pxcloud/spice
5
0
Fork 0
mirror of https://gitlab.uni-freiburg.de/opensourcevdi/spice synced 2026-01-02 14:28:32 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
2,663 Commits 29 Branches 62 Tags 9.6 MiB
C++ 62%
C 28.6%
Makefile 4%
M4 3%
Meson 0.9%
Other 1.5%
945834b460
Go to file
Frediano Ziglio 945834b460 remove dangling pointer for RedCharDeviceVDIPort 
When a client disconnects remove it from the list of clients connected
to the spice char-device.

This was caused by commit 1cec1c5118
("reds: Make VDIPortState a GObject") as the lifespan of RedCharDevice
was changed.

This could be reproduced with:
- start rhel7 machine
- connect remote viewer (RV)
- RV: login
- connect ssh
- SSH: stop agent
- disconnect RV
- SSH: start agent
- connect to RV

and caused (using address sanitizer):

main_channel_handle_parsed: agent start
=================================================================
==29592==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00001cff0 at pc 0x7fa85b6e8595 bp 0x7ffde3801940 sp 0x7ffde3801930
READ of size 8 at 0x60c00001cff0 thread T0
    #0 0x7fa85b6e8594 in red_client_get_main /home/freddy/work/spice-server/server/red-channel.c:2190
    #1 0x7fa85b7311e6 in vdi_port_send_msg_to_client /home/freddy/work/spice-server/server/reds.c:880
    #2 0x7fa85b69383e in red_char_device_send_msg_to_client /home/freddy/work/spice-server/server/char-device.c:138
    #3 0x7fa85b69383e in red_char_device_send_msg_to_clients /home/freddy/work/spice-server/server/char-device.c:356
    #4 0x7fa85b69383e in red_char_device_read_from_device /home/freddy/work/spice-server/server/char-device.c:403
    #5 0x55a2633b81c1  (/usr/bin/qemu-system-x86_64+0x5561c1)
    #6 0x55a2633afe7a  (/usr/bin/qemu-system-x86_64+0x54de7a)
    #7 0x55a2634cb7b1  (/usr/bin/qemu-system-x86_64+0x6697b1)
    #8 0x55a2632078d0  (/usr/bin/qemu-system-x86_64+0x3a58d0)
    #9 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #10 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #11 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #12 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #13 0x55a26314b0c8  (/usr/bin/qemu-system-x86_64+0x2e90c8)

0x60c00001cff0 is located 48 bytes inside of 128-byte region [0x60c00001cfc0,0x60c00001d040)
freed by thread T0 here:
    #0 0x7fa869e3667a in __interceptor_free (/lib64/libasan.so.2+0x9867a)
    #1 0x7fa85b6d75f7 in red_client_unref /home/freddy/work/spice-server/server/red-channel.c:2076
    #2 0x7fa85b6ead74 in dispatcher_handle_single_read /home/freddy/work/spice-server/server/dispatcher.c:291
    #3 0x7fa85b6ead74 in dispatcher_handle_recv_read /home/freddy/work/spice-server/server/dispatcher.c:314
    #4 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #5 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #6 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #7 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

