Bug 867248

Summary: virt-viewer crashed when connect to a spice guest with incorrect graphic password.
Product: Red Hat Enterprise Linux 6 Reporter: Geyang Kong <gkong>
Component: virt-viewerAssignee: Daniel Berrangé <berrange>
Status: CLOSED ERRATA QA Contact: Virtualization Bugs <virt-bugs>
Severity: high Docs Contact:
Priority: high    
Version: 6.4CC: cfergeau, dallan, dblechte, dyasny, mjenner, mzhan, tzheng, yupzhang, zpeng
Target Milestone: rcKeywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: virt-viewer-0.5.2-15.el6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-21 09:33:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Geyang Kong 2012-10-17 06:53:24 UTC 
Description of problem:
  virt-viewer crashed when connect to a spice guest with incorrect graphic password.

Version-Release number of selected component (if applicable):
virt-viewer-0.5.2-14.el6.x86_64
spice-gtk-0.14-3.el6.x86_64
spice-server-0.12.0-1.el6.x86_64
spice-vdagent-0.8.1-3.el6.x86_64
spice-gtk-python-0.14-3.el6.x86_64
spice-glib-0.14-3.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Have a spice+qxl guest with graphic password
2. Run virt-viewer $guestname --debug
3. Input a wrong password and press OK.
4. Input the right password and paress OK.

Actual results:
1. After step 4, virt-viewer crashed and closed.

Expected results:
1. After step 4, virt-viewer stayed alive and connect to the guest

