Bug 790749

Summary: race that can lead to accessing freed memory
Product: Red Hat Enterprise Linux 6 Reporter: Yonit Halperin <yhalperi>
Component: spice-serverAssignee: Alon Levy <alevy>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.2CC: acathrow, alevy, cfergeau, dblechte, djasa, mkenneth, mkrcmari
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spice-server-0.10.1-3.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 12:17:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Yonit Halperin 2012-02-15 10:35:29 UTC 
Description of problem:

The channel event SPICE_CHANNEL_EVENT_DISCONNECTED is sent to qemu from the main thread context. However, the display and cursor channels, which run in different threads, can be already destroyed, together with the SpiceChannelEventInfo which is referenced in the above channel_event.

I saw it when I tested my patches for 788444 769512. I Added a print in qemu
when we expect SpiceChannelEventInfo with extended address flag set, and we receive the unset flag.
The error msg looks like "spice: channel_event, extended address is expected".
The above bug cause this msg to sometimes appear when the client disconnects, since the SpiceChannelEventInfo memory is no longer valid.
I saw it when the client disconnected from a src server during migration.
Reproducing the bug in this manner will be possible only after the patches for 788444 769512 are in the build.
Comment 2 Alon Levy 2012-02-20 11:59:57 UTC 
patch upstream:

commit 5ec8515508828ecf5055de220cb0cc0f3c997a27
Author: Alon Levy <alevy>
Date:   Wed Feb 15 15:04:04 2012 +0200

    server, separate SpiceChannelEventInfo from RedStream
    
    fixes rhbz 790749 use after free of SpiceChannelEventInfo.
    
    The lifetime of the SpiceChannelEventInfo was that of RedsStream, but it
    is used by main_dispatcher_handle_channel_event after the RedsStream is
    freed for the cursor and display channels. Making SCEI allocation be at
    RedsStream allocation, and deallocation after the DESTROY event is
    processed by core->channel_event, fixes use after free.
Comment 6 David Jaša 2012-03-02 21:05:57 UTC 
Based on developer description, it seems like one-time fix that shouldn't be tested regularly.

Alon, Yonit, if you think that this bug can regress, please reply and add 100% step-by-step reproducer.
Comment 7 David Jaša 2012-04-16 16:25:04 UTC 
On hosts with spice-server-0.10.1-5.el6.x86_64 and qemu-kvm-0.12.1.2-2.270.el6.x86_64, I could not see nothing similar to "spice: channel_event, extended address is expected" after successive migrations so I think this can be marked as VERIFIED now.
Comment 10 errata-xmlrpc 2012-06-20 12:17:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0765.html