Drivers shipped by Kyocera gets segfault due thread conflict in 2.4.2

[zdohnal]

Describe the bug
Reported in Fedora as bug - to sum it up - install your Kyocera printer with the driver from the link and try to print

To Reproduce

1. $ lp -d <printer_installed_with_kyocera_driver_from_the_link> /etc/fstab
2. rastertokpsl crashes

июн 07 14:31:47 AmCave systemd-coredump[117131]: [🡕] Process 117128 (rastertokpsl) of user 4 dumped core.
                                                    
                                                    Module linux-vdso.so.1 with build-id bbfba337e4ff5782c225df596fd0560be96d05f2
                                                    Module libgpg-error.so.0 with build-id a53c231739d55cc39b97e28c36cd8b3e58a8f8f8
                                                    Metadata for module libgpg-error.so.0 owned by FDO found: {
                                                            "type" : "rpm",
                                                            "name" : "libgpg-error",
                                                            "version" : "1.45-1.fc36",
                                                            "architecture" : "x86_64",
                                                            "osCpe" : "cpe:/o:fedoraproject:fedora:36"
                                                    }
                                                    
                                                    Module libgcc_s.so.1 with build-id 1e82df1fa0e0de4d8382b75c0fa730e0672f1a47
                                                    Module libgcrypt.so.20 with build-id ab80eae398f8814c7dc7bfc27fa3724491a47294
                                                    Stack trace of thread 117128:
                                                    #0  0x00007f6e8411eebd _cupsRasterClearError (libcups.so.2 + 0x4aebd)
                                                    #1  0x00007f6e8411ef10 _cupsRasterNew (libcups.so.2 + 0x4af10)
                                                    #2  0x0000000000406cdf n/a (rastertokpsl + 0x6cdf)
                                                    #3  0x00007f6e841a2550 __libc_start_call_main (libc.so.6 + 0x29550)
                                                    #4  0x00007f6e841a2609 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x29609)
                                                    #5  0x000000000040799d n/a (rastertokpsl + 0x799d)
                                                    ELF object binary architecture: AMD x86-64

Expected behavior
No crash.

System Information:

• Fedora 36
• 'lp'
• CUPS 2.4.2

Additional context
More debugging information are provided in Fedora bugzilla - I was able to found out it happens because _cupsGlobals() returns NULL in _cupsRasterClearError() and then dereferences it and I've tracked the issue had started to happen after our commit for multithreaded glibc functions.

[michaelrsweet]

Interesting because _cupsGlobals will only return NULL if the malloc fails, and that code did not change...

[LorenzISR]

I am not sure if this is related, but if I am trying to add a Kyocera printer using the cups web-UI it says "Unable to get list of printer drivers: Internal Server Error" /var/log/cups/error_log has this:
PID 4562 (/usr/lib/cups/daemon/cups-driverd) crashed on signal 11.

I am on Alpine Linux edge. It broke after I updated it today (I probably last updated a week ago). I don't have time to investigate this further currently, but if I find some more information, I'll add it later.

[zdohnal]

Hi @LorenzISR ,

thank you for the info! It looks like a different issue - the one crashing here in this issue is Kyocera filter during printing. Once you get to the issue again, please open a new issue, upload a full backtrace of the crash and more detailed steps how to got the issue (detailed steps+your cups version+if it happens everytime).

[zdohnal]

@michaelrsweet I was wrong - _cupsGlobals() returns a pointer, but the pointer can't be accessed:

Breakpoint 2, _cupsRasterClearError () at raster-error.c:98
98	  _cups_globals_t	*cg = _cupsGlobals();
(gdb) disable br 1
(gdb) n
100	  _cups_raster_error_t	*buf = &cg->raster_error;
(gdb) p cg
$2 = (_cups_globals_t *) 0x651a20
(gdb) p *cg
Cannot access memory at address 0x655000

it happens because pthread_setspecific() gets inaccessible pointer from cups_globals_allocate():

(gdb) p value
$5 = (const void *) 0x651a20
(gdb) p *(_cups_globals_t*)value
Cannot access memory at address 0x655000

I was able to track that it the new array in _cups_globals_t (pw_buf) was causing this - moving the buffer to a local variable does the trick.

[zdohnal]

3257232 fixes the issue, thank you, Mike!