Additional info:
1. This bug cannot be reproduced by virt-viewer-0.5.2-13.el6.x86_64
2. Following is the debug info and backtrace.
[root@KP-T1 ~]# virt-viewer T1 --debug
** (virt-viewer:10077): DEBUG: Insert window 0 0x13690c0
** (virt-viewer:10077): DEBUG: fullscreen display 0: 0
** (virt-viewer:10077): DEBUG: fullscreen display 0: 0
** (virt-viewer:10077): DEBUG: Opening connection to libvirt with URI <null>
** (virt-viewer:10077): DEBUG: Add handle 7 1 0x13ca100
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: Guest T1 is running, determining display
** (virt-viewer:10077): DEBUG: Set connect info: (null),(null),(null),-1,(null),(null),(null),0
** (virt-viewer:10077): DEBUG: Guest T1 has a spice display
** (virt-viewer:10077): DEBUG: Guest graphics address is 0.0.0.0:5900
** (virt-viewer:10077): DEBUG: Guest graphics listen '0.0.0.0' is NULL or a wildcard, replacing with 'localhost'
** (virt-viewer:10077): DEBUG: Set connect info: localhost,localhost,5900,-1,(null),(null),(null),0
** (virt-viewer:10077): DEBUG: Error operation virDomainOpenGraphics forbidden for read only access
** (virt-viewer:10077): DEBUG: After open connection callback fd=-1
** (virt-viewer:10077): DEBUG: Opening direct TCP connection to display at localhost:5900:-1
** (virt-viewer:10077): DEBUG: New spice channel 0x13ee930 SpiceMainChannel 0
** (virt-viewer:10077): DEBUG: Checking full screen auto-conf
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: Add timeout 0x13edc70 -1 0x7f5b3df13990 0x13ca8c0 1
** (virt-viewer:10077): DEBUG: main channel: auth failure (wrong password?)
** (virt-viewer:10077): DEBUG: New spice channel 0x15210e0 SpiceMainChannel 0
** (virt-viewer:10077): DEBUG: Checking full screen auto-conf
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: Destroy SPICE channel SpiceMainChannel 0
** (virt-viewer:10077): DEBUG: zap main channel
** (virt-viewer:10077): DEBUG: main channel: auth failure (wrong password?)
** (virt-viewer:10077): DEBUG: New spice channel 0x1521ca0 SpiceMainChannel 0
** (virt-viewer:10077): DEBUG: Checking full screen auto-conf
** (virt-viewer:10077): DEBUG: notebook show status 0x13681e0
** (virt-viewer:10077): DEBUG: Destroy SPICE channel SpiceMainChannel 0
** (virt-viewer:10077): DEBUG: zap main channel
*** glibc detected *** virt-viewer: free(): invalid pointer: 0x000000000151d510 ***
======= Backtrace: =========
/lib64/libc.so.6[0x395dc75366]
/lib64/libglib-2.0.so.0(g_array_free+0x7a)[0x3d4c813dda]
/usr/lib64/libspice-client-glib-2.0.so.8[0x3dfc41aa40]
/lib64/libgobject-2.0.so.0(g_object_unref+0x15f)[0x3d4d40dacf]
/usr/lib64/libspice-client-glib-2.0.so.8[0x3dfc41957d]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x22e)[0x3d4c838f0e]
/lib64/libglib-2.0.so.0[0x3d4c83c938]
/lib64/libglib-2.0.so.0(g_main_loop_run+0x195)[0x3d4c83cd55]
/usr/lib64/libgtk-x11-2.0.so.0(gtk_main+0xa7)[0x3d4fd4c307]
virt-viewer(main+0x6fa)[0x41df5a]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x395dc1ecdd]
virt-viewer[0x40b999]
======= Memory map: ========
00400000-00428000 r-xp 00000000 08:03 407485                             /usr/bin/virt-viewer
00627000-00629000 rw-p 00027000 08:03 407485                             /usr/bin/virt-viewer
012f2000-01811000 rw-p 00000000 00:00 0                                  [heap]
3162800000-3162840000 r-xp 00000000 08:03 417075                         /usr/lib64/libibus.so.2.0.0
3162840000-3162a40000 ---p 00040000 08:03 417075                         /usr/lib64/libibus.so.2.0.0
3162a40000-3162a42000 rw-p 00040000 08:03 417075                         /usr/lib64/libibus.so.2.0.0
3162a42000-3162a43000 rw-p 00000000 00:00 0 
3162c00000-3162c17000 r-xp 00000000 08:03 400425                         /usr/lib64/libgvfscommon.so.0.0.0
3162c17000-3162e16000 ---p 00017000 08:03 400425                         /usr/lib64/libgvfscommon.so.0.0.0
3162e16000-3162e17000 rw-p 00016000 08:03 400425                         /usr/lib64/libgvfscommon.so.0.0.0
3164800000-3164804000 r-xp 00000000 08:03 417856                         /usr/lib64/libcanberra-gtk.so.0.1.5
3164804000-3164a03000 ---p 00004000 08:03 417856                         /usr/lib64/libcanberra-gtk.so.0.1.5
3164a03000-3164a04000 rw-p 00003000 08:03 417856                         /usr/lib64/libcanberra-gtk.so.0.1.5
395d400000-395d420000 r-xp 00000000 08:03 664415                         /lib64/ld-2.12.so
395d61f000-395d620000 r--p 0001f000 08:03 664415                         /lib64/ld-2.12.so
395d620000-395d621000 rw-p 00020000 08:03 664415                         /lib64/ld-2.12.so
395d621000-395d622000 rw-p 00000000 00:00 0 
395d800000-395d802000 r-xp 00000000 08:03 664420                         /lib64/libdl-2.12.so
395d802000-395da02000 ---p 00002000 08:03 664420                         /lib64/libdl-2.12.so
