[BRLTTY] Crash of BRLTTY in X session
Sebastian Humenda
shumenda at gmx.de
Wed Feb 26 08:29:25 UTC 2025
Hi
Samuel Thibault wrote on 27.01.2025, 0:21 +0100:
>Sebastian Humenda wrote on Thu, 09 Jan 2025 18:05:13 +0100:
>> I took the packaging of BRLTTY 6.7-8 (a few weeks back). The crashes
>> got more frequent.
[…]
>Actually, looking at the code again, and checking the libasan code, the
>glob bug is in libasan which doesn't actually cope with GLOB_DOOFFS.
>
>Could you try the attached patch instead? It should avoid the libasan
>bug.
Thanks, this works now. I've applied your patch to the Debian packaging of
BRLTTY, i.e. version 6.7.

Before I could reproduce the X bug, I now got a crash
when detaching my braille device from its USB port. It's a magnetic charger,
so that happens every now and then.

The ASAN output is below. It didn't figure out the line numbers. If this is
too vague, I have to try and change the way I get the ASAN output.

Thanks
Sebastian
===
brltty: unsupported generic resource identifier: ttyUSB0
unsupported generic resource identifier: ttyUSB0
brltty: unsupported generic resource identifier: ttyUSB0
unsupported generic resource identifier: ttyUSB0
brltty: unsupported generic resource identifier: ttyUSB0
unsupported generic resource identifier: ttyUSB0
brltty: unsupported generic resource identifier: ttyUSB0
USB configuration set error 16: Device or resource busy
brltty: USB configuration set error 16: Device or resource busy
brltty: USB interface in use: 0 (usbhid)
USB interface in use: 0 (usbhid)
Braille Driver: ht [HandyTech] Version:0.6
brltty: Braille Driver: ht [HandyTech] Version:0.6
Speech Driver: sd [SpeechDispatcher]
brltty: Speech Driver: sd [SpeechDispatcher]
Speech Driver: sd [SpeechDispatcher]
brltty: Speech Driver: sd [SpeechDispatcher]
USB URB status error 32: Broken pipe
brltty: USB URB status error 32: Broken pipe
brltty: braille input monitor error 19: No such device
braille input monitor error 19: No such device
USB bulk transfer error 108: Cannot send after transport endpoint shutdown
brltty: USB bulk transfer error 108: Cannot send after transport endpoint shutdown
=================================================================
==208649==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0019f8101 at pc 0x55de2ae390a3 bp 0x7fff172e34a0 sp 0x7fff172e3498
READ of size 1 at 0x60c0019f8101 thread T0
#0 0x55de2ae390a2 in usbCancelRequest ??:?
#1 0x55de2ae28e6c in usbDeallocatePendingInputRequest usb.c:?
#2 0x55de2ad68398 in removeItem queue.c:?
#3 0x55de2ad683e4 in discardElement queue.c:?
#4 0x55de2ad6897b in deleteElement ??:?
#5 0x55de2ad6917e in deleteElements ??:?
#6 0x55de2ae27b26 in usbFinishEndpoint usb.c:?
#7 0x55de2ad698ef in processQueue ??:?
#8 0x55de2ae27b97 in usbRemoveEndpoints usb.c:?
#9 0x55de2ae2816c in usbCloseInterface ??:?
#10 0x55de2ae2863f in usbCloseDevice ??:?
#11 0x55de2ae2c589 in usbCloseChannel ??:?
#12 0x55de2ae4dfaa in disconnectUsbResource gio_usb.c:?
#13 0x55de2ae4afcd in gioDisconnectResource ??:?
#14 0x55de2ae1b32a in disconnectBrailleResource ??:?
#15 0x7ff8a203f0a6 in ?? ??:0
#16 0x55de2ad7cc2a in destructBrailleDriver ??:?
#17 0x55de2ad7d8ee in deactivateBrailleDriver config.c:?
#18 0x55de2ad7dcba in stopBrailleDriver config.c:?
#19 0x55de2ad7dd17 in stopBrailleDriverActivity config.c:?
#20 0x55de2ad84ae4 in stopActivity ??:?
#21 0x55de2ad7df4a in disableBrailleDriver ??:?
#22 0x55de2ad7dfad in restartBrailleDriver ??:?
#23 0x55de2ad35181 in handleBrailleDriverFailed core.c:?
#24 0x55de2ad3556c in brlttyWait ??:?
#25 0x55de2ad2dad7 in brlttyRun brltty.c:?
#26 0x55de2ad2db10 in main ??:?
#27 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#28 0x7ff8a9a46304 in __libc_start_main_impl ../csu/libc-start.c:360
#27 0x55de2ad2da00 in _start ??:?
0x60c0019f8101 is located 1 bytes inside of 120-byte region [0x60c0019f8100,0x60c0019f8178)
freed by thread T0 here:
#0 0x7ff8ac4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
#28 0x55de2ae3b6bb in usbHandleCompletedInputRequests ??:?
#29 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
#30 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
#31 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
#32 0x55de2ad5bf06 in awaitAction async_wait.c:?
#33 0x55de2ad5c1ef in asyncAwaitCondition ??:?
#34 0x55de2ad3547b in brlttyWait ??:?
#35 0x55de2ad2dad7 in brlttyRun brltty.c:?
#36 0x55de2ad2db10 in main ??:?
#10 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
previously allocated by thread T0 here:
#0 0x7ff8ac4b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#37 0x55de2ae38625 in usbMakeURB usb_linux.c:?
#38 0x55de2ae38df6 in usbSubmitRequest ??:?
#39 0x55de2ae28fd0 in usbAddPendingInputRequest usb.c:?
#40 0x55de2ae290e0 in usbEnsurePendingInputRequests usb.c:?
#41 0x55de2ae293c8 in usbHandleInputResponse ??:?
#42 0x55de2ae3a991 in usbHandleInputURB usb_linux.c:?
#43 0x55de2ae3b472 in usbHandleCompletedInputRequest usb_linux.c:?
#44 0x55de2ae3b668 in usbHandleCompletedInputRequests ??:?
#45 0x55de2ad5e975 in invokeMonitorCallback async_io.c:?
#46 0x55de2ad5fcef in asyncExecuteIoCallback ??:?
#47 0x55de2ad5bbde in ioCallbackExecuter async_wait.c:?
#48 0x55de2ad5bf06 in awaitAction async_wait.c:?
#49 0x55de2ad5c1ef in asyncAwaitCondition ??:?
#50 0x55de2ad3547b in brlttyWait ??:?
#51 0x55de2ad2dad7 in brlttyRun brltty.c:?
#52 0x55de2ad2db10 in main ??:?
#17 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/bin/brltty+0x1b80a2) in usbCancelRequest
==208649==ABORTING
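
An added example, not part of the original message or of BRLTTY: the report has no line numbers, but its SUMMARY line gives the module offset of frame #0, which is enough to recover the load base of the PIE binary and turn every in-module frame address into an offset that `addr2line` can resolve. The function names and the 256 MiB module-size window are assumptions of this sketch; `SAMPLE` is an excerpt of the report above.

```python
import re

FRAME_RE = re.compile(r"#(\d+)\s+(0x[0-9a-f]+)\s+in\s+(\S+)")
SUMMARY_RE = re.compile(
    r"SUMMARY: AddressSanitizer: \S+ \((.+)\+(0x[0-9a-f]+)\) in (\S+)")

# Excerpt of the report posted above (frames from the access and free stacks).
SAMPLE = """\
    #0 0x55de2ae390a2 in usbCancelRequest ??:?
    #1 0x55de2ae28e6c in usbDeallocatePendingInputRequest usb.c:?
    #27 0x7ff8a9a46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
freed by thread T0 here:
    #0 0x7ff8ac4b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #28 0x55de2ae3b6bb in usbHandleCompletedInputRequests ??:?
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/bin/brltty+0x1b80a2) in usbCancelRequest
"""

def load_base(report):
    """Return (module path, load base) from the SUMMARY offset and frame #0."""
    m = SUMMARY_RE.search(report)
    if m is None:
        raise ValueError("no SUMMARY line with module+offset")
    module, offset, func = m.group(1), int(m.group(2), 16), m.group(3)
    for f in FRAME_RE.finditer(report):
        if f.group(1) == "0" and f.group(3) == func:
            base = int(f.group(2), 16) - offset
            if base & 0xFFF:  # a mapped ELF image starts on a page boundary
                raise ValueError("derived base is not page aligned")
            return module, base
    raise ValueError("frame #0 for %s not found" % func)

def module_offsets(report, max_size=1 << 28):
    """List (function, offset) for frames inside the module.

    max_size is an assumed upper bound on the module's mapped size; frames
    in libc, libasan or driver objects fall outside it and are skipped.
    """
    module, base = load_base(report)
    frames = []
    for f in FRAME_RE.finditer(report):
        delta = int(f.group(2), 16) - base
        if 0 <= delta < max_size:
            frames.append((f.group(3), hex(delta)))
    return module, frames

def addr2line_command(report):
    """Build the addr2line argument list for all in-module frames."""
    module, frames = module_offsets(report)
    return ["addr2line", "-f", "-i", "-e", module] + [o for _, o in frames]

if __name__ == "__main__":
    print(" ".join(addr2line_command(SAMPLE)))
```

The resulting command only yields file and line information when debug information for the exact binary that produced the report is available.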