Version: 2.2.3-1 (Debian package)
Environment: Debian Sid, amd64, Linux 6.18.1
The problem: it crashes, but only when it is expected to print some information. gddcutil still works, ddcui works, "ddcutil getvcp ..." or "ddcutil setvcp ..." in existing scripts work, and the "detect" command works.
But "capabilities" fails (a segfault, pretty quickly), and so does "interrogate" (just much later).
The backtrace indicates a bad parameter to a vsnprintf call or similar. However, running this under valgrind prevents the crash while reporting an invalid read. It smells like a use-after-free type of issue: valgrind shows the read lands inside a block that was allocated by g_path_get_basename and already freed in is_traced_file (trace_control.c:464) before rpt_vstring formats the capabilities string.
==1901262== Command: src/ddcutil capabilities
==1901262==
==1901262== Invalid read of size 1
==1901262== at 0x49D3CE6: strlen (vg_replace_strmem.c:506)
==1901262== by 0x4DB9ABF: __printf_buffer (vfprintf-process-arg.c:443)
==1901262== by 0x4DDDCFB: __vsnprintf_internal (vsnprintf.c:96)
==1901262== by 0x40DED4C: xvrpt_vstring (in /home/build/git/ddcutil/src/ddcutil)
==1901262== by 0x40DEE77: rpt_vstring (in /home/build/git/ddcutil/src/ddcutil)
==1901262== by 0x407DE69: dyn_report_parsed_capabilities (dyn_parsed_capabilities.c:589)
==1901262== by 0x40514DD: app_show_parsed_capabilities (app_capabilities.c:106)
==1901262== by 0x4051741: app_capabilities (app_capabilities.c:139)
==1901262== by 0x4043A9B: execute_cmd_with_optional_display_handle (main.c:771)
==1901262== by 0x4046116: main (main.c:1459)
==1901262== Address 0x61b7189 is 25 bytes inside a block of size 26 free'd
==1901262== at 0x49CD87F: free (vg_replace_malloc.c:989)
==1901262== by 0x40CFFB8: is_traced_file (trace_control.c:464)
==1901262== by 0x40A948D: is_tracing (core.c:415)
==1901262== by 0x40AA236: dbgtrc (core.c:776)
==1901262== by 0x407DDBC: dyn_report_parsed_capabilities (dyn_parsed_capabilities.c:576)
==1901262== by 0x40514DD: app_show_parsed_capabilities (app_capabilities.c:106)
==1901262== by 0x4051741: app_capabilities (app_capabilities.c:139)
==1901262== by 0x4043A9B: execute_cmd_with_optional_display_handle (main.c:771)
==1901262== by 0x4046116: main (main.c:1459)
==1901262== Block was alloc'd at
==1901262== at 0x49CA818: malloc (vg_replace_malloc.c:446)
==1901262== by 0x4C01CB1: g_malloc (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8600.3)
==1901262== by 0x4BE2A4B: g_path_get_basename (in /usr/lib/x86_64-linux-gnu/libglib-2.0.so.0.8600.3)
==1901262== by 0x40CFF6F: is_traced_file (trace_control.c:461)
==1901262== by 0x40A948D: is_tracing (core.c:415)
==1901262== by 0x40AA236: dbgtrc (core.c:776)
==1901262== by 0x407DDBC: dyn_report_parsed_capabilities (dyn_parsed_capabilities.c:576)
==1901262== by 0x40514DD: app_show_parsed_capabilities (app_capabilities.c:106)
==1901262== by 0x4051741: app_capabilities (app_capabilities.c:139)
==1901262== by 0x4043A9B: execute_cmd_with_optional_display_handle (main.c:771)
==1901262== by 0x4046116: main (main.c:1459)
==1901262==
capabilities string:
Errors parsing capabilities string:
Invalid VCP value in list for feature xe2: _COLOR_IS_USER _COLOR_IS_STANDARD _COLOR_IS_ECO _COLOR_IS_GRAPHICS _COLOR_IS_MOVIE _COLOR_IS_sRGB _COLOR_IS_REC709 _COLOR_IS_HDR _VCP_E2h_Save_sRGB _VCP_E2h_Save_Reading _VCP_E2h_Save_Darkroom
Model: ACER B277U E
MCCS version: 2.2
Commands:
Op Code: 01 (VCP Request)
Op Code: 02 (VCP Response)
Op Code: 03 (VCP Set)
Op Code: 07 (Timing Request)
Op Code: 0C (Save Settings)
Op Code: E3 (Capabilities Reply)
Op Code: F3 (Capabilities Request)
(gdb) bt full
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
No locals.
