Bug 1769610
Field | Value
---|---
Summary | vncserver crashes when xfreerdp closes
Product | Red Hat Enterprise Linux 7
Reporter | bugzilla
Component | xorg-x11-server
Assignee | Adam Jackson <ajax>
Status | CLOSED WONTFIX
QA Contact | Desktop QE <desktop-qa-list>
Severity | unspecified
Docs Contact |
Priority | unspecified
Version | 7.7
CC | goetz.waschk, wattersm
Target Milestone | rc
Keywords | Triaged
Target Release | ---
Hardware | x86_64
OS | Linux
Whiteboard |
Fixed In Version |
Doc Type | If docs needed, set a value
Doc Text |
Story Points | ---
Clone Of |
Environment |
Last Closed | 2021-05-07 07:30:25 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
CRM |
Verified Versions |
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | ---
Target Upstream Version |
Embargoed |
Attachments | 1633514 (Fixes null pointer dereference), 1633515 (Simpler fix)
Created attachment 1633514 [details]
Fixes null pointer dereference

Description of problem:
This bug is being reported against xorg-x11-server since that is where the fix resides, but the problem is actually produced within an Xvnc session. When we connect to a Windows 10 system using xfreerdp and then close xfreerdp, Xvnc produces a segfault.

Version-Release number of selected component (if applicable):
xorg-x11-server-common-1.20.4-7.el7.x86_64
tigervnc-server-1.8.0-17.el7.x86_64

How reproducible:
On our system, we can reproduce it trivially, though I am not sure if that is a behavior of our specific configuration.

Steps to Reproduce:
1. Install tigervnc
2. Set up an Xvnc session and log in
3. SSH forward to a remote host providing RDP access over port 3389 (may not be necessary)
4. xfreerdp /u:user /p:password /v:127.0.0.1
5. Close xfreerdp

Actual results:
/usr/bin/Xvnc segfaults

Expected results:
xfreerdp closes without crashing Xvnc

Additional info:
The attached patch simply checks to make sure cw->damage is not null before calling DamageUnregister() and DamageEmpty(). It is likely that the only part of the patch that is necessary to fix this bug is the one that modifies compalloc.c; the changes to damage.c are masked by the checks in compSetParentPixmap, but I do not know if there are other places that might call DamageUnregister in an unsafe way.

The GDB stacktrace is as follows:

```text
Program received signal SIGSEGV, Segmentation fault.
DamageUnregister (pDamage=0x0) at damage.c:1793
1793        DrawablePtr pDrawable = pDamage->pDrawable;
(gdb) bt
#0  DamageUnregister (pDamage=0x0) at damage.c:1793
#1  0x000000000051f9e7 in compSetParentPixmap (pWin=pWin@entry=0x14290a0) at compalloc.c:640
#2  0x000000000051fc81 in compFreeClientWindow (pWin=0x14290a0, id=<optimized out>) at compalloc.c:285
#3  0x000000000051a739 in FreeCompositeClientWindow (value=<optimized out>, ccwid=<optimized out>) at compext.c:74
#4  0x0000000000597af2 in doFreeResource (res=0x2d29290, skip=0) at resource.c:880
#5  0x00000000005986ce in FreeResource (id=944, skipDeleteFuncType=skipDeleteFuncType@entry=0) at resource.c:910
#6  0x000000000051f081 in compUnredirectWindow (pClient=0x1051530, pWin=pWin@entry=0x14290a0, update=update@entry=0) at compalloc.c:330
#7  0x000000000051b9c3 in compCheckBackingStore (pWin=0x14290a0) at compinit.c:131
#8  compChangeWindowAttributes (pWin=0x14290a0, mask=<optimized out>) at compinit.c:152
#9  0x000000000051d489 in compDestroyWindow (pWin=0x14290a0) at compwindow.c:664
#10 0x00000000004d870e in damageDestroyWindow (pWindow=0x14290a0) at damage.c:1590
#11 0x00000000004897e0 in DbeDestroyWindow (pWin=0x14290a0) at dbe.c:1326
#12 0x00000000004d23ce in present_destroy_window (window=0x14290a0) at present_screen.c:163
#13 0x000000000059c694 in FreeWindowResources (pWin=pWin@entry=0x14290a0) at window.c:1032
#14 0x000000000059f456 in DeleteWindow (value=0x14290a0, wid=<optimized out>) at window.c:1101
#15 0x0000000000597af2 in doFreeResource (res=0x13b3250, skip=0) at resource.c:880
#16 0x00000000005986ce in FreeResource (id=41943041, skipDeleteFuncType=skipDeleteFuncType@entry=0) at resource.c:910
#17 0x000000000056de7f in ProcDestroyWindow (client=0x1428ca0) at dispatch.c:765
#18 0x0000000000573d4d in Dispatch () at dispatch.c:478
#19 0x0000000000577c4a in dix_main (argc=20, argv=0x7ffe08d61be8, envp=<optimized out>) at main.c:276
#20 0x00007f9a97f9e505 in __libc_start_main (main=0x454ed0 <main>, argc=20, argv=0x7ffe08d61be8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe08d61bd8) at ../csu/libc-start.c:266
#21 0x00000000004563be in _start ()
```

Created attachment 1633515 [details]
Simpler fix

We tried the test without changes to damage.c and the crash was averted. See the new attached patch that is simpler and fixes the problem.

I added a link to a bug that looks related, but possibly different. Both cause an Xorg crash using xfreerdp. We do not know if this bug can be triggered without Xvnc.

Note that Xvnc is statically built against the Xorg source, so first patch Xorg, then install the xorg-x11-server-source RPM and then rebuild tigervnc against it. If it is not rebuilt against the patched source then it will not fix tigervnc.

Can you try with this patch instead? https://gitlab.freedesktop.org/xorg/xserver/-/commit/5096fcd492b1efd178773748e5f42177439426d6

(In reply to Adam Jackson from comment #5)
> Can you try with this patch instead?
>
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/5096fcd492b1efd178773748e5f42177439426d6

I have recompiled xorg-x11-server with that patch and compiled tigervnc against it. Now, Xvnc no longer segfaults. I can X the xfreerdp window or I can disconnect from Windows, no crash so far.

I've seen the same issue happen when closing an xterm as well. The Xvnc process segfaults with an error like this.

```text
(EE) Backtrace:
(EE) 0: /usr/bin/Xvnc (xorg_backtrace+0x55) [0x5c31d5]
(EE) 1: /usr/bin/Xvnc (0x400000+0x1c6b39) [0x5c6b39]
(EE) 2: /usr/lib64/libpthread.so.0 (0x7f8aebb6f000+0xf5f0) [0x7f8aebb7e5f0]
(EE) 3: /usr/bin/Xvnc (DamageUnregister+0x10) [0x4d8350]
(EE) 4: /usr/bin/Xvnc (compSetParentPixmap+0x37) [0x51f787]
(EE) 5: /usr/bin/Xvnc (compFreeClientWindow+0x231) [0x51fa21]
(EE) 6: /usr/bin/Xvnc (0x400000+0x11a4b9) [0x51a4b9]
(EE) 7: /usr/bin/Xvnc (0x400000+0x197952) [0x597952]
(EE) 8: /usr/bin/Xvnc (FreeResource+0xde) [0x59852e]
(EE) 9: /usr/bin/Xvnc (compUnredirectWindow+0xb1) [0x51ee21]
(EE) 10: /usr/bin/Xvnc (0x400000+0x11b743) [0x51b743]
(EE) 11: /usr/bin/Xvnc (compDestroyWindow+0x179) [0x51d219]
(EE) 12: /usr/bin/Xvnc (0x400000+0xd85de) [0x4d85de]
(EE) 13: /usr/bin/Xvnc (0x400000+0x89710) [0x489710]
(EE) 14: /usr/bin/Xvnc (0x400000+0xd22be) [0x4d22be]
(EE) 15: /usr/bin/Xvnc (0x400000+0x19c504) [0x59c504]
(EE) 16: /usr/bin/Xvnc (DeleteWindow+0x246) [0x59f2e6]
(EE) 17: /usr/bin/Xvnc (0x400000+0x197952) [0x597952]
(EE) 18: /usr/bin/Xvnc (FreeResource+0xde) [0x59852e]
(EE) 19: /usr/bin/Xvnc (ProcDestroyWindow+0x8f) [0x56dbef]
(EE) 20: /usr/bin/Xvnc (Dispatch+0x31d) [0x573abd]
(EE) 21: /usr/bin/Xvnc (dix_main+0x39a) [0x5779ba]
(EE) 22: /usr/lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f8ae96ac505]
(EE) 23: /usr/bin/Xvnc (0x400000+0x5632e) [0x45632e]
(EE)
(EE) Segmentation fault at address 0x38
```

I think this was fixed in xorg-x11-server-1.20.4-10 and the rebuilt vncserver packages. At least I cannot reproduce it anymore.

After evaluating this issue, there are no plans to address it further or fix it in an upcoming release. Therefore, it is being closed. If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
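As an added example that is not part of this bug report or of the X server, the following Python helper parses the `(EE)` backtrace format Xvnc prints on a crash, picks out the frame in which the signal was delivered (the one after the libpthread signal trampoline), and classifies the fault address: a fault at a tiny address such as 0x38 is a NULL struct pointer read through a member, which matches the `pDamage->pDrawable` read with `pDamage=0x0` in the gdb session. The sample log is an excerpt of the backtrace quoted in this report; the frame and fault regexes and the 0x1000 zero-page threshold are this example's own assumptions.

```python
import re
# One frame of an Xorg/Xvnc "(EE)" backtrace: (EE) 3: /usr/bin/Xvnc (DamageUnregister+0x10) [0x4d8350]
FRAME_RE = re.compile(r"\(EE\)\s+(?P<idx>\d+):\s+(?P<module>\S+)\s+\((?P<sym>[^)]*)\)\s+\[(?P<addr>0x[0-9a-fA-F]+)\]")
FAULT_RE = re.compile(r"\(EE\)\s+Segmentation fault at address\s+(?P<addr>0x[0-9a-fA-F]+)")
PAGE_SIZE = 0x1000  # assumption: the zero page is never mapped, so a fault below it is NULL plus a field offset

# Constructed sample: an excerpt of the Xvnc backtrace quoted in this bug report.
SAMPLE_LOG = """\
(EE) Backtrace:
(EE) 0: /usr/bin/Xvnc (xorg_backtrace+0x55) [0x5c31d5]
(EE) 1: /usr/bin/Xvnc (0x400000+0x1c6b39) [0x5c6b39]
(EE) 2: /usr/lib64/libpthread.so.0 (0x7f8aebb6f000+0xf5f0) [0x7f8aebb7e5f0]
(EE) 3: /usr/bin/Xvnc (DamageUnregister+0x10) [0x4d8350]
(EE) 4: /usr/bin/Xvnc (compSetParentPixmap+0x37) [0x51f787]
(EE) 5: /usr/bin/Xvnc (compFreeClientWindow+0x231) [0x51fa21]
(EE) 22: /usr/lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f8ae96ac505]
(EE)
(EE) Segmentation fault at address 0x38
"""

def parse_frames(text):
    """Turn each (EE) frame line into a dict; unsymbolised frames keep their raw base address."""
    frames = []
    for m in FRAME_RE.finditer(text):
        sym, _, off = m.group("sym").partition("+")
        frames.append({"idx": int(m.group("idx")), "module": m.group("module"), "symbol": sym,
                       "offset": int(off, 16) if off else 0, "addr": int(m.group("addr"), 16)})
    return frames

def faulting_position(frames):
    """Frames 0-1 belong to the server's own backtrace printer and the libpthread frame is the
    signal trampoline, so the list position right after libpthread is the faulting function."""
    for i, f in enumerate(frames):
        if "libpthread" in f["module"] and i + 1 < len(frames):
            return i + 1
    return None

def triage(text):
    """Return the crashing symbol, its two nearest callers and a fault-address classification."""
    frames = parse_frames(text)
    fault = FAULT_RE.search(text)
    addr = int(fault.group("addr"), 16) if fault else None
    # A tiny fault address means a NULL struct pointer was dereferenced through a member,
    # which is what a missing NULL check (here on cw->damage) looks like from the outside.
    kind = "unknown" if addr is None else ("null-deref" if addr < PAGE_SIZE else "invalid-pointer")
    pos = faulting_position(frames)
    crash = frames[pos]["symbol"] if pos is not None else None
    callers = [f["symbol"] for f in frames[pos + 1:pos + 3]] if pos is not None else []
    return {"fault_addr": addr, "kind": kind, "crash_symbol": crash, "callers": callers}
```

Running `triage(SAMPLE_LOG)` reports DamageUnregister called from compSetParentPixmap and compFreeClientWindow with a null-deref classification, the same conclusion the gdb session reaches without needing debug symbols or a core file.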