colord-sane segfaults on boot/restart via systemd

[mlmatlock]

Starting (on boot/restarting via systemd) colord v1.4.7 on Arch (kernel 6.7.1, systemd 255) causes colord-sane (1.4.7) to segfault.

TIME                        PID UID GID SIG     COREFILE EXE                    SIZE
Wed 2024-01-24 10:38:54 EST 761 976 976 SIGSEGV present  /usr/lib/colord-sane 919.2K

coredumpctl stacktrace

full backtrace

Issue not present in v 1.4.6.

[Ferdi265]

I have the same issue, and observe the same backtrace. I debugged this, and it seems the issue is in hplip io/hpmud/musb.c. The call to libusb_init() fails and there is no check for it, resulting in a null pointer dereference later down the line. I'm not sure what causes libusb to fail initializing here, but not handling that correctly is definitely what causes the crash.

The crash started appearing for me after I installed hplip, but didn't happen before, so that is another indicator why this could be the reason.

The crash happens on my laptop when booted up without any scanner or printer attached. Restarting the colord service immediately triggers the crash. I figure this crash is probably reproducible on other systems as well by just having hplip and colord-sane installed, no HP scanner required.

This patch fixes the immediate crash for me:

--- src/hplip-3.23.12/io/hpmud/musb.c   2023-11-27 16:06:40.000000000 +0100
+++ src/hplip-3.23.12/io/hpmud/musb2.c  2024-01-30 00:22:19.025763255 +0100
@@ -2055,7 +2055,7 @@
     char serial[128], mfg[128], sz[HPMUD_LINE_SIZE];
     int r, size=0;
 
-    libusb_init(&ctx);
+    if (libusb_init(&ctx) != 0) return 0;
     numdevs = libusb_get_device_list(ctx, &list);
 
     if (numdevs <= 0)

There are more unchecked calls to libusb functions like this, and the same unchecked call to libusb_init() is done in 3 more places in the same file as well.

I'm pretty sure this is not an upstream colord issue, it's an hplip issue.

[Ferdi265]

I bisected this, and the issue in hplip is much older, but the crash was uncovered by colord commit d735245. Specifically, RestrictAddressFamilies=AF_UNIX in the systemd service file causes libusb_init() in hplip to fail.

[hughsie]

I'd be fine dropping RestrictAddressFamilies=AF_UNIX -- does that solve the issue? Can you do a PR please?

[Ferdi265]

Removing that line definitely avoids the crash, though I can't say if it's enough to make HP USB scanners work properly with colord, since I don't have any such devices to test with.

I will open a PR for removing that line.