Bug 1285469

Summary: crash in lz_rgb16_decompress when resizing guest monitor to a size not fitting into video memory
Product: Red Hat Enterprise Linux 7
Reporter: David Jaša <djasa>
Component: spice-gtk
Assignee: Default Assignee for SPICE Bugs <rh-spice-bugs>
Status: CLOSED ERRATA
QA Contact: SPICE QE bug list <spice-qe-bugs>
Severity: low
Docs Contact:
Priority: low
Version: 7.2
CC: cfergeau, dblechte, djasa, pgrunt, rbalakri, rduda, tpelka
Target Milestone: rc
Target Release: 7.3
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: spice-gtk-0.26-8.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 01:12:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: full backtrace (no flags)

Description David Jaša 2015-11-25 16:35:27 UTC
Created attachment 1098916: full backtrace

Description of problem:
A pre-WHQL driver [1] allows resizing beyond the video memory limits on XP (bug 1285460). When attempting to do that, spice-gtk segfaults:

    #0  0x00007ffff55590fe in lz_rgb16_decompress (encoder=encoder@entry=0x1100c20, out_buf=out_buf@entry=0x7fffb95c3210, size=size@entry=8179200) at lz_decompress_tmpl.c:305

[1] https://brewweb.devel.redhat.com/buildinfo?buildID=457801


Version-Release number of selected component (if applicable):
spice-gtk3-0.26-5.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. have an XP VM with default video memory settings (ram/vgamem/vram: 64/16/64 MB) and the qxl driver from [1] installed
2. connect to the VM
3. change the resolution from the OS applet (right-click Desktop -> Options) beyond 2560x1600 or 2048x2048

Actual results:
segfault occurs:
#0  0x00007ffff55590fe in lz_rgb16_decompress (encoder=encoder@entry=0x1100c20, out_buf=out_buf@entry=0x7fffb95c3210, size=size@entry=8179200) at lz_decompress_tmpl.c:305
#1  0x00007ffff5565990 in lz_decode (lz=0x1100c20, to_type=<optimized out>, buf=0x7fffb95c3210 <Address 0x7fffb95c3210 out of bounds>) at lz.c:684
#2  0x00007ffff5547a53 in canvas_get_lz (canvas=canvas@entry=0xbebcf0, image=image@entry=0xc450a4, want_original=want_original@entry=0, invers=0) at ../spice-common/common/canvas_base.c:821
#3  0x00007ffff5547d47 in canvas_get_image_internal (canvas=canvas@entry=0xbebcf0, image=0xc450a4, want_original=want_original@entry=0, real_get=real_get@entry=1) at ../spice-common/common/canvas_base.c:1110
#4  0x00007ffff554992d in canvas_draw_copy (want_original=0, image=<optimized out>, canvas=0xbebcf0) at ../spice-common/common/canvas_base.c:1285
#5  0x00007ffff554992d in canvas_draw_copy (spice_canvas=0xbebcf0, bbox=0xc45024, clip=<optimized out>, copy=0xc45048) at ../spice-common/common/canvas_base.c:2258
#6  0x00007ffff552da9a in display_handle_draw_copy (channel=0xa4fa60 [SpiceDisplayChannel], in=<optimized out>) at channel-display.c:1559
#7  0x00007ffff5524394 in spice_channel_recv_msg (channel=0xa4fa60 [SpiceDisplayChannel], msg_handler=0x7ffff5523c10 <spice_channel_handle_msg>, data=0x0) at spice-channel.c:1877
#8  0x00007ffff5524514 in spice_channel_iterate_read (channel=0xa4fa60 [SpiceDisplayChannel]) at spice-channel.c:2114
#9  0x00007ffff5525cd0 in spice_channel_coroutine (channel=0xa4fa60 [SpiceDisplayChannel]) at spice-channel.c:2152
#10 0x00007ffff5525cd0 in spice_channel_coroutine (data=0xa4fa60) at spice-channel.c:2429
#11 0x00007ffff554e7cb in coroutine_trampoline (cc=0xa4f110) at coroutine_ucontext.c:63
#12 0x00007ffff554e609 in continuation_trampoline (i0=<optimized out>, i1=<optimized out>) at continuation.c:55
#13 0x00007ffff3609110 in __start_context () at /lib64/libc.so.6
#14 0x0000000000a4f4d8 in  ()
#15 0x0000000000000000 in  ()

Expected results:
remote-viewer survives the condition and works normally after the guest reverts to the previous working resolution

Additional info:
low prio/sev because this bug is triggered by another bug (bug 1285460)

Comment 1 Pavel Grunt 2015-11-26 10:17:01 UTC
It is most likely the upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=92820

David, can you test it with a different image compression type?

Comment 4 Frediano Ziglio 2016-04-14 16:22:20 UTC
In canvas_base.c line 870, stride is computed correctly only for 32-bit:

    stride = (n_comp_pixels / height) * 4;  /* assumes 4 bytes per pixel */

This causes memory corruption if top_down is false, due to

    if (!top_down) {
        stride = -stride;
        decomp_buf = src + stride * (height - 1);  /* off by 2x for 16-bit images */

I fixed it by replacing

    stride = (n_comp_pixels / height) * 4;

with

    stride = pixman_image_get_stride(lz_data->decode_data.out_surface);
    stride = abs(stride);

Note that I'm getting some glitches because the pixman stride is always a multiple of 4 (but this is probably another issue).
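
The effect of the 32-bit assumption described in comment 4 can be checked without pixman. The block below is an added example written for this page, not spice-common code: pixman_stride_bytes() re-implements pixman's rule that every row is padded to a 32-bit boundary, the output surface is modelled as a plain buffer of stride * height bytes, the 2560x1600 dimensions are constructed from the resolution named in the report, and all function names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not spice-common code. Models the two stride computations
 * from comment 4 and checks where the bottom-row pointer used for
 * top_down == 0 images ends up relative to the surface buffer. */

/* pixman: row length in bytes, rounded up to a multiple of 4
 * (re-implementation of pixman's rule, so this runs without pixman) */
static int pixman_stride_bytes(int width, int bpp)
{
    return ((width * bpp + 31) / 32) * 4;
}

/* The quoted original: n_comp_pixels / height is the row width in pixels,
 * multiplied by 4 as if every pixel were 32 bits wide. */
static int stride_original(int n_comp_pixels, int height)
{
    return (n_comp_pixels / height) * 4;
}

/* The quoted fix: use the destination surface's own stride, sign dropped. */
static int stride_fixed(int surface_stride)
{
    return abs(surface_stride);
}

/* For a bottom-up image the decoder is pointed at the last row, which is
 * stride * (height - 1) bytes into the buffer. Returns 1 when that row lies
 * entirely inside a buffer of buf_size bytes, 0 when it does not. */
static int last_row_in_bounds(int stride, int row_bytes, int height,
                              size_t buf_size)
{
    size_t offset = (size_t)stride * (size_t)(height - 1);
    return offset + (size_t)row_bytes <= buf_size;
}

/* Runs both computations for a width x height image of the given depth.
 * Bit 0 of the result is set when the original stride keeps the last row in
 * bounds, bit 1 when the fixed stride does. */
static int check_depth(int width, int height, int bpp)
{
    int n_comp_pixels = width * height;   /* no alpha plane */
    int surface_stride = pixman_stride_bytes(width, bpp);
    size_t buf_size = (size_t)surface_stride * (size_t)height;
    int row_bytes = width * bpp / 8;
    int result = 0;

    if (last_row_in_bounds(stride_original(n_comp_pixels, height),
                           row_bytes, height, buf_size))
        result |= 1;
    if (last_row_in_bounds(stride_fixed(surface_stride),
                           row_bytes, height, buf_size))
        result |= 2;
    return result;
}

static const char *verdict(int ok)
{
    return ok ? "in bounds" : "OUT OF BOUNDS";
}

int main(void)
{
    /* Constructed dimensions: the 2560x1600 mode named in the report. */
    int r32 = check_depth(2560, 1600, 32);
    int r16 = check_depth(2560, 1600, 16);

    printf("32 bpp: original stride %s, fixed stride %s\n",
           verdict(r32 & 1), verdict(r32 & 2));
    printf("16 bpp: original stride %s, fixed stride %s\n",
           verdict(r16 & 1), verdict(r16 & 2));
    return 0;
}
```

For a 16-bit image the original formula yields twice the real stride (10240 instead of 5120 bytes for a 2560-pixel row), so the last-row pointer lands well past the end of the 8192000-byte surface; with the surface's own stride it ends exactly at the buffer's last row. At 32 bpp the two formulas agree, which is why the crash is specific to LZ_RGB16.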

Comment 5 Frediano Ziglio 2016-04-14 16:57:51 UTC
Posted a proposed patch at https://lists.freedesktop.org/archives/spice-devel/2016-April/028210.html

Comment 10 errata-xmlrpc 2016-11-04 01:12:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2229.html