Bug 1769610

Summary: vncserver crashes when xfreerdp closes
Product: Red Hat Enterprise Linux 7
Component: xorg-x11-server
Version: 7.7
Hardware: x86_64
OS: Linux
Reporter: bugzilla
Assignee: Adam Jackson <ajax>
QA Contact: Desktop QE <desktop-qa-list>
CC: goetz.waschk, wattersm
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Keywords: Triaged
Type: Bug
Last Closed: 2021-05-07 07:30:25 UTC

Attachments:
- Fixes null pointer dereference (flags: none)
- Simpler fix (flags: none)

Description bugzilla 2019-11-07 00:56:23 UTC
Created attachment 1633514 [details]
Fixes null pointer dereference

Description of problem:

This bug is being reported against xorg-x11-server since that is where the fix resides, but the problem is actually produced within an Xvnc session. When we connect to a Windows 10 system using xfreerdp and then close xfreerdp, Xvnc produces a segfault.


Version-Release number of selected component (if applicable):

xorg-x11-server-common-1.20.4-7.el7.x86_64
tigervnc-server-1.8.0-17.el7.x86_64


How reproducible:

On our system, we can reproduce it trivially, though I am not sure if that is a behavior of our specific configuration.

Steps to Reproduce:
1. Install tigervnc
2. Setup an Xvnc session and login
3. SSH forward to a remote host providing RDP access over port 3389 (may not be necessary)
4. xfreerdp /u:user /p:password /v:127.0.0.1
5. Close xfreerdp

Actual results:

/usr/bin/Xvnc segfaults


Expected results:

xfreerdp closes without crashing Xvnc


Additional info:

The attached patch simply checks to make sure cw->damage is not null before calling DamageUnregister() and DamageEmpty(). It is likely that the only part of the patch that is necessary to fix this bug is the one that modifies compalloc.c; the changes to damage.c are masked by the checks in compSetParentPixmap, but I do not know if there are other places that might call DamageUnregister in an unsafe way.
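The failure mode above, as an added example that is not the reporter's patch and not xorg-server code: a minimal model of a damage record whose unregister routine reads a field through its argument (as damage.c:1793 does), a per-window composite record whose damage pointer can be NULL, and the teardown routine with and without the NULL guard. All names (Damage, CompWindow, damage_unregister, set_parent_pixmap_patched, free_client_window) are hypothetical stand-ins, and the allocation-failure path in damage_create is just one way a model can reach the cw->damage == NULL state; the report does not establish how Xvnc got there. A fault at a small non-zero address, like the "address 0x38" in comment 7, is the usual signature of a field read through a NULL struct pointer.

```c
/*
 * Added example, not xorg-server code: models the NULL dereference in
 * DamageUnregister() reached from compSetParentPixmap(), and the guard
 * the reporter's patch adds.  Every identifier is a hypothetical stand-in.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct { int id; } Drawable;

/* Stand-in for DamageRec: the first thing unregister does is read pDrawable. */
typedef struct {
    Drawable *pDrawable;
    int registered;
} Damage;

/* Stand-in for the per-window composite state; cw->damage is the pointer
 * that was NULL in the reported backtrace. */
typedef struct {
    Damage *damage;
    int redirected;
} CompWindow;

/* Stand-in for DamageCreate(): `fail` simulates an allocation failure,
 * leaving the window with composite state but no damage record. */
static Damage *damage_create(Drawable *d, int fail)
{
    if (fail)
        return NULL;
    Damage *dm = calloc(1, sizeof *dm);
    if (dm) {
        dm->pDrawable = d;
        dm->registered = 1;
    }
    return dm;
}

/* Like DamageUnregister(): trusts its argument, so a NULL pointer faults on
 * the very first field access (address 0 + offsetof(Damage, pDrawable)). */
static void damage_unregister(Damage *pDamage)
{
    Drawable *pDrawable = pDamage->pDrawable;   /* SIGSEGV if pDamage == NULL */
    (void)pDrawable;
    pDamage->registered = 0;
}

/* Like DamageEmpty(): also dereferences unconditionally. */
static void damage_empty(Damage *pDamage)
{
    pDamage->registered = 0;   /* placeholder for clearing the damage region */
}

/* Unpatched teardown: the calls are unconditional, so a window that never
 * got a damage record crashes the server when its resources are freed. */
static void set_parent_pixmap_unpatched(CompWindow *cw)
{
    damage_unregister(cw->damage);
    damage_empty(cw->damage);
    cw->redirected = 0;
}

/* Patched teardown: guard both calls on cw->damage.  Ownership of the
 * record is left to the caller, as the guard alone does not free anything.
 * Returns 1 if a damage record was unregistered, 0 if there was none. */
static int set_parent_pixmap_patched(CompWindow *cw)
{
    int had_damage = 0;
    if (cw->damage) {
        damage_unregister(cw->damage);
        damage_empty(cw->damage);
        had_damage = 1;
    }
    cw->redirected = 0;
    return had_damage;
}

/* Stand-in for compFreeClientWindow(): tear down, then release the record.
 * free(NULL) is a no-op, so the no-damage window is safe here as well. */
static int free_client_window(CompWindow *cw)
{
    int had_damage = set_parent_pixmap_patched(cw);
    free(cw->damage);
    cw->damage = NULL;
    return had_damage;
}

int main(void)
{
    Drawable dr = { 7 };

    /* Window whose damage record exists: both versions are fine. */
    CompWindow ok = { damage_create(&dr, 0), 1 };
    set_parent_pixmap_unpatched(&ok);
    printf("window with damage: redirected=%d registered=%d\n",
           ok.redirected, ok.damage->registered);
    free(ok.damage);

    /* Window whose damage record was never created: only the guarded
     * teardown survives (the unpatched one would fault on NULL). */
    CompWindow bad = { damage_create(&dr, 1), 1 };
    printf("window without damage: freed %d damage record(s)\n",
           free_client_window(&bad));
    return 0;
}
```

The test below exercises only the guarded path on the NULL case; calling set_parent_pixmap_unpatched() on the `bad` window would reproduce the segfault rather than a checkable result.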

The GDB and stacktrace are as follows:

Program received signal SIGSEGV, Segmentation fault.
DamageUnregister (pDamage=0x0) at damage.c:1793
1793	    DrawablePtr pDrawable = pDamage->pDrawable;
(gdb) bt
#0  DamageUnregister (pDamage=0x0) at damage.c:1793
#1  0x000000000051f9e7 in compSetParentPixmap (pWin=pWin@entry=0x14290a0) at compalloc.c:640
#2  0x000000000051fc81 in compFreeClientWindow (pWin=0x14290a0, id=<optimized out>) at compalloc.c:285
#3  0x000000000051a739 in FreeCompositeClientWindow (value=<optimized out>, ccwid=<optimized out>) at compext.c:74
#4  0x0000000000597af2 in doFreeResource (res=0x2d29290, skip=0) at resource.c:880
#5  0x00000000005986ce in FreeResource (id=944, skipDeleteFuncType=skipDeleteFuncType@entry=0) at resource.c:910
#6  0x000000000051f081 in compUnredirectWindow (pClient=0x1051530, pWin=pWin@entry=0x14290a0, update=update@entry=0) at compalloc.c:330
#7  0x000000000051b9c3 in compCheckBackingStore (pWin=0x14290a0) at compinit.c:131
#8  compChangeWindowAttributes (pWin=0x14290a0, mask=<optimized out>) at compinit.c:152
#9  0x000000000051d489 in compDestroyWindow (pWin=0x14290a0) at compwindow.c:664
#10 0x00000000004d870e in damageDestroyWindow (pWindow=0x14290a0) at damage.c:1590
#11 0x00000000004897e0 in DbeDestroyWindow (pWin=0x14290a0) at dbe.c:1326
#12 0x00000000004d23ce in present_destroy_window (window=0x14290a0) at present_screen.c:163
#13 0x000000000059c694 in FreeWindowResources (pWin=pWin@entry=0x14290a0) at window.c:1032
#14 0x000000000059f456 in DeleteWindow (value=0x14290a0, wid=<optimized out>) at window.c:1101
#15 0x0000000000597af2 in doFreeResource (res=0x13b3250, skip=0) at resource.c:880
#16 0x00000000005986ce in FreeResource (id=41943041, skipDeleteFuncType=skipDeleteFuncType@entry=0) at resource.c:910
#17 0x000000000056de7f in ProcDestroyWindow (client=0x1428ca0) at dispatch.c:765
#18 0x0000000000573d4d in Dispatch () at dispatch.c:478
#19 0x0000000000577c4a in dix_main (argc=20, argv=0x7ffe08d61be8, envp=<optimized out>) at main.c:276
#20 0x00007f9a97f9e505 in __libc_start_main (main=0x454ed0 <main>, argc=20, argv=0x7ffe08d61be8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffe08d61bd8) at ../csu/libc-start.c:266
#21 0x00000000004563be in _start ()

Comment 2 bugzilla 2019-11-07 01:01:29 UTC
We tried the test without changes to damage.c and the crash was averted. See the newly attached patch, which is simpler and fixes the problem.

Comment 3 bugzilla 2019-11-07 01:02:12 UTC
Created attachment 1633515 [details]
Simpler fix

Comment 4 bugzilla 2019-11-07 01:05:35 UTC
I added a link to a bug that looks related, but possibly different. Both cause an Xorg crash using xfreerdp.

We do not know if this bug can be triggered without Xvnc. Note that Xvnc is statically built against the Xorg source, so first patch Xorg, then install the xorg-x11-server-source RPM and then rebuild tigervnc against it. If it is not rebuilt against the patched source then it will not fix tigervnc.

Comment 5 Adam Jackson 2020-03-19 18:22:03 UTC
Can you try with this patch instead?

https://gitlab.freedesktop.org/xorg/xserver/-/commit/5096fcd492b1efd178773748e5f42177439426d6

Comment 6 Götz Waschk 2020-03-19 19:51:53 UTC
(In reply to Adam Jackson from comment #5)
> Can you try with this patch instead?
> 
> https://gitlab.freedesktop.org/xorg/xserver/-/commit/5096fcd492b1efd178773748e5f42177439426d6

I have recompiled xorg-x11-server with that patch and compiled tigervnc against it. Now, Xvnc no longer segfaults. I can X the xfreerdp window or I can disconnect from Windows, no crash so far.

Comment 7 Michael Watters 2020-03-31 14:01:57 UTC
I've seen the same issue happen when closing an xterm as well. The Xvnc process segfaults with an error like this.

(EE) Backtrace:
(EE) 0: /usr/bin/Xvnc (xorg_backtrace+0x55) [0x5c31d5]
(EE) 1: /usr/bin/Xvnc (0x400000+0x1c6b39) [0x5c6b39]
(EE) 2: /usr/lib64/libpthread.so.0 (0x7f8aebb6f000+0xf5f0) [0x7f8aebb7e5f0]
(EE) 3: /usr/bin/Xvnc (DamageUnregister+0x10) [0x4d8350]
(EE) 4: /usr/bin/Xvnc (compSetParentPixmap+0x37) [0x51f787]
(EE) 5: /usr/bin/Xvnc (compFreeClientWindow+0x231) [0x51fa21]
(EE) 6: /usr/bin/Xvnc (0x400000+0x11a4b9) [0x51a4b9]
(EE) 7: /usr/bin/Xvnc (0x400000+0x197952) [0x597952]
(EE) 8: /usr/bin/Xvnc (FreeResource+0xde) [0x59852e]
(EE) 9: /usr/bin/Xvnc (compUnredirectWindow+0xb1) [0x51ee21]
(EE) 10: /usr/bin/Xvnc (0x400000+0x11b743) [0x51b743]
(EE) 11: /usr/bin/Xvnc (compDestroyWindow+0x179) [0x51d219]
(EE) 12: /usr/bin/Xvnc (0x400000+0xd85de) [0x4d85de]
(EE) 13: /usr/bin/Xvnc (0x400000+0x89710) [0x489710]
(EE) 14: /usr/bin/Xvnc (0x400000+0xd22be) [0x4d22be]
(EE) 15: /usr/bin/Xvnc (0x400000+0x19c504) [0x59c504]
(EE) 16: /usr/bin/Xvnc (DeleteWindow+0x246) [0x59f2e6]
(EE) 17: /usr/bin/Xvnc (0x400000+0x197952) [0x597952]
(EE) 18: /usr/bin/Xvnc (FreeResource+0xde) [0x59852e]
(EE) 19: /usr/bin/Xvnc (ProcDestroyWindow+0x8f) [0x56dbef]
(EE) 20: /usr/bin/Xvnc (Dispatch+0x31d) [0x573abd]
(EE) 21: /usr/bin/Xvnc (dix_main+0x39a) [0x5779ba]
(EE) 22: /usr/lib64/libc.so.6 (__libc_start_main+0xf5) [0x7f8ae96ac505]
(EE) 23: /usr/bin/Xvnc (0x400000+0x5632e) [0x45632e]
(EE)
(EE) Segmentation fault at address 0x38

Comment 8 Götz Waschk 2020-10-14 12:31:23 UTC
I think this was fixed in xorg-x11-server-1.20.4-10 and the rebuilt vncserver packages. At least I cannot reproduce it anymore.

Comment 11 RHEL Program Management 2021-05-07 07:30:25 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.