1283925 – segfault in network::TcpListener::TcpListener

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1283925 - segfault in network::TcpListener::TcpListener

Summary: segfault in network::TcpListener::TcpListener

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	tigervnc
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Grulich
QA Contact:	Desktop QE
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1302324 1415028 (view as bug list)
Depends On:
Blocks:	1203710 1297830 1304700
TreeView+	depends on / blocked

Reported:	2015-11-20 10:03 UTC by Jim Minter
Modified:	2020-03-11 14:59 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1304700 (view as bug list)
Environment:
Last Closed:	2016-11-04 01:29:30 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Patch to fix the crash in TcpListener (562 bytes, patch) 2015-12-09 08:34 UTC, Jan Grulich	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2237	0	normal	SHIPPED_LIVE	tigervnc bug fix and enhancement update	2016-11-03 13:28:30 UTC

Description Jim Minter 2015-11-20 10:03:05 UTC

Description of problem:

Xvnc segfaults when launched from inetd

Version-Release number of selected component (if applicable):

Latest RHEL 7.2 - tigervnc-server-1.3.1-3.el7.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Add following to /etc/xinetd.d/rfb:

service rfb
{
        protocol = tcp
        wait = no
        user = nobody
        server = /usr/bin/Xvnc
        server_args = -inetd -query localhost -once -SecurityTypes None
}

2. Attempt to vnc to box on :5900

Actual results:

VNC session fails to launch, Xvnc segfaults

Expected results:

VNC session launches, GDM screen presented (this worked fine in RHEL 7.1)

Additional info:

Running GDB on core file created shows segfault in this line:

Core was generated by `Xvnc -inetd -query localhost -once -SecurityTypes None'.
Program terminated with signal 11, Segmentation fault.
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
426	  if ((sock = socket (listenaddr->sa_family, SOCK_STREAM, 0)) < 0)

It turns out that listenaddr is NULL.

(gdb) bt
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
#1  0x000000000044794e in displayNumFree (num=num@entry=0) at xvnc.cc:355
#2  0x000000000044d2eb in ddxProcessArgument (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98, i=i@entry=1) at xvnc.cc:580
#3  0x00000000005bf34f in ProcessCommandLine (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98) at utils.c:689
#4  0x000000000056d629 in dix_main (argc=7, argv=0x7ffe72cbdd98, envp=0x7ffe72cbddd8) at main.c:146
#5  0x00007f0eef251b15 in __libc_start_main (main=0x449ad0 <main>, argc=7, ubp_av=0x7ffe72cbdd98, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffe72cbdd88) at libc-start.c:274
#6  0x000000000044ad8d in _start ()

In displayNumFree, the logic repeatedly tries to find a display number, but NULL is passed directly into network::TcpListener::TcpListener and then dereferenced.  This is a clear logic bug.

(gdb) l xvnc.cc:355
350	
351	static 
352	bool displayNumFree(int num)
353	{
354	    try {
355		network::TcpListener l(NULL, 6000+num);
356	    } catch (rdr::Exception& e) {
357		return false;
358	    }
359	    char file[256];

A sort of workaround is to change

        server_args = -inetd -query localhost -once -SecurityTypes None

to

        server_args = :1 -inetd -query localhost -once -SecurityTypes None

in /etc/xinetd.d/rfb, as this bypasses the flawed logic.  However this prevents multiple concurrent logins via VNC/XDM to the box.

Comment 2 Jonathan Billings 2015-12-07 16:25:20 UTC

We have also encountered this bug.

You can trigger it by simply running:

/usr/bin/Xvnc -inetd

Comment 3 Jan Grulich 2015-12-09 08:34:29 UTC

Created attachment 1103810 [details]
Patch to fix the crash in TcpListener

Here is proposed patch to fix this crash. It actually comes from upstream and I just forgot to backport this part to our IPv6 patch for tigervnc.

Comment 4 Jonathan Billings 2015-12-09 13:36:44 UTC

I built a version of the package with that patch added, and have tested it on our systems that run Xvnc with the -inetd option, and they no longer segfault when starting, so I can confirm that the patch works.

Comment 5 John Hodrien 2016-01-11 12:25:02 UTC

Another confirmation of the patch solving the problem.

Comment 7 Paul 2016-01-15 02:42:15 UTC

We have two client sites that are experiencing this issue. VNC server is a critical component of our product. When would this patch be included in an official Red Hat update?

Comment 8 Jan Grulich 2016-01-28 08:28:45 UTC

*** Bug 1302324 has been marked as a duplicate of this bug. ***

Comment 10 Jan Grulich 2016-02-02 20:29:31 UTC

Fix commited to y-stream branch (rhel-7.3).

Comment 14 sengork 2016-05-18 06:07:51 UTC

We too are affected by this bug. Please note that disabling IPv6 will not fix this issue.

We'd love to have this working again without any interim workarounds. When will this patch be released?

Comment 15 Jan Grulich 2016-05-18 07:48:14 UTC

I don't know when this will be released, it is supposed to be fixed in RHEL 7.3 and RHEL 7.2 as z-stream fix.

Comment 16 Tomas Pelka 2016-05-18 08:31:57 UTC

(In reply to Jan Grulich from comment #15)
> I don't know when this will be released, it is supposed to be fixed in RHEL
> 7.3 and RHEL 7.2 as z-stream fix.

As Jan mentioned the fix was published within 7.2.z, see https://rhn.redhat.com/errata/RHBA-2016-0543.html, it will be automatically included in upcomming 7.3 too.

Comment 21 errata-xmlrpc 2016-11-04 01:29:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2237.html

Comment 22 Jan Grulich 2017-01-20 06:06:03 UTC

*** Bug 1415028 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.