usb_modeswitch_dispatcher crashed with SIGSEGV in strrchr()

StacktraceTop:
 strrchr () at ../sysdeps/x86_64/strrchr.S:32
 main (argc=<optimized out>, argv=<optimized out>) at usb_modeswitch_dispatcher.c:769

Status changed to 'Confirmed' because the bug affects multiple users.

Very similar crash happens to me on Bionic as well. So far it seems to me that usb_modeswitch_dispatcher is called incorrectly and therefore it crashes when it eventually encounters a NULL pointer.

Ah, it starts to make sense. usb_modeswitch_dispatcher is called correctly, but it cannot find interface 0 on the device to be switched. However, dmesg contains warning about the same thing:

[ 2.369824] usb 1-11: new high-speed USB device number 5 using xhci_hcd
[ 2.520482] usb 1-11: config 1 has an invalid interface number: 8 but max is 3
[ 2.520484] usb 1-11: config 1 has no interface number 1
[ 2.520915] usb 1-11: config 2 has an invalid interface number: 12 but max is 1
[ 2.520916] usb 1-11: config 2 has an invalid interface number: 13 but max is 1
[ 2.520917] usb 1-11: config 2 has an invalid interface number: 13 but max is 1
[ 2.520918] usb 1-11: config 2 has no interface number 0
[ 2.520919] usb 1-11: config 2 has no interface number 1
[ 2.521502] usb 1-11: New USB device found, idVendor=1199, idProduct=9041, bcdDevice= 0.06
[ 2.521503] usb 1-11: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2.521504] usb 1-11: Product: EM7305
[ 2.521505] usb 1-11: Manufacturer: Sierra Wireless, Incorporated

I think that upgrading the modem firmware (I have Sierra Wireless EM7305) might help, but that does not fix the underlying bug / broken assumptions.

Hmmm, it seems that this bug exists *only* in Ubuntu and not in Debian. Ubuntu source package contains a patch that rewrites the usb_modeswitch_dispatcher program from Tcl to C. While there must have been good reasons to do this, there is at least one more bug in the rewritten version.

On line 422 in file usb_modeswitch_dispatcher.c there is an assignment of NULL to a char pointer. This pointer is later passed to printf when forming the usb_modeswitch command. Therefore there should be strdup("") instead of null pointer, as now usb_modeswitch is launched literally with "(null)" argument produced by printf.

Would it be possible to remove the rewrite and switch back to Tcl (at least for new releases of Ubuntu)? It seems that the upstream package has switched to some lightweight Tcl interpreter (Jim). This could remove some of the reasons why it had to be rewritten (extra dependencies, boot time?).

EDIT: the null-pointer bug only exists in Ubuntu, the interface error bug may exist in upstream as well.

I have tried installing the package from Buster. That has resolved the crash - the program ended gracefully. However the underlying problem is still there - devices without interface 0 will not work. I think this is present in upstream as well.

USB_ModeSwitch log from Wed Dec 25 16:35:30 CET 2019

Use global config file: /etc/usb_modeswitch.conf
Raw parameters: {--switch-mode} {1-11}
Use top device dir /sys/bus/usb/devices/1-11
Check class of first interface ...
 No access to interface 0. Exit

Upstream bugreport: http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=2&t=2915

I have realized that these are two different issues.

1) Ubuntu's version of usb_modeswitch_dispatcher crashes when there is no interface 0.
2) All versions exit prematurely (non-Ubuntu versions exit gracefully) and do not switch the device.

Therefore I'd include a fix only for (1) - to make the dispatcher exit gracefully. This could also pass as a SRU. I believe that this should go through SRU because a crash message pops out even when the system is booted from a Bionic live medium, which is a little annoying. However I have no association to Canonical, so this is not something that I can affect.

Resolving (2) requires more extensive changes that need to be discussed/merged in upstream first (it is sort of a new feature), so this could be integrated in further releases of Debian/Ubuntu.

Thanks for the thorough analysis!

I will check your patches and apply them upstream accordingly. It's amazing what device engineers come up with to make life more "interesting" ...

Thanks!

I have attached a patch for the Bionic release.

I am sorry for uploading the patches multiple times, I wanted them to be clean (i.e. patches ending with .patch, having consistent directory versions, etc)

The patch for bionic should be applicable to focal as well (current development branch; currently reading https://wiki.ubuntu.com/StableReleaseUpdates ).

The attachment "debian patch against usb-modeswitch_2.5.2+repack0-2ubuntu1" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

This is a debdiff for Bionic applicable to usb-modeswitch_2.5.2+repack0-2ubuntu1. I built this in pbuilder and it builds successfully, and I installed it, the patch works as intended.

The two patches inside the debdiff fix these bugs:

 * First issue is that usb_modeswitch_dispatcher.c crashes when a device presented to it has no USB interface 0. This is caused by improper checking for a NULL pointer returned by a interface-lookup function. It is fixed by adding a null-check and gracefully exiting the program if there is no interface 0. This should be consistent with how the upstream Tcl script handled this.

 * Second issue is that usb_modeswitch_dispatcher.c writes an unexpected literal "(null)" string to usb_modeswitch command line. This suprisingly does not cause any malfunction, because the argument is ignored by usb_modeswitch. The problem is caused by assignment of NULL to a variable where strdup("") should have been used instead. The problem is fixed by using strdup, which is consistent with how this was handled in other cases as well.

Thanks Jakub for the debugging work you put there and the fixes! I've upload now those changes to the current 'focal' Ubuntu serie (tweaking a bit the packaging, I merged the fixes in the patch doing the rewrite in C rather than stacking patches)

Some notes/questions

- the fixes look like they would be good to have in Bionic, for that we would need the bug to be SRU compliant first though (https://wiki.ubuntu.com/StableReleaseUpdates), which means to include a testcase which can be used to confirm the problem and that the fix work.

If someone having the issue would like to write that it would be nice (I guess it requires access to a specific hardware?)

- the patches are still not enough to make the modem work or are they? you said the second issue exists upstream still?

- we could reconsider dropping the rewrite but bringing a TCL stack even small, only for that one source has a cost in ISO size/maintainance (if we install tcl then we need to maintain it)

This bug was fixed in the package usb-modeswitch - 2.5.2+repack0-2ubuntu2

---------------
usb-modeswitch (2.5.2+repack0-2ubuntu2) focal; urgency=medium

  * debian/patches/dispatcher-c-rewrite.patch: fix SIGSEGV occuring when
    device has no usb interface 0 and serialization of a NULL pointer
    into usb_modeswitch cmdline (LP: #1676763)

 -- Jakub VanÄ›k <email address hidden> Sun, 29 Dec 2019 20:51:10 +0100

@Jakub, the change you proposed while fixing the segfault is creating issues for other users as description there

https://bugs.launchpad.net/ubuntu/+source/usb-modeswitch/+bug/1866926/comments/8

is that something you would be interesting in trying to resolve?

I've made an attempt to fix the problem of interfaces missing in the original Tcl wrapper. I intend to release 2.6.1 soon.

If anybody wants to test, the files are here:

https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?p=19605#p19605

FTR, uploaded 2.6.0-3 to Debian/unstable with the patch mentionned by @digidietze.

Thank you, I've tested the fix and it mostly works. However, a minor fixup is needed for flawless switching of this particular modem, see https://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=2&t=2915#p19606

I have released upstream version 2.6.1 which includes the fixes for recently reported problems.

As a reminder, the file

http://www.draisberghof.de/usb_modeswitch/usb-modeswitch-versions.xml

can be monitored for updates; it has download link and md5 value.