spice/server
Frediano Ziglio 945834b460 remove dangling pointer for RedCharDeviceVDIPort
When a client disconnects remove it from the list of clients connected
to the spice char-device.

This was caused by commit 1cec1c5118
("reds: Make VDIPortState a GObject") as the lifespan of RedCharDevice
was changed.

This could be reproduced with:
- start rhel7 machine
- connect remote viewer (RV)
- RV: login
- connect ssh
- SSH: stop agent
- disconnect RV
- SSH: start agent
- connect to RV

and caused (using address sanitizer):

main_channel_handle_parsed: agent start
=================================================================
==29592==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00001cff0 at pc 0x7fa85b6e8595 bp 0x7ffde3801940 sp 0x7ffde3801930
READ of size 8 at 0x60c00001cff0 thread T0
    #0 0x7fa85b6e8594 in red_client_get_main /home/freddy/work/spice-server/server/red-channel.c:2190
    #1 0x7fa85b7311e6 in vdi_port_send_msg_to_client /home/freddy/work/spice-server/server/reds.c:880
    #2 0x7fa85b69383e in red_char_device_send_msg_to_client /home/freddy/work/spice-server/server/char-device.c:138
    #3 0x7fa85b69383e in red_char_device_send_msg_to_clients /home/freddy/work/spice-server/server/char-device.c:356
    #4 0x7fa85b69383e in red_char_device_read_from_device /home/freddy/work/spice-server/server/char-device.c:403
    #5 0x55a2633b81c1  (/usr/bin/qemu-system-x86_64+0x5561c1)
    #6 0x55a2633afe7a  (/usr/bin/qemu-system-x86_64+0x54de7a)
    #7 0x55a2634cb7b1  (/usr/bin/qemu-system-x86_64+0x6697b1)
    #8 0x55a2632078d0  (/usr/bin/qemu-system-x86_64+0x3a58d0)
    #9 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #10 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #11 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #12 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)
    #13 0x55a26314b0c8  (/usr/bin/qemu-system-x86_64+0x2e90c8)

0x60c00001cff0 is located 48 bytes inside of 128-byte region [0x60c00001cfc0,0x60c00001d040)
freed by thread T0 here:
    #0 0x7fa869e3667a in __interceptor_free (/lib64/libasan.so.2+0x9867a)
    #1 0x7fa85b6d75f7 in red_client_unref /home/freddy/work/spice-server/server/red-channel.c:2076
    #2 0x7fa85b6ead74 in dispatcher_handle_single_read /home/freddy/work/spice-server/server/dispatcher.c:291
    #3 0x7fa85b6ead74 in dispatcher_handle_recv_read /home/freddy/work/spice-server/server/dispatcher.c:314
    #4 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #5 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #6 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #7 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

previously allocated by thread T0 here:
    #0 0x7fa869e36b19 in __interceptor_calloc (/lib64/libasan.so.2+0x98b19)
    #1 0x7fa85b7d6858 in spice_malloc0 /home/freddy/work/spice-server/spice-common/common/mem.c:109
    #2 0x7fa85b6e760c in red_client_new /home/freddy/work/spice-server/server/red-channel.c:2053
    #3 0x7fa85b7449e4 in reds_handle_main_link /home/freddy/work/spice-server/server/reds.c:1762
    #4 0x7fa85b7449e4 in reds_handle_link /home/freddy/work/spice-server/server/reds.c:2002
    #5 0x7fa85b745d3a in reds_handle_ticket /home/freddy/work/spice-server/server/reds.c:2056
    #6 0x55a26379b2e8  (/usr/bin/qemu-system-x86_64+0x9392e8)
    #7 0x55a26379a7a0  (/usr/bin/qemu-system-x86_64+0x9387a0)
    #8 0x55a26313fb78 in main (/usr/bin/qemu-system-x86_64+0x2ddb78)
    #9 0x7fa85a3cc57f in __libc_start_main (/lib64/libc.so.6+0x2057f)

SUMMARY: AddressSanitizer: heap-use-after-free /home/freddy/work/spice-server/server/red-channel.c:2190 red_client_get_main
Shadow bytes around the buggy address:
  0x0c187fffb9a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb9b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffb9c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffb9d0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffb9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c187fffb9f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd[fd]fd
  0x0c187fffba00: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffba10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fffba20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffba30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffba40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd

