https://bugs.kde.org/show_bug.cgi?id=468053

            Bug ID: 468053
           Summary: Skanlite and Skanpage crash (deep in sane-backends)
                    when a net scanner is available
    Classification: Frameworks and Libraries
           Product: libksane
           Version: 22.12.3
          Platform: openSUSE
                OS: Linux
            Status: REPORTED
          Severity: crash
          Priority: NOR
         Component: general
          Assignee: kare.s...@iki.fi
          Reporter: da...@ingeniumdigital.com
  Target Milestone: ---

SUMMARY
Both skanlite and skanpage crash on boot when connecting to a saned-based
network scanner. Xsane is able to connect fine.

The stacktrace is:
```
Thread 1 "skanlite" received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
Downloading 0.01 MB source file
/usr/src/debug/glibc-2.37/string/../sysdeps/x86_64/multiarch/strlen-avx2.S
76              VPCMPEQ (%rdi), %ymm0, %ymm1
Missing separate debuginfos, use: zypper install
skanlite-debuginfo-22.12.3-1.2.x86_64
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1  0x00007fffcc0fb42a in do_authorization (dev=0x5555555af800, resource=0x58
<error: Cannot access memory at address 0x58>)
    at /usr/src/debug/sane-backends-1.1.1/backend/net.c:650
#2  0x00007fffcc0fe2ad in sane_net_control_option (handle=0x555555bae6e0,
option=2, action=<optimized out>, value=0x7fffffffcd80, 
    info=0x7fffffffcd24) at
/usr/src/debug/sane-backends-1.1.1/backend/net.c:1792
#3  0x00007ffff7753b87 in KSaneCore::ListOption::readValue
(this=0x555555a5a3a0) at
/usr/src/debug/ksanecore-22.12.3/src/options/listoption.cpp:33
#4  0x00007ffff77588f8 in KSaneCore::InterfacePrivate::loadDeviceOptions
(this=<optimized out>)
    at /usr/src/debug/ksanecore-22.12.3/src/interface_p.cpp:151
#5  0x00007ffff7f7966f in KSaneIface::KSaneWidget::openDevice
(this=0x555555901330, deviceName=...)
    at /usr/src/debug/libksane-22.12.3/src/ksanewidget.cpp:293
#6  0x00005555555655fb in Skanlite::Skanlite (parent=0x0, device=...,
this=0x7fffffffd500) at /usr/src/debug/skanlite-22.12.3/src/skanlite.cpp:198
#7  main (argc=<optimized out>, argv=<optimized out>) at
/usr/src/debug/skanlite-22.12.3/src/main.cpp:84
```

This warning appeared immediately before the crash:
```
[13:18:01.754776] [sanei_wire] sanei_w_array: DECODE: maximum amount of
allocated memory exceeded (limit: 1048576, new allocation: 7008781732, total:
7009830308 bytes)
```

More details from the crash in sane-backends, where reply.resource_to_authorize
is 0x58 for some reason:
```
#2  0x00007fffcc0fe2ad in sane_net_control_option (handle=0x555555bae6e0,
option=2, action=<optimized out>, value=0x7fffffffcd80, info=0x7fffffffcd24) at
/usr/src/debug/sane-backends-1.1.1/backend/net.c:1792
1792              do_authorization (s->hw, reply.resource_to_authorize);
(gdb) list
1787          status = reply.status;
1788          need_auth = (reply.resource_to_authorize != 0);
1789          if (need_auth)
1790            {
1791              DBG (3, "sane_control_option: auth required\n");
1792              do_authorization (s->hw, reply.resource_to_authorize);
1793              sanei_w_free (&s->hw->wire,
1794                            (WireCodecFunc) sanei_w_control_option_reply,
&reply);
1795
1796              sanei_w_set_dir (&s->hw->wire, WIRE_DECODE);
(gdb) print reply
$1 = {status = SANE_STATUS_GOOD, info = 2, value_type = 0, value_size = 57,
value = 0x7fffffffce50, resource_to_authorize = 0x58 <error: Cannot access
memory at address 0x58>}
(gdb) q
```


STEPS TO REPRODUCE
1. Configure the 'net' sane backend. (Uncomment 'net' from
/etc/saned.d/dll.conf, and add the hostname of the saned server to
/etc/saned.d/net.conf)
2. Make sure there is a saned server running. (I'm using Debian armhf
'sane-utils' version 1.0.31-4.1)
3. 

OBSERVED RESULT

The crash above when either skanpage or skanlite starts.

EXPECTED RESULT

Like non-ksanecore-based scanning programs, they work without crashing.

SOFTWARE/OS VERSIONS
Operating System: openSUSE Tumbleweed 20230330
KDE Plasma Version: 5.27.3
KDE Frameworks Version: 5.104.0
Qt Version: 5.15.8
Kernel Version: 6.2.8-1-vanilla (64-bit)
Graphics Platform: Wayland
Processors: 4 × Intel® Core™ i7-7560U CPU @ 2.40GHz
Memory: 15.3 GiB of RAM
Graphics Processor: Mesa Intel® Iris® Plus Graphics 640
Manufacturer: Dell Inc.
Product Name: XPS 13 9360

ADDITIONAL INFORMATION

This looks like it's probably a sane-backends or saned issue, but clearly
KSaneCore is doing something to trigger it that Xsane isn't.

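The trace above shows a decode-limit warning followed by strlen() on a pointer field holding 0x58. As an added example (not code from sane-backends, KSaneCore or the report), this C sketch shows the defensive pattern for that failure mode: the decoder latches an error, clears the reply, and the caller checks the status before touching the pointer. The `wire_t`/`reply_t` types, the function names and the message layout are hypothetical, and the report does not establish that this is the actual root cause.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ALLOC (1024u * 1024u) /* 1048576, the limit shown in the warning */

/* Hypothetical miniature wire reader; these names are not the sanei_wire API. */
typedef struct { const uint8_t *buf; size_t len, pos; int status; } wire_t;
typedef struct { uint32_t value_size; const uint8_t *value; const char *resource; } reply_t;

static uint32_t read_u32(wire_t *w) {
    if (w->status) return 0;
    if (w->len - w->pos < 4) { w->status = EINVAL; return 0; }
    const uint8_t *p = w->buf + w->pos;
    w->pos += 4;
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Length-prefixed byte array, returned as a view into buf; errors latch in w->status. */
static const uint8_t *read_bytes(wire_t *w, uint32_t *n) {
    *n = read_u32(w);
    if (w->status) return NULL;
    if (*n > MAX_ALLOC) { w->status = ENOMEM; return NULL; }
    if (*n > w->len - w->pos) { w->status = EINVAL; return NULL; }
    w->pos += *n;
    return *n ? w->buf + w->pos - *n : NULL;
}

/* Returns 0 on success; on any decode error the whole reply is cleared. */
int decode_reply(wire_t *w, reply_t *r) {
    uint32_t rlen = 0;
    r->value = read_bytes(w, &r->value_size);
    r->resource = (const char *)read_bytes(w, &rlen);
    /* A string field must be NUL-terminated inside the buffer before strlen() is safe. */
    if (!w->status && r->resource && r->resource[rlen - 1] != '\0') w->status = EINVAL;
    if (w->status) memset(r, 0, sizeof *r);
    return w->status;
}

/* Caller: 1 if the peer asks for authorization, 0 if not, -1 if the reply is unusable. */
int auth_requested(const uint8_t *msg, size_t len) {
    wire_t w = { msg, len, 0, 0 };
    reply_t r;
    memset(&r, 0x58, sizeof r); /* simulate stale stack contents in the reply struct */
    if (decode_reply(&w, &r) != 0) return -1; /* check status before touching r.resource */
    return r.resource != NULL && strlen(r.resource) > 0;
}
```

Without the status check and the clearing `memset` in `decode_reply`, the oversized-length case would leave `r.resource` at its stale 0x58-pattern value and the `strlen` call would fault.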