[Pkg-utopia-maintainers] Bug#947891: avahi-daemon: segfaults after upgrade to buster with airprint service

Andreas Henriksson andreas at fatal.se
Thu Jan 2 08:41:50 GMT 2020


Control: found -1 0.7-5
Control: tags -1 + confirmed upstream

Hello Ian Chard,

Thanks for your bug report. I can confirm that I can reproduce this also on unstable.

On Wed, Jan 01, 2020 at 07:45:29PM +0000, Ian Chard wrote:
> Package: avahi-daemon
> Version: 0.7-4+b1
> Severity: important
> 
> Hi,
> 
> After upgrading to buster avahi-daemon segfaults immediately on startup.
> If I run with --debug I see:
> 
> Found user 'avahi' (UID 113) and group 'avahi' (GID 118).
> Successfully dropped root privileges.
> avahi-daemon 0.7 starting up.
> Loading service file /etc/avahi/services/AirPrint-printer.service.
> Segmentation fault
> 
> I have one file in /etc/avahi/services (filename above) the contents of
> which are:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
> <service-group>
>    <name replace-wildcards="yes">AirPrint printer @ %h</name>
>    <service>
>       <type>_ipp._tcp</type>
>       <subtype>_universal._sub._ipp._tcp</subtype>
>       <port>631</port>
>       <txt-record>txtvers=1</txt-record>
>       <txt-record>qtotal=1</txt-record>
>       <txt-record>Transparent=T</txt-record>
>       <txt-record>URF=none</txt-record>
>       <txt-record>rp=printers/printer</txt-record>
>       <txt-record>note=</txt-record>

The above line is the one triggering the problem. Changing it to e.g.
this makes the problem go away:

	<txt-record>note=foobar</txt-record>

>       <txt-record>product=(GPL Ghostscript)</txt-record>
>       <txt-record>printer-state=3</txt-record>
>       <txt-record>printer-type=0x1014</txt-record>
>       <txt-record>pdl=application/octet-stream,application/pdf,application/postscript,application/vnd.cups-raster,image/gif,image/jpeg,image/png,image/tiff,image/urf,text/html,text/plain,application/vnd.adobe-reader-postscript,application/vnd.cups-pdf</txt-record>
>    </service>
> </service-group>
> 
> For info the file was generated by
> https://github.com/tjfontaine/airprint-generate.  I've added line breaks
> for clarity (the daemon still fails with the line breaks present).

Thanks a lot for the details you provided. The next step since this is a
segmentation fault happening would be to get a backtrace WITH debug
symbols. FYI https://wiki.debian.org/HowToGetABacktrace
Such a backtrace is provided below...



This is where the actual explosion happens:
https://sources.debian.org/src/avahi/0.7-5/avahi-daemon/static-services.c/#L630

(Unfortunately both u and u->buf are optimized out so can't really get much useful
info out of them without a non-optimized build.)


Here are some interesting places in the code for the m_endElementHandler
callback setup:

https://sources.debian.org/src/expat/2.2.9-1/expat/lib/xmlparse.c/#L2845

https://sources.debian.org/src/avahi/0.7-5/avahi-daemon/static-services.c/#L810

https://sources.debian.org/src/avahi/0.7-5/avahi-daemon/static-services.c/#L567



This backtrace was gathered with avahi-daemon-dbgsym and libexpat1-dbgsym installed:


sudo gdb /usr/sbin/avahi-daemon 
GNU gdb (Debian 8.3.1-1) 8.3.1
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/sbin/avahi-daemon...
Reading symbols from /usr/lib/debug/.build-id/8d/8043bbbc961d10fc363207d584de575181c079.debug...
(gdb) run
Starting program: /usr/sbin/avahi-daemon 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Process 29278 died: No such process; trying to remove PID file. (/run/avahi-daemon//pid)
Found user 'avahi' (UID 107) and group 'avahi' (GID 112).
Successfully dropped root privileges.
[Detaching after fork from child process 29391]
avahi-daemon 0.7 starting up.
Successfully called chroot().
Successfully dropped remaining capabilities.
Loading service file /services/AirPrint-printer.service.

Program received signal SIGSEGV, Segmentation fault.
__strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
120	../sysdeps/x86_64/multiarch/../strlen.S: No such file or directory.
(gdb) bt
#0  __strlen_sse2 () at ../sysdeps/x86_64/multiarch/../strlen.S:120
#1  0x000055555555f68f in xml_end (el=<optimized out>, data=0x7fffffffe2a0) at static-services.c:630
#2  xml_end (data=0x7fffffffe2a0, el=<optimized out>) at static-services.c:567
#3  0x00007ffff7f448aa in doContent (parser=parser@entry=0x555555580d10, startTagLevel=startTagLevel@entry=0, enc=<optimized out>, 
    s=s@entry=0x55555558149b "<service-group>\n   <name replace-wildcards=\"yes\">AirPrint printer @ %h</name>\n   <service>\n      <type>_ipp._tcp</type>\n      <subtype>_universal._sub._ipp._tcp</subtype>\n      <port>631</port>\n      "..., end=end@entry=0x55555558181e "", nextPtr=nextPtr@entry=0x555555580d40, haveMore=1 '\001') at ../../src/lib/xmlparse.c:2845
#4  0x00007ffff7f4557c in contentProcessor (parser=parser@entry=0x555555580d10, 
    start=start@entry=0x55555558149b "<service-group>\n   <name replace-wildcards=\"yes\">AirPrint printer @ %h</name>\n   <service>\n      <type>_ipp._tcp</type>\n      <subtype>_universal._sub._ipp._tcp</subtype>\n      <port>631</port>\n      "..., end=end@entry=0x55555558181e "", endPtr=endPtr@entry=0x555555580d40) at ../../src/lib/xmlparse.c:2444
#5  0x00007ffff7f42a73 in doProlog (parser=parser@entry=0x555555580d10, enc=0x7ffff7f649e0 <utf8_encoding>, 
    s=0x55555558149b "<service-group>\n   <name replace-wildcards=\"yes\">AirPrint printer @ %h</name>\n   <service>\n      <type>_ipp._tcp</type>\n      <subtype>_universal._sub._ipp._tcp</subtype>\n      <port>631</port>\n      "..., 
    s@entry=0x555555581440 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE service-group SYSTEM \"avahi-service.dtd\">\n<service-group>\n   <name replace-wildcards=\"yes\">AirPrint printer @ %h</name>\n   <service>\n      <type>_ipp._"..., end=end@entry=0x55555558181e "", tok=29, next=<optimized out>, nextPtr=0x555555580d40, haveMore=1 '\001', 
    allowClosingDoctype=1 '\001') at ../../src/lib/xmlparse.c:4371
#6  0x00007ffff7f43f3a in prologProcessor (parser=0x555555580d10, 
    s=0x555555581440 "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE service-group SYSTEM \"avahi-service.dtd\">\n<service-group>\n   <name replace-wildcards=\"yes\">AirPrint printer @ %h</name>\n   <service>\n      <type>_ipp._"..., end=0x55555558181e "", nextPtr=0x555555580d40) at ../../src/lib/xmlparse.c:4094
#7  0x00007ffff7f47b1c in XML_ParseBuffer (isFinal=0, len=<optimized out>, parser=0x555555580d10) at ../../src/lib/xmlparse.c:1893
#8  XML_ParseBuffer (parser=parser@entry=0x555555580d10, len=<optimized out>, isFinal=isFinal@entry=0) at ../../src/lib/xmlparse.c:1863
#9  0x0000555555560259 in static_service_group_load (g=g@entry=0x555555580b70) at static-services.c:828
#10 0x0000555555560bc0 in load_file (n=0x55555557ec00 "/services/AirPrint-printer.service") at static-services.c:862
#11 static_service_load (in_chroot=<optimized out>) at static-services.c:919
#12 0x000055555555b8b0 in run_server (c=0x555555576a20 <config>) at main.c:1235
#13 main (argc=<optimized out>, argv=<optimized out>) at main.c:1674
(gdb) up
#1  0x000055555555f68f in xml_end (el=<optimized out>, data=0x7fffffffe2a0) at static-services.c:630
630	                        value_buf_len = strlen(u->buf);
(gdb) print u
$1 = <optimized out>
(gdb) print u->buf
value has been optimized out
(gdb) 



Regards,
Andreas Henriksson
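
Added example, not part of the original message and not Avahi project code: a small lint that flags service files containing the construct identified above as the trigger, a <txt-record> of the form key= with nothing after the equals sign. That keys other than note= behave the same way is an assumption generalised from the one case in the report; the function names and the sample file are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample, reduced from the service file quoted in the report.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
   <name replace-wildcards="yes">AirPrint printer @ %h</name>
   <service>
      <type>_ipp._tcp</type>
      <port>631</port>
      <txt-record>txtvers=1</txt-record>
      <txt-record>note=</txt-record>
      <txt-record>URF=none</txt-record>
   </service>
</service-group>
"""

def empty_value_txt_records(xml_bytes):
    """Return the keys of <txt-record> entries written as 'key=' (empty value)."""
    root = ET.fromstring(xml_bytes)  # the external DTD is not fetched
    hits = []
    for rec in root.iter("txt-record"):
        key, sep, value = (rec.text or "").partition("=")
        # Assumption: any key with '=' and nothing after it is treated like 'note='.
        if sep and not value:
            hits.append(key.strip())
    return hits

def scan_directory(directory="/etc/avahi/services"):
    """Map each *.service file to its empty-value keys; parse failures are listed too."""
    report = {}
    for path in sorted(Path(directory).glob("*.service")):
        try:
            hits = empty_value_txt_records(path.read_bytes())
        except ET.ParseError as exc:
            report[str(path)] = [f"<parse error: {exc}>"]
            continue
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    print("sample:", empty_value_txt_records(SAMPLE))
    for path, keys in scan_directory().items():
        print(f"{path}: {', '.join(keys)}")
```

Run it before restarting avahi-daemon after an upgrade; a flagged record can be given a non-empty value, as in the note=foobar change above.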


