Bug 855870

Summary: Remote-viewer segfaults during spice migration with SSL when running from cli
Product: Red Hat Enterprise Linux 6
Reporter: Marian Krcmarik <mkrcmari>
Component: spice-gtk
Assignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA
QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified
Priority: low
Version: 6.4
CC: acathrow, bili, cfergeau, dblechte, lnovich, marcandre.lureau, mjenner, pvine
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: spice-gtk-0.20-1.el6
Doc Type: Bug Fix
Doc Text: No description necessary
Last Closed: 2013-11-21 08:24:47 UTC
Type: Bug

Description Marian Krcmarik 2012-09-10 13:19:20 UTC
Description of problem:
Remote-viewer segfaults during spice migration with encrypted channels when it is started from command line. It prevents us from using our SSL migration automated test with remote-viewer connected in autotest framework successfully.

remote-viewer command line:
remote-viewer spice://localhost?tls-port=3002,port=3001 --spice-ca-file=/tmp/spice_x509d/ca-cert.pem  --spice-host-subject="C=CZ,L=BRNO,O=SPICE,CN=my Server"

source qemu command line:
/usr/libexec/qemu-kvm -m 1024 -smp 1 -vga qxl -enable-kvm -spice port=3001,tls-port=3002,password=123,x509-dir=/tmp/spice_x509d/,x509-key-password=testPassPhrase,tls-channel=inputs -device virtio-serial-pci,id=virtio-serial0,bus=pci.0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device AC97 /dev/rootvg/Windows7_test -monitor stdio

qemu monitor commands for migrating:
__com.redhat_spice_migrate_info localhost 3011 3012 "C=CZ,L=BRNO,O=SPICE,CN=my Server"
migrate -d tcp:0:5811

From gdb:
Program received signal SIGSEGV, Segmentation fault.
SSL_write (s=0x0, buf=0x1ce1c08, num=6) at ssl_lib.c:974
974		if (s->handshake_func == 0)
(gdb) thread apply all bt

Thread 1 (Thread 0x7f12afeb8940 (LWP 26674)):
#0  SSL_write (s=0x0, buf=0x1ce1c08, num=6) at ssl_lib.c:974
#1  0x000000379aa17363 in spice_channel_flush_wire (channel=<value optimized out>, data=
    0x1ce1c08, datalen=6) at spice-channel.c:766
#2  0x000000379aa17558 in spice_channel_write (channel=0x1c64040 [SpiceMainChannel], 
    data=<value optimized out>, len=<value optimized out>) at spice-channel.c:843
#3  0x000000379aa17d67 in spice_channel_write_msg (channel=<value optimized out>, out=
    0x1cbed20) at spice-channel.c:869
#4  0x000000379aa1ae3e in spice_channel_iterate_write (channel=
    0x1c64040 [SpiceMainChannel]) at spice-channel.c:1983
#5  0x000000379aa18ff1 in spice_channel_iterate (data=0x1c64040) at spice-channel.c:2044
#6  spice_channel_coroutine (data=0x1c64040) at spice-channel.c:2225
#7  0x000000379aa3f72b in coroutine_trampoline (cc=0x1c640f8) at coroutine_ucontext.c:56
#8  0x000000379aa3f6e3 in continuation_trampoline (i0=<value optimized out>, 
    i1=<value optimized out>) at continuation.c:49
#9  0x00000037b4643630 in ?? () from /lib64/libc.so.6
#10 0x0000000001c644c0 in ?? ()
#11 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):
All RHEL6.3 packages
As well as on latest:
spice-gtk-0.13.29-1.el6.x86_64
virt-viewer-0.5.2-10.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Start qemu-kvm instance with SSL support.
2. Start remote-viewer from command line and successfully connect to the guest.
3. Migrate
  
Actual results:
Segfault of remote-viewer

Expected results:
No segfault

Additional info:
it does not happen without SSL or with spicec and SSL

Comment 2 Marian Krcmarik 2012-09-11 08:42:50 UTC
*** Bug 856068 has been marked as a duplicate of this bug. ***

Comment 3 Marc-Andre Lureau 2012-10-17 09:36:14 UTC
Can you reproduce with current rhel? spice-gtk 0.14-3 & virt-viewer 0.5.2-13? (I can't)

Comment 4 Marian Krcmarik 2012-10-17 12:12:39 UTC
(In reply to comment #3)
> Can you reproduce with current rhel? spice-gtk 0.14-3 & virt-viewer
> 0.5.2-13? (I can't)

Yes I can, I'll attach certs I am using, otherwise everything is valid as described in description which means:

1. Running a qemu like:
/usr/libexec/qemu-kvm -m 1024 -smp 1 -vga qxl -enable-kvm -spice port=3001,tls-port=3002,password=123,x509-dir=/tmp/spice_x509d/,x509-key-password=testPassPhrase,tls-channel=inputs -device virtio-serial-pci,id=virtio-serial0,bus=pci.0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device AC97 /dev/rootvg/Windows7_test -monitor stdio

2. Connecting to the guest like:
remote-viewer spice://localhost?tls-port=3002,port=3001 --spice-ca-file=/tmp/spice_x509d/ca-cert.pem  --spice-host-subject="C=CZ,L=BRNO,O=SPICE,CN=my Server"

3. Starting destination qemu.

4. Migrating:
__com.redhat_spice_migrate_info localhost 3011 3012 "C=CZ,L=BRNO,O=SPICE,CN=my Server"
migrate -d tcp:0:5811

Comment 9 Marc-Andre Lureau 2012-10-18 10:41:16 UTC
I am afraid I really can't reproduce the issue. I am using the same cert, same command line argument and monitor command, with

spice-server-0.12.0-1.el6.x86_64
qemu-kvm-0.12.1.2-2.325.el6.x86_64
spice-gtk-0.14-3.el6.x86_64
virt-viewer-0.5.2-14.el6.x86_64

Comment 10 Marc-Andre Lureau 2012-10-18 10:42:45 UTC
please provide full log of both qemu instance and remote-viewer with G_MESSAGES_DEBUG=all SPICE_DEBUG=1

Comment 11 Marc-Andre Lureau 2012-10-18 10:47:09 UTC
I just noticed that the spice server is not checking password when using cert, I will try to dig in that direction

Comment 12 Marc-Andre Lureau 2012-10-18 10:52:05 UTC
(In reply to comment #11)
> I just noticed that the spice server is not checking password when using
> cert, I will try to dig in that direction

ok, my bad, I had disable-ticketing...
- we should error out if both disable-ticketing and password arguments are given
- now remote-viewer crashes immediately with double free error!

Comment 13 Christophe Fergeau 2012-10-18 11:26:16 UTC
remote-viewer has this known double-free related to setting the SPICE ticket, dunno if that is what you are experiencing https://bugzilla.redhat.com/show_bug.cgi?id=867248

Comment 14 Marc-Andre Lureau 2012-10-18 12:07:56 UTC
(In reply to comment #13)
> remote-viewer has this known double-free related to setting the SPICE
> ticket, dunno if that is what you are experiencing
> https://bugzilla.redhat.com/show_bug.cgi?id=867248

even with that double-free reverted, I still can't reproduce the crash.

Please Marian, provide additional information as requested.

Comment 16 RHEL Program Management 2012-12-14 08:46:27 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 18 Marc-Andre Lureau 2013-02-20 16:33:23 UTC
I couldn't reproduce because the command line for virt-viewer was using "," instead of "&", so in fact, all the channels were connected in tls, and after migration, switched to plain connection.

This triggers a code path that ultimately crashes in SSL_write (s=0x0...), all we need to do is swap the channel tls state.

patch sent to ML

Comment 19 Marc-Andre Lureau 2013-02-20 17:10:20 UTC
also it would be nice to warn if URI parsing is invalid, patch on the ML
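
Comments 18 and 19 trace the crash to a URI query that used "," instead of "&" and ask for a warning when URI parsing is invalid. The following is an added example, not spice-gtk code and not the patch sent to the ML: a strict query parser that rejects the URI from the report and accepts the "&" form. The names spice_ports, parse_port and parse_spice_query are hypothetical, and only the "port" and "tls-port" keys are handled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result type for this example; not a spice-gtk structure. */
struct spice_ports { int port; int tls_port; };

/* Digits only, 1..65535; trailing text such as ",port=3001" is an error. */
static int parse_port(const char *s)
{
    char *end;
    long v = strtol(s, &end, 10);
    if (*s < '0' || *s > '9' || *end != '\0' || v < 1 || v > 65535)
        return -1;
    return (int)v;
}

/* Parse "port" and "tls-port" from the query; 0 on success, -1 if invalid. */
int parse_spice_query(const char *uri, struct spice_ports *out)
{
    char buf[256], *pair, *next, *eq;
    const char *q = strchr(uri, '?');
    int *dst;
    out->port = out->tls_port = 0;
    if (q == NULL || strlen(q + 1) >= sizeof(buf))
        return q == NULL ? 0 : -1;   /* no query is fine, an oversized one is not */
    strcpy(buf, q + 1);
    for (pair = buf; pair != NULL && *pair != '\0'; pair = next) {
        if ((next = strchr(pair, '&')) != NULL)
            *next++ = '\0';          /* "&" is the only pair separator */
        if ((eq = strchr(pair, '=')) == NULL)
            return -1;
        *eq++ = '\0';
        dst = strcmp(pair, "port") == 0 ? &out->port :
              strcmp(pair, "tls-port") == 0 ? &out->tls_port : NULL;
        if (dst != NULL && (*dst = parse_port(eq)) < 0) {
            fprintf(stderr, "invalid %s value '%s' in URI\n", pair, eq);
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    struct spice_ports p;
    /* URI exactly as typed in the report: warns and exits non-zero. */
    return parse_spice_query("spice://localhost?tls-port=3002,port=3001", &p) ? 1 : 0;
}
```

With the comma form the whole string "3002,port=3001" is the value of tls-port, so the parser reports it instead of starting a session with only a TLS port configured.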

Comment 28 errata-xmlrpc 2013-11-21 08:24:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1577.html