spice/server
Marc-Andre Lureau 2ec0791beb smartcard: add a ref to item before adding to pipe
There is an unref when the message is sent.

This is related to CVE-2016-0749

==17204== ERROR: AddressSanitizer: heap-use-after-free on address 0x6008000144a8 at pc 0x7fffee0ce245 bp 0x7fffffffc630 sp 0x7fffffffc620
READ of size 4 at 0x6008000144a8 thread T0
    #0 0x7fffee0ce244 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:608
    #1 0x7fffee0cb451 in smartcard_unref_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:178
    #2 0x7fffedfcdf14 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:330
    #3 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901
    #4 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990
    #5 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189
    #6 0x5555559375f1 in qemu_chr_fe_write /home/elmarco/src/qemu/qemu-char.c:220
    #7 0x555555b3b682 in ccid_card_vscard_send_msg.isra.2 /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:76
    #8 0x555555b3c466 in ccid_card_vscard_send_error /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:91
    #9 0x555555b3c466 in ccid_card_vscard_handle_message /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:242
    #10 0x555555b3c466 in ccid_card_vscard_read /home/elmarco/src/qemu/hw/usb/ccid-card-passthru.c:289
    #11 0x55555593f169 in vmc_write /home/elmarco/src/qemu/spice-qemu-char.c:41
    #12 0x7fffedfcee6d in spice_char_device_write_to_device /home/elmarco/src/spice/spice/server/char-device.c:477
    #13 0x7fffedfcfd31 in spice_char_device_write_buffer_add /home/elmarco/src/spice/spice/server/char-device.c:629
    #14 0x7fffee0ce9df in smartcard_channel_write_to_reader /home/elmarco/src/spice/spice/server/smartcard.c:675
    #15 0x7fffee0cc7db in smartcard_char_device_notify_reader_add /home/elmarco/src/spice/spice/server/smartcard.c:341
    #16 0x7fffee0ce4f3 in smartcard_add_reader /home/elmarco/src/spice/spice/server/smartcard.c:648
    #17 0x7fffee0cf2e2 in smartcard_channel_handle_message /home/elmarco/src/spice/spice/server/smartcard.c:763
    #18 0x7fffedffe21f in red_peer_handle_incoming /home/elmarco/src/spice/spice/server/red-channel.c:307
    #19 0x7fffedffe4f6 in red_channel_client_receive /home/elmarco/src/spice/spice/server/red-channel.c:325
    #20 0x7fffee00726c in red_channel_client_event /home/elmarco/src/spice/spice/server/red-channel.c:1566
    #21 0x555555c3c53d in qemu_iohandler_poll /home/elmarco/src/qemu/iohandler.c:143
    #22 0x555555c3b800 in main_loop_wait /home/elmarco/src/qemu/main-loop.c:504
    #23 0x5555556f160c in main_loop /home/elmarco/src/qemu/vl.c:1818
    #24 0x5555556f160c in main /home/elmarco/src/qemu/vl.c:4394
    #25 0x7fffed7d0b14 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/libc-start.c:274
    #26 0x5555556f9c20 in _start (/home/elmarco/src/qemu/x86_64-softmmu/qemu-system-x86_64+0x1a5c20)
0x6008000144a8 is located 24 bytes inside of 40-byte region [0x600800014490,0x6008000144b8)
freed by thread T0 here:
    #0 0x7ffff4e61009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61
    #1 0x7fffee0ce2a1 in smartcard_unref_vsc_msg_item /home/elmarco/src/spice/spice/server/smartcard.c:610
    #2 0x7fffee0cdd58 in smartcard_channel_release_pipe_item /home/elmarco/src/spice/spice/server/smartcard.c:548
    #3 0x7fffee000668 in red_channel_client_release_item /home/elmarco/src/spice/spice/server/red-channel.c:602
    #4 0x7fffee0006ef in red_channel_client_release_sent_item /home/elmarco/src/spice/spice/server/red-channel.c:609
    #5 0x7fffee0007b5 in red_channel_peer_on_out_msg_done /home/elmarco/src/spice/spice/server/red-channel.c:620
    #6 0x7fffedffed7e in red_peer_handle_outgoing /home/elmarco/src/spice/spice/server/red-channel.c:385
    #7 0x7fffee0057bb in red_channel_client_send /home/elmarco/src/spice/spice/server/red-channel.c:1294
    #8 0x7fffee0076e6 in red_channel_client_begin_send_message /home/elmarco/src/spice/spice/server/red-channel.c:1605
    #9 0x7fffee0cdccd in smartcard_channel_send_item /home/elmarco/src/spice/spice/server/smartcard.c:541
    #10 0x7fffee000570 in red_channel_client_send_item /home/elmarco/src/spice/spice/server/red-channel.c:588
    #11 0x7fffee005bfb in red_channel_client_push /home/elmarco/src/spice/spice/server/red-channel.c:1347
    #12 0x7fffee007ef7 in red_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/red-channel.c:1673
    #13 0x7fffee0cde4d in smartcard_channel_client_pipe_add_push /home/elmarco/src/spice/spice/server/smartcard.c:571
    #14 0x7fffee0cb567 in smartcard_send_msg_to_client /home/elmarco/src/spice/spice/server/smartcard.c:187
    #15 0x7fffedfcdba2 in spice_char_device_send_msg_to_clients /home/elmarco/src/spice/spice/server/char-device.c:282
    #16 0x7fffedfcdea4 in spice_char_device_read_from_device /home/elmarco/src/spice/spice/server/char-device.c:329
    #17 0x7fffedfd1763 in spice_char_device_wakeup /home/elmarco/src/spice/spice/server/char-device.c:901
    #18 0x7fffee05da98 in spice_server_char_device_wakeup /home/elmarco/src/spice/spice/server/reds.c:2990
    #19 0x55555593fa34 in spice_chr_write /home/elmarco/src/qemu/spice-qemu-char.c:189

Signed-off-by: Marc-Andre Lureau <marcandre.lureau@redhat.com>
2016-07-07 18:39:54 +02:00
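The commit message above describes a reference-counting ownership bug: the pipe drops a reference when the message is sent, but the caller never gave the pipe one of its own, so the caller's later unref lands on freed memory (the heap-use-after-free in the trace). The following is an added example, not spice's code, that models that ownership rule with an instrumented reference count: instead of calling free(), a release that brings the count to zero marks the item freed, and any later access is counted rather than being undefined behaviour. All names (MsgItem, ClientPipe, read_from_device) are hypothetical stand-ins for the server's pipe item and its push/send path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Instrumented stand-in for a refcounted pipe item. A release that drops
 * the count to zero sets `freed` instead of calling free(), so a later
 * access is recorded in `use_after_free` rather than crashing. */
typedef struct {
    int refs;
    bool freed;
    int use_after_free;   /* accesses (ref or unref) after the item was released */
} MsgItem;

static void item_init(MsgItem *it) {
    it->refs = 1;             /* the creator holds the first reference */
    it->freed = false;
    it->use_after_free = 0;
}

static void item_ref(MsgItem *it) {
    if (it->freed) { it->use_after_free++; return; }
    it->refs++;
}

static void item_unref(MsgItem *it) {
    if (it->freed) { it->use_after_free++; return; }   /* double release */
    if (--it->refs == 0) it->freed = true;             /* would be free() here */
}

/* One-slot client pipe. Whoever adds an item hands the pipe a reference,
 * and the pipe releases that reference once the item has been sent. */
typedef struct { MsgItem *pending; } ClientPipe;

static void pipe_add(ClientPipe *p, MsgItem *it) { p->pending = it; }

static void pipe_send(ClientPipe *p) {
    MsgItem *it = p->pending;
    p->pending = NULL;
    /* ... message bytes written to the client here ... */
    item_unref(it);           /* the "unref when the message is sent" */
}

typedef struct {
    int use_after_free;       /* 0 means every release hit live memory */
    bool released;            /* true means no reference was leaked */
} Outcome;

/* Device-side read path: the caller creates the message, pushes it to the
 * pipe, and later drops its own reference. With ref_before_add == false
 * this is the pre-fix flow: one reference, two owners, second release on
 * freed memory. With ref_before_add == true the pipe owns its own ref. */
static Outcome read_from_device(bool ref_before_add) {
    MsgItem msg;
    ClientPipe pipe = { NULL };
    Outcome out;

    item_init(&msg);
    if (ref_before_add) {
        item_ref(&msg);       /* the fix: take a ref for the pipe before adding */
    }
    pipe_add(&pipe, &msg);
    pipe_send(&pipe);         /* may run synchronously inside the push */
    item_unref(&msg);         /* caller releases its own reference */

    out.use_after_free = msg.use_after_free;
    out.released = msg.freed;
    return out;
}

int main(void) {
    Outcome buggy = read_from_device(false);
    Outcome fixed = read_from_device(true);
    printf("without ref: use-after-free accesses = %d, released = %d\n",
           buggy.use_after_free, buggy.released);
    printf("with ref:    use-after-free accesses = %d, released = %d\n",
           fixed.use_after_free, fixed.released);
    return 0;
}
```

The two runs show the property the fix restores: every owner that will call unref must hold its own reference, and the count still reaches zero once all owners are done, so the fix trades no leak for the double release. In a real build the same check is what AddressSanitizer performs at free() time, which is how the trace in the commit message was obtained.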
tests replay: better help for -s option 2016-01-07 18:18:15 +01:00
.gitignore Update the .gitignore files for the new manual, 2015-12-11 18:39:27 +01:00
agent-msg-filter.c server: Add support for filtering out agent file-xfer msgs (rhbz#961848) 2013-06-06 16:07:30 +02:00
agent-msg-filter.h server: Add support for filtering out agent file-xfer msgs (rhbz#961848) 2013-06-06 16:07:30 +02:00
char_device.c server: Use PRI macros in printf for 32/64 bit compatibility 2016-01-13 12:08:17 +01:00
char_device.h Add missing license headers 2015-12-11 18:41:19 +01:00
demarshallers.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
dispatcher.c server/dispatcher: add extra_dispatcher, hack for red_record 2015-08-20 17:47:24 +01:00
dispatcher.h Add missing license headers 2015-12-11 18:41:19 +01:00
glz_encode_match_tmpl.c Remove use of INLINE 2015-08-20 17:10:49 +01:00
glz_encode_tmpl.c remove wrong statement terminator from preprocessor macro 2015-08-25 16:26:49 +01:00
glz_encoder_config.h Remove use of INLINE 2015-08-20 17:10:49 +01:00
glz_encoder_dictionary_protected.h glz: WindowImageSegment lines lines_end as void* 2015-08-20 11:09:00 +01:00
glz_encoder_dictionary.c fix spelling mistakes in comments (reseting to resetting & dummym to dummy) 2015-12-11 18:39:31 +01:00
glz_encoder_dictionary.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
glz_encoder.c Remove use of INLINE 2015-08-20 17:10:49 +01:00
glz_encoder.h syntax-check: Don't use tabs for indentation 2015-12-11 18:39:49 +01:00
inputs_channel.c server/inputs_channel: Cope with NULL keyboard in release_keys() 2015-08-12 10:28:57 +02:00
inputs_channel.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
jpeg_encoder.c mjpeg and jpeg encoder: fix alignment warnings 2015-08-20 11:22:59 +01:00
jpeg_encoder.h Remove trailing whitespace from end of lines 2012-01-13 18:11:59 +02:00
lz4_encoder.c LZ4: Send the original format with the compressed data 2015-02-03 10:39:16 +01:00
lz4_encoder.h LZ4: Send the original format with the compressed data 2015-02-03 10:39:16 +01:00
main_channel.c Remove unused struct RedsOutItem 2015-08-11 17:24:36 +02:00
main_channel.h Move RedsMigSpice to main-channel.h 2015-08-11 17:24:36 +02:00
main_dispatcher.c Add missing license headers 2015-12-11 18:41:19 +01:00
main_dispatcher.h Add missing license headers 2015-12-11 18:41:19 +01:00
Makefile.am build-sys: Adjust to new spice-common spice-deps.m4 2015-12-11 18:42:18 +01:00
migration_protocol.h migration_protocol: use SPICE_MAGIC_CONST 2015-08-20 10:54:56 +01:00
mjpeg_encoder.c remove small leak in MJPEG code 2015-12-11 18:41:58 +01:00
mjpeg_encoder.h server: Remove the rate_control_is_active field from MJpegEncoder. 2015-06-29 18:04:12 +02:00
red_bitmap_utils.h improve performances comparing image pixels 2015-09-04 11:04:09 +01:00
red_channel.c red-channel: make red_client_{ref,unref} thread safe 2016-04-14 12:11:21 +02:00
red_channel.h RedChannel: remove unused BufDescriptor struct 2015-08-11 17:24:36 +02:00
red_client_cache.h Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
red_client_shared_cache.h Lock the pixmap image cache for the entire fill_bits call 2015-06-29 13:21:14 +02:00
red_common.h server: remove useless includes 2015-10-02 10:13:45 +01:00
red_dispatcher.c display: Advertise preferred compression cap 2015-09-24 11:06:42 +02:00
red_dispatcher.h Adjust to new SpiceImageCompress name 2015-07-29 17:40:48 +02:00
red_memslots.c memslot: do not crash if guest provide a wrong address 2016-03-29 11:54:24 +02:00
red_memslots.h server: remove memslot unused functions 2013-10-01 16:23:59 +02:00
red_parse_qxl.c factor out red_validate_surface function to validate surface parameters 2016-07-01 14:46:11 +02:00
red_parse_qxl.h factor out red_validate_surface function to validate surface parameters 2016-07-01 14:46:11 +02:00
red_record_qxl.c server: Use '%zu' to print size_t variables 2016-01-13 12:08:17 +01:00
red_record_qxl.h server/red_{record, replay}.[ch]: introduce 2015-08-21 09:38:44 +01:00
red_replay_qxl.c server: Fix conversions between QXLPHYSICAL and pointers 2016-01-13 12:08:17 +01:00
red_replay_qxl.h server/red_{record, replay}.[ch]: introduce 2015-08-21 09:38:44 +01:00
red_time.h Add missing license headers 2015-12-11 18:41:19 +01:00
red_worker.c improve primary surface parameter checks 2016-07-01 15:27:09 +02:00
red_worker.h server: remove hardcoded RED_MAX_RENDERERS 2015-09-01 14:17:10 +01:00
reds_gl_canvas.c Remove unused SPICE_CANVAS_INTERNAL 2014-12-03 18:32:04 +01:00
reds_gl_canvas.h Remove unused SPICE_CANVAS_INTERNAL 2014-12-03 18:32:04 +01:00
reds_stream.c syntax-check: Don't use tabs for indentation 2015-12-11 18:39:49 +01:00
reds_stream.h reds-stream: add reds_stream_get_family() function 2015-01-15 18:29:36 +01:00
reds_sw_canvas.c Remove unused SPICE_CANVAS_INTERNAL 2014-12-03 18:32:04 +01:00
reds_sw_canvas.h Remove unused SPICE_CANVAS_INTERNAL 2014-12-03 18:32:04 +01:00
reds-private.h Remove spice_server_set_keepalive_timeout 2016-03-10 16:49:36 +01:00
reds.c Revert "Set TCP_KEEPINTVL when enabling TCP keepalive" 2016-04-14 17:09:22 +02:00
reds.h Move RedsMigSpice to main-channel.h 2015-08-11 17:24:36 +02:00
smartcard.c smartcard: add a ref to item before adding to pipe 2016-07-07 18:39:54 +02:00
smartcard.h Remove spice-experimental 2015-01-15 18:34:26 +01:00
snd_worker.c pass proper type to SPICE_CONTAINEROF 2016-01-13 12:08:17 +01:00
snd_worker.h Remove unused snd_get_playback_compression() method 2015-08-11 17:24:36 +02:00
spice_bitmap_utils.c Add missing license headers 2015-12-11 18:41:19 +01:00
spice_bitmap_utils.h server: move surface_format_to_image_type to spice_bitmap_utils 2013-08-14 12:08:04 +03:00
spice_image_cache.c Add missing license headers 2015-12-11 18:41:19 +01:00
spice_image_cache.h Add missing license headers 2015-12-11 18:41:19 +01:00
spice_server_utils.h Add missing license headers 2015-12-11 18:41:19 +01:00
spice_timer_queue.c spice_timer_queue: fix access after free 2015-09-03 10:25:13 +01:00
spice_timer_queue.h server: spice_timer_queue 2013-04-22 16:30:54 -04:00
spice-audio.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-char.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-core.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-experimental.h Add missing license headers 2015-12-11 18:41:19 +01:00
spice-input.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-migration.h Move spice_server_get_num_clients() declaration 2014-11-27 15:03:38 +01:00
spice-qxl.h server: allows to set maximum monitors 2015-06-26 16:17:42 +02:00
spice-server.h Remove spice_server_set_keepalive_timeout 2016-03-10 16:49:36 +01:00
spice-server.syms Remove spice_server_set_keepalive_timeout 2016-03-10 16:49:36 +01:00
spice-version.h.in build-sys: generate spice-version.h 2014-11-27 14:27:33 +01:00
spice.h Split spice.h 2014-11-27 14:27:18 +01:00
spicevmc.c spicevmc: Drop unsent data on client disconnection 2016-01-13 12:08:17 +01:00
stat.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
zlib_encoder.c Use the spice-common logging functions 2012-03-25 19:00:00 +02:00
zlib_encoder.h applying zlib compression over glz on WAN connection 2010-06-21 15:05:37 +02:00