Bug 710461
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | segfault on client after locking/unlocking KDE session | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Lubos Kocman <lkocman> |
| Component | spice-client | Assignee | Christophe Fergeau <cfergeau> |
| Status | CLOSED ERRATA | QA Contact | Desktop QE <desktop-qa-list> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 6.1 | CC | cfergeau, cmeadors, dblechte, djasa, mkenneth, uril |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | spice-client-0.8.2-1.el6 | Doc Type | Bug Fix |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2011-12-06 15:22:26 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | 502808 (thread apply all bt), 502809 (spicec log), 511721 (proposed patch) | | |

Doc Text:

Cause: Double free of a pointer (data of X-selection -- see comment 7).
Consequence: After locking/unlocking client screen, spice-client crashed (segfault).
Fix: Free this pointer only once.
Result: After locking/unlocking client screen, spice-client does not crash.
Created attachment 502808 [details]
thread apply all bt

Description of problem:
spiceclient got a segfault after locking/unlocking gnome session

Version-Release number of selected component (if applicable):

```
# rhel61x64 client/host
spice-client-0.8.0-2.el6.x86_64
qemu-kvm-0.12.1.2-2.162.el6.x86_64
glibc-2.12-1.26.el6.x86_64
# rhel61x64 guest
spice-vdagent-0.6.3-8.el6.x86_64
xorg-x11-drv-qxl-0.0.12-9.el6.x86_64
```

How reproducible: always on my setup with these options

Steps to Reproduce:
1. `/usr/libexec/qemu-kvm -m 768 -device qxl -device qxl -device qxl -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 -spice port=4003,disable-ticketing,image-compression=glz,streaming-video=on,playback-compression=on -soundhw ac97 -boot dcn -vga qxl /dev/rootvg/gst-rhel6x64 -device qxl -cdrom /home/lkocman/Downloads/RHEV-toolsSetup_2.3_395.iso -redir tcp:10000::8000`
2. `spicec -h localhost -p 4003`
3. ctrl + alt + l on the client (gnome)
4. unlock screen
5. spice-client does not respond (spice-client hangs, requires sigkill)
6. session is ok after re-execution of spicec (ad 3)

Actual results: from attached gdb (see thread apply all bt in gdb.txt)

```
Program received signal SIGSEGV, Segmentation fault.
_int_free (av=0x326ad8cea0, p=0x1b4edb0, have_lock=0) at malloc.c:4873
4873 old_idx = fastbin_index(chunksize(old));
```

strace output:

```
futex(0x326ad8cea0, FUTEX_WAIT_PRIVATE, 2, NULL
```

Expected results: no segfault or hang should appear

Additional info: qemu-kvm does not print any output so far

last line in spicec.log:

```
1307106556 WARN [10424:10424] get_selection: property contains no data (zero length)
```

Created attachment 502809 [details]
spicec log

Additional Note: Guest is using KDE Desktop. Seems like it's somehow related to spice-vdagentd, as I'm not facing this issue after stopping it.

I wasn't able to reproduce this in gnome. And it took two attempts to get it to reproduce on KDE (then once it happened, I'm falling into this issue always). kdebase-4.3.4-4.el6.x86_64

I installed a rhel6.1 guest with vdagent and KDE, locked the guest screen several times with ctrl+alt+l but couldn't reproduce this issue :-/ (host is a fedora 15 system though, with spice-client 0.8.1 compiled from source)

I managed to reproduce thanks to Uri. It's the desktop where spicec runs that has to be locked, not the desktop running inside the guest. The crash seems related to agent copy and paste support too, so before locking I copied some rich text from OOo outside of the guest, then locked, and spicec had crashed after unlocking.

This is caused by a double free in client/x11/platform.cpp, first in get_selection() in the exit: case with ret_val == -1 and data != NULL. In this case, *data_ret (which is returned to the caller) has already been assigned "data", so it's pointing to freed memory. Then in handle_selection_notify, get_selection_free is called on this pointer and will attempt to free it again.

Created attachment 511721 [details]
proposed patch

An alternative would be not to call get_selection_free() in handle_selection_notify() when len == 0.

The patch from comment #8 has been committed to spice git master.

This bug fix is available in spice 0.8.2 which is being pushed to RHEL 6.2, see https://brewweb.devel.redhat.com/buildinfo?buildID=173449 and https://brewweb.devel.redhat.com/buildinfo?buildID=174105

VERIFIED in 0.8.2-7, no crash or hang occurs.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: Double free of a pointer (data of X-selection -- see comment 7).
Consequence: After locking/unlocking client screen, spice-client crashed (segfault).
Fix: Free this pointer only once.
Result: After locking/unlocking client screen, spice-client does not crash.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2011-1518.html
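The ownership mistake analysed in comment 7, as an added example that is not spice's own code: the Xlib call and the allocator are replaced by hypothetical stubs (`stub_get_property`, `acquire`, `release`) so the zero-length `exit:` path runs and the second free is counted instead of crashing in glibc's `_int_free` as in the attached backtrace.

```cpp
// Added example, not spice's own code: a minimal model of the double free from comment 7.
// Xlib is stubbed to return a zero-length property so the exit: path runs, and frees are
// tracked so the second free is counted instead of corrupting the heap.
#include <cstdlib>
#include <set>
static std::set<void*> live;    // buffers handed out and not yet released
static int double_frees = 0;    // releases of a pointer that had already been freed

static unsigned char* acquire(size_t n) { void* p = malloc(n); live.insert(p); return (unsigned char*)p; }
static void release(void* p) {
    if (p == NULL) return;
    if (live.erase(p) == 0) { ++double_frees; return; }   // real code: heap corruption / SIGSEGV
    free(p);
}
// Stand-in for XGetWindowProperty: Xlib allocates a buffer even when nitems is 0.
static void stub_get_property(unsigned char** data, long* nitems) { *data = acquire(1); *nitems = 0; }

// Buggy shape of get_selection(): *data_ret already aliases `data` when the exit: path
// frees it, so the caller gets back a dangling pointer together with ret_val == -1.
static int get_selection_buggy(unsigned char** data_ret) {
    unsigned char* data = NULL; long len = 0; int ret_val = -1;
    stub_get_property(&data, &len);
    *data_ret = data;
    if (len == 0) goto exit;   // "get_selection: property contains no data (zero length)"
    ret_val = (int)len;
exit:
    if (ret_val == -1 && data != NULL) release(data);
    return ret_val;
}
// Fixed shape: the path that frees the buffer also clears the caller's copy of the
// pointer, so there is exactly one owner and the caller's free becomes a no-op.
static int get_selection_fixed(unsigned char** data_ret) {
    unsigned char* data = NULL; long len = 0; int ret_val = -1;
    stub_get_property(&data, &len);
    *data_ret = data;
    if (len == 0) goto exit;
    ret_val = (int)len;
exit:
    if (ret_val == -1 && data != NULL) { release(data); *data_ret = NULL; }
    return ret_val;
}
static void get_selection_free(unsigned char* data) { release(data); }

// Caller shaped like handle_selection_notify(): frees whatever it was handed.
// Returns the number of double frees the run produced; only 0 is acceptable.
static int run_selection_notify(int (*get_selection)(unsigned char**)) {
    double_frees = 0;
    unsigned char* data = NULL;
    int len = get_selection(&data); (void)len;   // real code would send `len` bytes to the agent
    get_selection_free(data);                    // second free on the buggy path
    return double_frees;
}
```

The alternative raised in comment 9 (skip `get_selection_free()` in the caller on the zero-length path) removes the second free from the other side; either way the rule is that exactly one of callee and caller owns the buffer.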