Signed-off-by: Frediano Ziglio <fziglio@redhat.com>
Acked-by: Eduardo Lima (Etrunko) <etrunko@redhat.com>
Acked-by: Uri Lublin <uril@redhat.com>
2016-05-05 18:04:37 +01:00
tests replay: skip the first N (slow) commands 2016-03-16 10:09:07 +00:00
.gitignore Update the .gitignore files for the new manual, 2015-10-16 15:48:23 -05:00
agent-msg-filter.c agent-msg-filter: Move include from header 2016-05-04 14:40:51 +01:00
agent-msg-filter.h agent-msg-filter: Move include from header 2016-05-04 14:40:51 +01:00
cache-item.h Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
cache-item.tmpl.c Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
char-device.c char-device: remove unused refs field 2016-05-04 13:09:56 +01:00
char-device.h Rename PipeItem to RedPipeItem 2016-04-27 10:22:01 -05:00
cursor-channel.c Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
cursor-channel.h reduce header dependencies 2016-03-04 14:24:54 +00:00
dcc-encoders.c Simplify red_drawable_unref() 2016-02-15 12:29:08 +00:00
dcc-encoders.h Remove RedGlzDrawable::group_id 2016-02-15 12:29:13 +00:00
dcc-send.c server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
dcc.c server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
dcc.h server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
demarshallers.h Remove trailing blank lines 2012-01-13 18:11:59 +02:00
dispatcher.c Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
dispatcher.h Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
display-channel.c Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
display-channel.h Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
display-limits.h worker: start a DisplayChannelClient unit 2015-11-19 12:43:02 +00:00
event-loop.c revert new event-loop code for timers 2016-02-12 17:44:57 +00:00
glz-encode-match.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
glz-encode.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
glz-encoder-dict.c remove glz_encoder_config.h 2015-12-04 11:57:18 +00:00
glz-encoder-dict.h remove glz_encoder_config.h 2015-12-04 11:57:18 +00:00
glz-encoder-priv.h server: misc header cleanups 2015-12-09 22:17:51 +00:00
glz-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
glz-encoder.h server: misc header cleanups 2015-12-09 22:17:51 +00:00
image-cache.c server: rename files 2015-12-03 23:54:32 +00:00
image-cache.h server: rename files 2015-12-03 23:54:32 +00:00
inputs-channel.c Add _config_ to SpiceServerConfig accessors 2016-04-27 10:27:23 -05:00
inputs-channel.h Add RedsState arg to inputs_channel_new() 2016-02-12 15:32:47 +00:00
jpeg-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
jpeg-encoder.h server: rename files 2015-12-03 23:54:32 +00:00
lz4-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
lz4-encoder.h server: rename files 2015-12-03 23:54:32 +00:00
main-channel.c Name MainChannelClient methods consistently 2016-04-29 15:49:56 -05:00
main-channel.h Name MainChannelClient methods consistently 2016-04-29 15:49:56 -05:00
main-dispatcher.c Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
main-dispatcher.h Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
Makefile.am server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
memslot.c memslot: do not crash if guest provide a wrong address 2016-02-18 10:36:26 +00:00
memslot.h server: rename files 2015-12-03 23:54:32 +00:00
migration-protocol.h server: rename files 2015-12-03 23:54:32 +00:00
mjpeg-encoder.c server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
pixmap-cache.c syntax-check: Add missing #include <config.h> 2015-10-19 14:25:36 +02:00
pixmap-cache.h server: rename files 2015-12-03 23:54:32 +00:00
red-channel.c Call public RedClient API instead of poking internals 2016-04-29 14:58:21 -05:00
red-channel.h Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
