13584-0203-1212-ca0a-e6bb29caff99@amazinginternet.com> <[🔎] c98e8bf2-fdf2-0778-8a93-baffd1e0b995@mailbox.org> <[🔎] 4cfc5dc5-f19e-21e8-049a-71afda5091ee@amazinginternet.com> <[🔎] d2c4691e-aa99-9765-9e32-5f3d20dc842a@mailbox.org> <[🔎] db904cff-0151-5cca-8d9a-fd739b2ad143@amazinginternet.com> <[🔎] cfe2e27a-9dfe-5176-02db-75a8b3bdbefb@mailbox.org> <[🔎] f44ddbbd-d2e8-acee-d560-77ac6cee6dba@amazinginternet.com> <[🔎] c259f361-64e7-875a-233c-a565bcb3fc09@mailbox.org> <[🔎] dd57b77f-5892-9410-5e00-db1e1fe0fe51@amazinginternet.com> <[🔎] a37609d6-12df-e529-0bf9-14cb936fe900@mailbox.org> <159024216581.6368.16601126942547777227.reportbug@perkele.intern.softwolves.pp.se>

Bernhard Übelacker wrote on 26/08/2020 23:10:
> 
> I tried to have a look and I get the feeling that there is a
> disagreement if the attribute "printer-alert" is of type IPP_TAG_TEXT
> or IPP_TAG_STRING.
> 
> Also it is the only line I found at a glance that calls ippAddString
> with a IPP_TAG_STRING.
> 
> Other attributes of type IPP_TAG_STRING seem to get added by a call
> to ippAddOctetString.
> 
> But still I am not sure which of STRING or TEXT is the right one.
> 
> Below patch is an attempt to add "printer-alert" in
> copy_printer_attrs by using ippAddOctetString.
> 
> The important change is in scheduler/ipp.c, the changes to
> backend/ipp.c should just mark another questionable place.
> 
> I could not test this change as I can not reproduce the crash - so it
> is untested.

Hi Bernhard,

So running with the patched cups packages seems to fix the "invalid free" on a test print. I've restored the systemd service file to remove valgrind so let's see how we go on a day's printing. :-).

Incidentally, stopping the cups service (new packages) after a single print job when under valgrind gave this in case it's related:

Aug 28 10:03:59 samba-prn-01.graysofwestminster.co.uk systemd[1]: Stopping CUPS Scheduler...
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== Invalid free() / delete / delete[] / realloc()
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    at 0x48369AB: free (vg_replace_malloc.c:538)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:202)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73629: check_free (dlerror.c:186)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: free_key_mem (dlerror.c:221)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4C73AB1: __dlerror_main_freeres (dlerror.c:239)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4BECB71: __libc_freeres (in /usr/lib/x86_64-linux-gnu/libc-2.28.so)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x482B19E: _vgnU_freeres (vg_preloaded.c:75)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4ABDE89: __run_exit_handlers (exit.c:132)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4ABDEB9: exit (exit.c:139)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    by 0x4AA80A1: (below main) (libc-start.c:342)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==  Address 0x4a5dd94 is in a r-- mapped file /usr/lib/x86_64-linux-gnu/libcups.so.2 segment
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== HEAP SUMMARY:
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==     in use at exit: 829,720 bytes in 16,197 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==   total heap usage: 131,007 allocs, 114,811 frees, 25,289,313 bytes allocated
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== LEAK SUMMARY:
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    definitely lost: 51,468 bytes in 519 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    indirectly lost: 65,751 bytes in 4 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==      possibly lost: 0 bytes in 0 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==    still reachable: 712,501 bytes in 15,674 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==         suppressed: 0 bytes in 0 blocks
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== Rerun with --leak-check=full to see details of leaked memory
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238==
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== For lists of detected and suppressed errors, rerun with: -s
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk valgrind[5238]: ==5238== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk systemd[1]: cups.service: Succeeded.
Aug 28 10:04:00 samba-prn-01.graysofwestminster.co.uk systemd[1]: Stopped CUPS Scheduler.
Aug 28 10:04:12 samba-prn-01.graysofwestminster.co.uk systemd[1]: Started CUPS Scheduler.

Thanks.

Ronny
-- 
Ronny Adsetts
Technical Director
Amazing Internet Ltd, London
t: +44 20 8977 8943
w: www.amazinginternet.com

Registered office: 85 Waldegrave Park, Twickenham, TW1 4TJ
Registered in England. Company No. 4042957

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Ronny Adsetts <ronny.adsetts@amazinginternet.com>
- Bug#961345: cups: daemon crashes with invalid free()
  - From: Bernhard Übelacker <bernhardu@mailbox.org>

Prev by Date: Bug#961345: cups: daemon crashes with invalid free()
Next by Date: Bug#969169: cups: Driverless printing not working
Previous by thread: Bug#961345: cups: daemon crashes with invalid free()
Next by thread: Bug#965144: Removed package(s) from unstable
Index(es):
- Date
- Thread