#1 0x00007ffff7a65ac0 in __printf_buffer (buf=buf@entry=0x7fffffffd740, format=0x5555556800ec "%s capabilities string: %s", ap=0x7fffffffd918, mode_flags=2) at ./stdio-common/vfprintf-process-arg.c:443
len = <optimized out>
iter = {remaining_in_current_group = 1, remaining = 0, groupings = 0x200000000 <error: Cannot access memory at address 0x200000000>, non_repeating_groups = 1432986548, separators = 21845}
octal_marker = <optimized out>
ptrptr = 0x73
written = <optimized out>
number_slow_path = <optimized out>
number_length = <optimized out>
prec_inc = <optimized out>
signed_number = <optimized out>
step0_jumps = {0, 1407, 1295, 2615, 2527, 1791, 1695, 1935, 2879, 1455, 4367, 2791, 2703, 679, 1895, 4575, 4351, 4559, 2167, 319, 1159, 1007, 3087, 4455, 1567, 783, 319, 3999, 679, 2079, 3879, 4087}
space = <optimized out>
is_short = <optimized out>
use_outdigits = <optimized out>
step1_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 1455, 4367, 2791, 2703, 679, 1895, 4575, 4351, 4559, 2167, 319, 1159, 1007, 3087, 4455, 1567, 783, 319, 3999, 679, 0, 3879, 4087}
group = <optimized out>
prec = <optimized out>
is_fast = <optimized out>
step2_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4367, 2791, 2703, 679, 1895, 4575, 4351, 4559, 2167, 319, 1159, 1007, 3087, 4455, 1567, 783, 319, 3999, 679, 0, 3879, 4087}
string = <optimized out>
left = 0
is_long_double = <optimized out>
width = <optimized out>
bitwidth = <optimized out>
step3a_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4263, 0, 0, 0, 1895, 4575, 4351, 4559, 2167, 0, 0, 0, 0, 4455, 0, 0, 0, 0, 0, 0, 3879, 0}
alt = <optimized out>
showsign = <optimized out>
is_long = <optimized out>
is_char = <optimized out>
pad = 32 ' '
step3b_jumps = {0 <repeats 11 times>, 2703, 0, 0, 1895, 4575, 4351, 4559, 2167, 319, 1159, 1007, 3087, 4455, 1567, 783, 319, 0, 0, 0, 3879, 0}
step4_jumps = {0 <repeats 14 times>, 1895, 4575, 4351, 4559, 2167, 319, 1159, 1007, 3087, 4455, 1567, 783, 319, 0, 0, 0, 3879, 0}
is_negative = <optimized out>
number = <optimized out>
base = <optimized out>
the_arg = {pa_wchar = 0 L'\000', pa_int = 0, pa_long_int = 0, pa_long_long_int = 0, pa_u_int = 0, pa_u_long_int = 0, pa_u_long_long_int = 0, pa_double = 0, pa_long_double = <invalid float value>, pa_float128 = -nan(0xffffffffffff0000000000000000), pa_string = 0x0, pa_wstring = 0x0,
pa_pointer = 0x0, pa_user = 0x0}
spec = <optimized out>
thousands_sep = <optimized out>
grouping = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>
f = <optimized out>
lead_str_end = 0x5555556800ec "%s capabilities string: %s"
end_of_spec = <optimized out>
work_buffer = "\300\331\377\377\377\177\000\000\000\331\377\377\377\177\000\000<u\240\367\377\177\000\000\312\331\374\367\377\177\000\000\r\004\000\000\000\000\000\000\370\300\241\367\377\177\000\000\240:\312\367\377\177\000\000\310\323\377\377\377\177\000\000\304\323\377\377\377\177\000\000x-iUUU\000\000\205PVUUU\000\0000\217UUUU\000\000\240\324\377\377\377\177\000\000\v\325\374\367\377\177\000\000P\\\302\367\377\177\000\000\304\323\377\377&\000\000\000\262\323\377\377\377\177\000\000\260\327\377\377\377\177\000\000\260\323\377\377\377\177\000\000\000\004\000\000\000\000\000\0002\000\000\000\000\000\000\000\370\300\241\367\377\177\000\000\240:\312\367\377\177\000\000H\324\377\377\377\177\000\000D\324\377\377\377\177\000\000"...