red-common.h reds: Move RedsState typedef to red-common.h 2016-04-06 10:30:00 +02:00
red-parse-qxl.c make RedDataChunk structure private inside red-parse-qxl.c 2016-02-16 13:13:00 +00:00
red-parse-qxl.h make RedDataChunk structure private inside red-parse-qxl.c 2016-02-16 13:13:00 +00:00
red-pipe-item.c Rename PipeItem to RedPipeItem 2016-04-27 10:22:01 -05:00
red-pipe-item.h Rename PipeItem to RedPipeItem 2016-04-27 10:22:01 -05:00
red-qxl.c Convert Dispatcher and MainDispatcher to GObjects 2016-03-30 17:19:24 +01:00
red-qxl.h qxl: Remove duplicate QXLState typedef 2016-04-06 10:30:00 +02:00
red-record-qxl.c server: Use '%zu' to print size_t variables 2015-12-15 17:50:05 +00:00
red-record-qxl.h server: rename files 2015-12-03 23:54:32 +00:00
red-replay-qxl.c server: Remove an unnecessary cast in spice_replay_next_cmd() 2016-02-25 09:18:06 +00:00
red-replay-qxl.h server: rename files 2015-12-03 23:54:32 +00:00
red-worker.c worker: remove check for canvas during cursor connect 2016-04-26 16:29:04 +01:00
red-worker.h Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
reds-private.h Add RedServerConfig 2016-04-27 10:27:05 -05:00
reds-stream.c Introduce reds_core_watch_* 2016-03-03 16:45:36 +00:00
reds-stream.h reds: Move RedsState typedef to red-common.h 2016-04-06 10:30:00 +02:00
reds.c remove dangling pointer for RedCharDeviceVDIPort 2016-05-05 18:04:37 +01:00
reds.h audio: Remove global 'playback_compression' variable 2016-04-27 10:27:35 -05:00
smartcard.c Rename all RedPipeItem subclasses 2016-04-27 10:22:26 -05:00
smartcard.h smartcard: Turn RedCharDeviceSmartcard into a GObject 2016-04-06 11:37:07 -05:00
sound.c audio: Remove global 'playback_compression' variable 2016-04-27 10:27:35 -05:00
sound.h Remove use of global 'reds' from sound.c 2016-02-16 10:54:30 +00:00
spice-audio.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-bitmap-utils.c do not compile dump_bitmap if not necessary 2016-03-24 13:11:46 +00:00
spice-bitmap-utils.h server: misc header cleanups 2015-12-09 22:17:51 +00:00
spice-bitmap-utils.tmpl.c server: rename _tmpl files 2015-11-26 13:33:36 +00:00
spice-char.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-core.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-experimental.h Add missing license headers 2015-10-19 14:25:36 +02:00
spice-input.h Split spice.h 2014-11-27 14:27:18 +01:00
spice-migration.h Mark unused public API methods/code as deprecated 2016-04-27 10:27:08 -05:00
spice-qxl.h Add new spice-gl stubs API 2016-02-09 14:01:12 +00:00
spice-server.h Mark unused public API methods/code as deprecated 2016-04-27 10:27:08 -05:00
spice-server.syms Remove spice_server_set_keepalive_timeout 2016-03-11 18:27:51 +01:00
spice-version.h.in build-sys: generate spice-version.h 2014-11-27 14:27:33 +01:00
spice.h Split spice.h 2014-11-27 14:27:18 +01:00
spicevmc.c Using already exists function instead of SPICE_CONTAINEROF 2016-05-04 10:46:35 +01:00
stat.h Add RedsState arg to all stat functions 2016-02-15 12:04:02 +00:00
stream.c server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
stream.h server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
sw-canvas.c sw-canvas: Get rid of unsused SW_CANVAS_IMAGE_CACHE 2016-04-19 14:06:04 +02:00
sw-canvas.h sw-canvas: Get rid of unsused SW_CANVAS_IMAGE_CACHE 2016-04-19 14:06:04 +02:00
tree.c pass proper type to SPICE_CONTAINEROF 2015-12-04 13:33:54 +00:00
tree.h Move some tree item functions to tree.[ch] 2015-11-17 17:22:05 +00:00
utils.c worker: move dcc_add_surface_area_image 2015-11-23 13:50:44 +00:00
utils.h server: Add time constants to go with spice_get_monotonic_time_ms() 2015-12-14 11:24:47 +00:00
video-encoder.h server: Enable adding alternative MJPEG video encoders 2016-05-04 10:51:55 +01:00
zlib-encoder.c server: rename files 2015-12-03 23:54:32 +00:00
zlib-encoder.h server: rename files 2015-12-03 23:54:32 +00:00