previously allocated by thread T0 here:
    #0 0x7fa869e36b19 in __interceptor_calloc (/lib64/libasan.so.2+0x98b19)
    #1 0x7fa85b7d6858 in spice_malloc0 /home/freddy/work/spice-server/spice-common/common/mem.c:109
    #2 0x7fa85b6e760c in red_client_new /home/freddy/work/spice-server/server/red-channel.c:2053
    #3 0x7fa85b7449e4 in reds_handle_main_link /home/freddy/work/spice-server/server/reds.c:1762
    #4 0x7fa85b7449e4 in reds_handle_link /home/freddy/work/spice-server/server/reds.c:2002
    #5 0x7fa85b745d3a in reds_handle_ticket /home/freddy/work/spice-server/server/reds.c:2056
    #6 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #7 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #8 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #9 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/freddy/work/spice-server/server/red-channel.c:2190 red_client_get_main
Shadow bytes around the buggy address:
  0x0c187fffb9a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb9c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb9d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c187fffb9f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c187fffba00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffba10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffba20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffba30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffba40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
2016-05-05 18:04:37 +01:00
build-aux Update git-version-gen to latest version 2013-12-11 16:32:36 +01:00
docs Fix make dist 2016-04-25 17:10:04 -03:00
m4 m4: WARN FLAGS: Drop -Wenum-compare 2015-03-15 13:57:12 +02:00
server remove dangling pointer for RedCharDeviceVDIPort 2016-05-05 18:04:37 +01:00
spice-common@2a4bf49edd Update spice-common submodule 2016-04-06 10:30:00 +02:00
tests tests/migrate.py: add --vdagent 2011-08-23 17:01:14 +03:00
tools Add casts for compatibility purposes 2012-02-14 10:44:49 +02:00
uncrustify_cfg fresh start 2009-10-14 15:06:41 +02:00
.gitignore Update .gitignore files 2016-02-25 09:12:51 +00:00
.gitmodules Use the spice-common submodule 2012-03-25 18:59:10 +02:00
.mailmap syntax-check: Fix missing AUTHORS 2016-01-08 11:23:44 +00:00
.travis.yml Add travis CI file 2015-11-27 20:21:24 +01:00
AUTHORS syntax-check: Fix missing AUTHORS 2016-01-08 11:23:44 +00:00
autogen.sh build-sys: Pass --enable-python-checks when running autogen.sh 2015-04-23 10:38:24 +02:00
cfg.mk syntax-check: Fix sc_cast_of_argument_to_free 2016-01-08 11:24:17 +00:00
ChangeLog fresh start 2009-10-14 15:06:41 +02:00
configure.ac build-sys: Update libtool versioning for 0.13.1 2016-04-01 15:16:27 +02:00
COPYING Relicense everything from GPL to LGPL 2.1+ 2010-04-13 22:22:15 +02:00
GNUmakefile Add a 'syntax-check' make target 2012-01-13 18:12:00 +02:00
maint.mk syntax-check: Ignore .png files in sc_trailing_blank test 2015-10-19 14:25:36 +02:00
Makefile.am build-sys: remove --enable-opengl 2015-11-27 20:19:59 +01:00
NEWS Update NEWS for 0.13.1 2016-04-01 15:16:24 +02:00
README Revise the spice client and server to use the new snd_codec functions in spice-common. 2014-01-02 12:34:34 +01:00
spice-server.pc.in build-sys: Require a new enough spice-protocol in .pc file 2015-08-26 11:01:09 +02:00
TODO.multiclient Remove trailing whitespace from end of lines 2012-01-13 18:11:59 +02:00

README 

   SPICE: Simple Protocol for Independent Computing Environments
   =============================================================

SPICE is a remote display system built for virtual environments which
allows you to view a computing 'desktop' environment not only on the
machine where it is running, but from anywhere on the Internet and
from a wide variety of machine architectures.

Installation
------------

The SPICE package uses GNU autotools, so the build install process
follows the standard process documented in the INSTALL file. As a
quick start you can do

  ./configure --prefix=/usr --sysconfdir=/etc \
        --localstatedir=/var --libdir=/usr/lib
  make
  sudo make install

Or to install into a private user specific location

  ./configure --prefix=$HOME/spice
  make
  make install

The following mandatory dependancies are required in order to
build SPICE

    Spice protocol >= 0.9.0
    Pixman         >= 0.17.7
    OpenSSL
    libjpeg
    zlib
    Cyrus-SASL

The following optional dependancies increase the available
functionality

    GE Gui         >= 0.6.0,  < 0.7.0   (GUI app support)
    OpenGL                              (GUI app support)
    Alsa                                (Linux support)
    XRandR         >= 1.2               (X11 support)
    Xinerama       >= 1.0               (X11 support)
    libcacard      >= 0.1.2             (Smartcard support)

Communication
-------------

To communicate with the development team, or to post patches
there is a technical mailing list:

   http://lists.freedesktop.org/mailman/listinfo/spice-devel

There is also a mailing list for new release announcements:

   http://lists.freedesktop.org/archives/spice-announce/

To view known bugs, or report new bugs, in SPICE visit

   https://bugs.freedesktop.org/describecomponents.cgi?product=Spice

Bugs found when using an OS distribution's binary packages should
be reported to the OS vendors' own bug tracker first.

The latest SPICE code can be found in GIT at:

   http://cgit.freedesktop.org/spice/

Licensing
---------

SPICE is provided under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.

Please see the COPYING file for the complete LGPLv2+ license
terms, or visit <http://www.gnu.org/licenses/>.

Experimental Features
---------------------
To enable multiple client connections, set:
SPICE_DEBUG_ALLOW_MC=1

-- End of readme