Bug 1283925
| Summary: | segfault in network::TcpListener::TcpListener | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jim Minter <jminter> | ||||
| Component: | tigervnc | Assignee: | Jan Grulich <jgrulich> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Desktop QE <desktop-qa-list> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | high | ||||||
| Version: | 7.2 | CC: | alanm, ayadav, jcastran, jgrulich, J.H.Hodrien, jraising, jsbillin, pasteur, paulm, sengork, tpelka, yzeng | ||||
| Target Milestone: | rc | Keywords: | ZStream | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1304700 (view as bug list) | Environment: | |||||
| Last Closed: | 2016-11-04 01:29:30 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1203710, 1297830, 1304700 | ||||||
| Attachments: |
|
||||||
We have also encountered this bug. You can trigger it by simply running: /usr/bin/Xvnc -inetd Created attachment 1103810 [details]
Patch to fix the crash in TcpListener
Here is proposed patch to fix this crash. It actually comes from upstream and I just forgot to backport this part to our IPv6 patch for tigervnc.
I built a version of the package with that patch added, and have tested it on our systems that run Xvnc with the -inetd option, and they no longer segfault when starting, so I can confirm that the patch works. Another confirmation of the patch solving the problem. We have two client sites that are experiencing this issue. VNC server is a critical component of our product. When would this patch be included in an official Red Hat update? *** Bug 1302324 has been marked as a duplicate of this bug. *** Fix commited to y-stream branch (rhel-7.3). We too are affected by this bug. Please note that disabling IPv6 will not fix this issue. We'd love to have this working again without any interim workarounds. When will this patch be released? I don't know when this will be released, it is supposed to be fixed in RHEL 7.3 and RHEL 7.2 as z-stream fix. (In reply to Jan Grulich from comment #15) > I don't know when this will be released, it is supposed to be fixed in RHEL > 7.3 and RHEL 7.2 as z-stream fix. As Jan mentioned the fix was published within 7.2.z, see https://rhn.redhat.com/errata/RHBA-2016-0543.html, it will be automatically included in upcomming 7.3 too. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2237.html *** Bug 1415028 has been marked as a duplicate of this bug. *** |
Description of problem: Xvnc segfaults when launched from inetd Version-Release number of selected component (if applicable): Latest RHEL 7.2 - tigervnc-server-1.3.1-3.el7.x86_64 How reproducible: Always Steps to Reproduce: 1. Add following to /etc/xinetd.d/rfb: service rfb { protocol = tcp wait = no user = nobody server = /usr/bin/Xvnc server_args = -inetd -query localhost -once -SecurityTypes None } 2. Attempt to vnc to box on :5900 Actual results: VNC session fails to launch, Xvnc segfaults Expected results: VNC session launches, GDM screen presented (this worked fine in RHEL 7.1) Additional info: Running GDB on core file created shows segfault in this line: Core was generated by `Xvnc -inetd -query localhost -once -SecurityTypes None'. Program terminated with signal 11, Segmentation fault. #0 network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000) at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426 426 if ((sock = socket (listenaddr->sa_family, SOCK_STREAM, 0)) < 0) It turns out that listenaddr is NULL. (gdb) bt #0 network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000) at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426 #1 0x000000000044794e in displayNumFree (num=num@entry=0) at xvnc.cc:355 #2 0x000000000044d2eb in ddxProcessArgument (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98, i=i@entry=1) at xvnc.cc:580 #3 0x00000000005bf34f in ProcessCommandLine (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98) at utils.c:689 #4 0x000000000056d629 in dix_main (argc=7, argv=0x7ffe72cbdd98, envp=0x7ffe72cbddd8) at main.c:146 #5 0x00007f0eef251b15 in __libc_start_main (main=0x449ad0 <main>, argc=7, ubp_av=0x7ffe72cbdd98, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe72cbdd88) at libc-start.c:274 #6 0x000000000044ad8d in _start () In displayNumFree, the logic repeatedly tries to find a display number, but NULL is passed directly into network::TcpListener::TcpListener and then dereferenced. This is a clear logic bug. (gdb) l xvnc.cc:355 350 351 static 352 bool displayNumFree(int num) 353 { 354 try { 355 network::TcpListener l(NULL, 6000+num); 356 } catch (rdr::Exception& e) { 357 return false; 358 } 359 char file[256]; A sort of workaround is to change server_args = -inetd -query localhost -once -SecurityTypes None to server_args = :1 -inetd -query localhost -once -SecurityTypes None in /etc/xinetd.d/rfb, as this bypasses the flawed logic. However this prevents multiple concurrent logins via VNC/XDM to the box.