Bug 1283925 - segfault in network::TcpListener::TcpListener
segfault in network::TcpListener::TcpListener
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: tigervnc (Show other bugs)
Unspecified Unspecified
high Severity medium
: rc
: ---
Assigned To: Jan Grulich
Desktop QE
: ZStream
: 1302324 1415028 (view as bug list)
Depends On:
Blocks: 1203710 1297830 1304700
  Show dependency treegraph
Reported: 2015-11-20 05:03 EST by Jim Minter
Modified: 2017-01-20 01:06 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1304700 (view as bug list)
Last Closed: 2016-11-03 21:29:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch to fix the crash in TcpListener (562 bytes, patch)
2015-12-09 03:34 EST, Jan Grulich
no flags Details | Diff

  None (edit)
Description Jim Minter 2015-11-20 05:03:05 EST
Description of problem:

Xvnc segfaults when launched from inetd

Version-Release number of selected component (if applicable):

Latest RHEL 7.2 - tigervnc-server-1.3.1-3.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Add following to /etc/xinetd.d/rfb:

service rfb
        protocol = tcp
        wait = no
        user = nobody
        server = /usr/bin/Xvnc
        server_args = -inetd -query localhost -once -SecurityTypes None

2. Attempt to vnc to box on :5900

Actual results:

VNC session fails to launch, Xvnc segfaults

Expected results:

VNC session launches, GDM screen presented (this worked fine in RHEL 7.1)

Additional info:

Running GDB on core file created shows segfault in this line:

Core was generated by `Xvnc -inetd -query localhost -once -SecurityTypes None'.
Program terminated with signal 11, Segmentation fault.
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
426	  if ((sock = socket (listenaddr->sa_family, SOCK_STREAM, 0)) < 0)

It turns out that listenaddr is NULL.

(gdb) bt
#0  network::TcpListener::TcpListener (this=0x7ffe72cbda20, listenaddr=0x0, listenaddrlen=6000)
    at /usr/src/debug/tigervnc-1.3.1/common/network/TcpSocket.cxx:426
#1  0x000000000044794e in displayNumFree (num=num@entry=0) at xvnc.cc:355
#2  0x000000000044d2eb in ddxProcessArgument (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98, i=i@entry=1) at xvnc.cc:580
#3  0x00000000005bf34f in ProcessCommandLine (argc=argc@entry=7, argv=argv@entry=0x7ffe72cbdd98) at utils.c:689
#4  0x000000000056d629 in dix_main (argc=7, argv=0x7ffe72cbdd98, envp=0x7ffe72cbddd8) at main.c:146
#5  0x00007f0eef251b15 in __libc_start_main (main=0x449ad0 <main>, argc=7, ubp_av=0x7ffe72cbdd98, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7ffe72cbdd88) at libc-start.c:274
#6  0x000000000044ad8d in _start ()

In displayNumFree, the logic repeatedly tries to find a display number, but NULL is passed directly into network::TcpListener::TcpListener and then dereferenced.  This is a clear logic bug.

(gdb) l xvnc.cc:355
351	static 
352	bool displayNumFree(int num)
353	{
354	    try {
355		network::TcpListener l(NULL, 6000+num);
356	    } catch (rdr::Exception& e) {
357		return false;
358	    }
359	    char file[256];

A sort of workaround is to change

        server_args = -inetd -query localhost -once -SecurityTypes None


        server_args = :1 -inetd -query localhost -once -SecurityTypes None

in /etc/xinetd.d/rfb, as this bypasses the flawed logic.  However this prevents multiple concurrent logins via VNC/XDM to the box.
Comment 2 Jonathan Billings 2015-12-07 11:25:20 EST
We have also encountered this bug.

You can trigger it by simply running:

/usr/bin/Xvnc -inetd
Comment 3 Jan Grulich 2015-12-09 03:34 EST
Created attachment 1103810 [details]
Patch to fix the crash in TcpListener

Here is proposed patch to fix this crash. It actually comes from upstream and I just forgot to backport this part to our IPv6 patch for tigervnc.
Comment 4 Jonathan Billings 2015-12-09 08:36:44 EST
I built a version of the package with that patch added, and have tested it on our systems that run Xvnc with the -inetd option, and they no longer segfault when starting, so I can confirm that the patch works.
Comment 5 John Hodrien 2016-01-11 07:25:02 EST
Another confirmation of the patch solving the problem.
Comment 7 Paul 2016-01-14 21:42:15 EST
We have two client sites that are experiencing this issue. VNC server is a critical component of our product. When would this patch be included in an official Red Hat update?
Comment 8 Jan Grulich 2016-01-28 03:28:45 EST
*** Bug 1302324 has been marked as a duplicate of this bug. ***
Comment 10 Jan Grulich 2016-02-02 15:29:31 EST
Fix commited to y-stream branch (rhel-7.3).
Comment 14 sengork 2016-05-18 02:07:51 EDT
We too are affected by this bug. Please note that disabling IPv6 will not fix this issue.

We'd love to have this working again without any interim workarounds. When will this patch be released?
Comment 15 Jan Grulich 2016-05-18 03:48:14 EDT
I don't know when this will be released, it is supposed to be fixed in RHEL 7.3 and RHEL 7.2 as z-stream fix.
Comment 16 Tomas Pelka 2016-05-18 04:31:57 EDT
(In reply to Jan Grulich from comment #15)
> I don't know when this will be released, it is supposed to be fixed in RHEL
> 7.3 and RHEL 7.2 as z-stream fix.

As Jan mentioned the fix was published within 7.2.z, see https://rhn.redhat.com/errata/RHBA-2016-0543.html, it will be automatically included in upcomming 7.3 too.
Comment 21 errata-xmlrpc 2016-11-03 21:29:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 22 Jan Grulich 2017-01-20 01:06:03 EST
*** Bug 1415028 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.