workend = 0x7fffffffd6f8 ""
ap_save = {{gp_offset = 32, fp_offset = 48, overflow_arg_area = 0x7fffffffd9f0, reg_save_area = 0x7fffffffd930}}
nspecs_done = 0
save_errno = 0
readonly_format = readonly_noerror
do_longlong_number = <optimized out>
#2 0x00007ffff7a89cfc in __vsnprintf_internal (string=<optimized out>, maxlen=<optimized out>, format=<optimized out>, args=<optimized out>, mode_flags=<optimized out>) at ./libio/vsnprintf.c:96
buf = {base = {write_base = 0x5555556ed340 "", write_ptr = 0x5555556ed340 "", write_end = 0x5555556ed538 "1", written = 0, mode = __printf_buffer_mode_snprintf},
discard = "02 03 04)) mswhql(1)asset_eep(40)mccs_ver(2.2))\000B _VCP_E2h_Save_Reading _VCP_E2h_Save_Darkroom)E3 E4 E5 E7(00 01 02) E8(00 01 "}
#3 0x0000555555632d4d in xvrpt_vstring ()
No symbol table info available.
#4 0x0000555555632e78 in rpt_vstring ()
No symbol table info available.
#5 0x00005555555d1e6a in dyn_report_parsed_capabilities (pcaps=0x5555556f5370, dh=0x5555556ed0d0, dref=0x5555556eb710, depth=0) at dyn_parsed_capabilities.c:589
d0 = 0
d1 = 1
d2 = 2
debug = false
__PRETTY_FUNCTION__ = "dyn_report_parsed_capabilities"
__func__ = "dyn_report_parsed_capabilities"
--Type <RET> for more, q to quit, c to continue without paging--
saved_prefix_report_output = true
has_error_messages = true
output_level = DDCA_OL_NORMAL
damaged = 85
vspec = {major = 0 '\000', minor = 0 '\000'}
#6 0x00005555555a54de in app_show_parsed_capabilities (dh=dh@entry=0x5555556ed0d0, pcap=pcap@entry=0x5555556f5370) at app_capabilities.c:106
debug = false
__func__ = "app_show_parsed_capabilities"
__PRETTY_FUNCTION__ = "app_show_parsed_capabilities"
#7 0x00005555555a5742 in app_capabilities (dh=dh@entry=0x5555556ed0d0) at app_capabilities.c:139
pcaps = 0x5555556f5370
ol = <optimized out>
debug = false
__func__ = "app_capabilities"
capabilities_string = 0x5555556ecae0 "(prot(monitor)type(LCD)model(ACER B277U E)cmds(01 02 03 07 0C E3 F3)vcp(04 10 12 14(05 06 08 0B) 16 18 1A 59 5A 5B 5C 5D 5E 60(0F 11 12)62 9B 9C 9D 9E 9F A0 D6 E0(00 04 05 09 0A) E1(00 01 02) E2(_C"...
ddcrc = 0
fout = <optimized out>
#8 0x0000555555597a9c in execute_cmd_with_optional_display_handle (parsed_cmd=parsed_cmd@entry=0x5555556e2220, dh=0x5555556ed0d0) at main.c:771
ddcrc = <optimized out>
debug = false
__func__ = "execute_cmd_with_optional_display_handle"
main_rc = 0
__PRETTY_FUNCTION__ = "execute_cmd_with_optional_display_handle"
#9 0x000055555559a117 in main (argc=<optimized out>, argv=<optimized out>) at main.c:1459
dh = 0x5555556ed0d0
rc = <optimized out>
useful_bus_ct = <optimized out>
dref = 0x5555556eb710
main_debug = false
s = <optimized out>
main_rc = <optimized out>
start_time_reported = <optimized out>
explicit_syslog_level = <optimized out>
syslog_opened = true
preparse_verbose = <optimized out>
skip_config = <optimized out>
parsed_cmd = 0x5555556e2220
traced_function_stack_initialized = true
program_start_time = 1766176664
program_start_time_s = <optimized out>
__func__ = "main"
new_argv = 0x5555556e2170
new_argc = 2
untokenized_cmd_prefix = 0x0
configure_fn = 0x0
preparsed_level = <optimized out>
__PRETTY_FUNCTION__ = "main"
parser_errmsgs = <optimized out>
errs = <optimized out>
callopts = 0 '\000'
values = <optimized out>
end_time = 140737350916864
end_time_s = <optimized out>
(gdb)