395da02000-395da03000 r--p 00002000 08:03 664420                         /lib64/libdl-2.12.so
395da03000-395da04000 rw-p 00003000 08:03 664420                         /lib64/libdl-2.12.so
395dc00000-395dd89000 r-xp 00000000 08:03 664416                         /lib64/libc-2.12.so
395dd89000-395df88000 ---p 00189000 08:03 664416                         /lib64/libc-2.12.so
395df88000-395df8c000 r--p 00188000 08:03 664416                         /lib64/libc-2.12.so
395df8c000-395df8d000 rw-p 0018c000 08:03 664416                         /lib64/libc-2.12.so
395df8d000-395df92000 rw-p 00000000 00:00 0 
395e000000-395e017000 r-xp 00000000 08:03 664427                         /lib64/libpthread-2.12.so
395e017000-395e217000 ---p 00017000 08:03 664427                         /lib64/libpthread-2.12.so
395e217000-395e218000 r--p 00017000 08:03 664427                         /lib64/libpthread-2.12.so
395e218000-395e219000 rw-p 00018000 08:03 664427                         /lib64/libpthread-2.12.so
395e219000-395e21d000 rw-p 00000000 00:00 0 
395e400000-395e407000 r-xp 00000000 08:03 664428                         /lib64/librt-2.12.so
395e407000-395e606000 ---p 00007000 08:03 664428                         /lib64/librt-2.12.so
395e606000-395e607000 r--p 00006000 08:03 664428                         /lib64/librt-2.12.so
395e607000-395e608000 rw-p 00007000 08:03 664428                         /lib64/librt-2.12.so
395e800000-395e883000 r-xp 00000000 08:03 664417                         /lib64/libm-2.12.so
395e883000-395ea82000 ---p 00083000 08:03 664417                         /lib64/libm-2.12.so
395ea82000-395ea83000 r--p 00082000 08:03 664417                         /lib64/libm-2.12.so
395ea83000-395ea84000 rw-p 00083000 08:03 664417                         /lib64/libm-2.12.so
395f000000-395f015000 r-xp 00000000 08:03 664419                         /lib64/libz.so.1.2.3
395f015000-395f214000 ---p 00015000 08:03 664419                         /lib64/libz.so.1.2.3
395f214000-395f215000 r--p 00014000 08:03 664419                         /lib64/libz.so.1.2.3
395f215000-395f216000 rw-p 00015000 08:03 664419                         /lib64/libz.so.1.2.3
395f400000-395f41d000 r-xp 00000000 08:03 664425                         /lib64/libselinux.so.1
395f41d000-395f61c000 ---p 0001d000 08:03 664425                         /lib64/libselinux.so.1
395f61c000-395f61d000 r--p 0001c000 08:03 664425                         /lib64/libselinux.so.1
395f61d000-395f61e000 rw-p 0001d000 08:03 664425                         /lib64/libselinux.so.1
395f61e000-395f61f000 rw-p 00000000 00:00 0 
395f800000-395f83f000 r-xp 00000000 08:03 664439                         /lib64/libdbus-1.so.3.4.0
395f83f000-395fa3f000 ---p 0003f000 08:03 664439                         /lib64/libdbus-1.so.3.4.0
395fa3f000-395fa40000 r--p 0003f000 08:03 664439                         /lib64/libdbus-1.so.3.4.0
395fa40000-395fa41000 rw-p 00040000 08:03 664439                         /lib64/libdbus-1.so.3.4.0
395fc00000-395fc16000 r-xp 00000000 08:03 664424                         /lib64/libresolv-2.12.so
395fc16000-395fe16000 ---p 00016000 08:03 664424                         /lib64/libresolv-2.12.so
395fe16000-395fe17000 r--p 00016000 08:03 664424                         /lib64/libresolv-2.12.so
395fe17000-395fe18000 rw-p 00017000 08:03 664424                         /lib64/libresolv-2.12.so
395fe18000-395fe1a000 rw-p 00000000 00:00 0 
3961800000-3961802000 r-xp 00000000 08:03 416984                         /usr/lib64/libXau.so.6.0.0
3961802000-3961a02000 ---p 00002000 08:03 416984                         /usr/lib64/libXau.so.6.0.0
3961a02000-3961a03000 rw-p 00002000 08:03 416984                         /usr/lib64/libXau.so.6.0.0
3961c00000-3961c34000 r-xp 00000000 08:03 664468                         /lib64/libdevmapper.so.1.02
3961c34000-3961e34000 ---p 00034000 08:03 664468                         /lib64/libdevmapper.so.1.02
3961e34000-3961e37000 rw-p 00034000 08:03 664468                         /lib64/libdevmapper.so.1.02
3961e37000-3961e38000 rw-p 00000000 00:00 0 
3962800000-3962898000 r-xp 00000000 08:03 404960                         /usr/lib64/libfreetype.so.6.3.22Aborted (core dumped)
Comment 3 Christophe Fergeau 2012-10-17 08:56:55 UTC 
Patch 34 "Don-t-leak-SPICE-ticket.patch" should not be there as it is wrong and reverted upstream by http://git.fedorahosted.org/cgit/virt-viewer.git/commit/?id=a4e588e3eacf4e5590ff98171a495f8fa0e37375
Comment 6 Geyang Kong 2012-10-26 10:41:45 UTC 
Verified pass on the following build:
virt-viewer-0.5.2-16.el6

Reproduced steps:
Same as Comment 0

Actual result:
virt-viewer can connect to guest after inputting correct password and stayed operational.

So mark this bug as VERIFIED.
Comment 8 errata-xmlrpc 2013-02-21 09:33:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0361.html