Bug 1285469 - crash in lz_rgb16_decompress when resizing guest monitor to size not fitting to video memory
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: spice-gtk (Show other bugs)
Priority: low
Severity: low
Target Milestone: rc
Target Release: 7.3
Assigned To: Default Assignee for SPICE Bugs
QA Contact: SPICE QE bug list
Depends On:
Reported: 2015-11-25 11:35 EST by David Jaša
Modified: 2016-11-03 21:12 EDT (History)

See Also:
Fixed In Version: spice-gtk-0.26-8.el7
Doc Type: Bug Fix
Last Closed: 2016-11-03 21:12:38 EDT
Type: Bug

Attachments
full backtrace (6.53 KB, text/plain)
2015-11-25 11:35 EST, David Jaša

External Trackers:
- FreeDesktop.org bug 92820 (priority: none, status: none, last updated: never)
- Red Hat Product Errata RHBA-2016:2229 (priority: normal, status: SHIPPED_LIVE): virt-viewer, libgovirt, spice-gtk, and usbredir bug fix and enhancement update (last updated 2016-11-03 09:26:58 EDT)

Description David Jaša 2015-11-25 11:35:27 EST
Created attachment 1098916
full backtrace

Description of problem:
A pre-WHQL driver [1] allows resizing beyond video memory limits on XP (bug 1285460). When attempting to do that, spice-gtk segfaults:
#0  0x00007ffff55590fe in lz_rgb16_decompress (encoder=encoder@entry=0x1100c20, out_buf=out_buf@entry=0x7fffb95c3210, size=size@entry=8179200) at lz_decompress_tmpl.c:305

[1] https://brewweb.devel.redhat.com/buildinfo?buildID=457801

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. have an XP VM with default video memory settings (ram/vgamem/vram: 64/16/64 MB) and the qxl driver from [1] installed
2. connect to the VM
3. change the resolution from the OS applet (right-click Desktop -> Options) to beyond 2560x1600 or 2048x2048

Actual results:
segfault occurs:
#0  0x00007ffff55590fe in lz_rgb16_decompress (encoder=encoder@entry=0x1100c20, out_buf=out_buf@entry=0x7fffb95c3210, size=size@entry=8179200) at lz_decompress_tmpl.c:305
#1  0x00007ffff5565990 in lz_decode (lz=0x1100c20, to_type=<optimized out>, buf=0x7fffb95c3210 <Address 0x7fffb95c3210 out of bounds>) at lz.c:684
#2  0x00007ffff5547a53 in canvas_get_lz (canvas=canvas@entry=0xbebcf0, image=image@entry=0xc450a4, want_original=want_original@entry=0, invers=0) at ../spice-common/common/canvas_base.c:821
#3  0x00007ffff5547d47 in canvas_get_image_internal (canvas=canvas@entry=0xbebcf0, image=0xc450a4, want_original=want_original@entry=0, real_get=real_get@entry=1) at ../spice-common/common/canvas_base.c:1110
#4  0x00007ffff554992d in canvas_draw_copy (want_original=0, image=<optimized out>, canvas=0xbebcf0) at ../spice-common/common/canvas_base.c:1285
#5  0x00007ffff554992d in canvas_draw_copy (spice_canvas=0xbebcf0, bbox=0xc45024, clip=<optimized out>, copy=0xc45048) at ../spice-common/common/canvas_base.c:2258
#6  0x00007ffff552da9a in display_handle_draw_copy (channel=0xa4fa60 [SpiceDisplayChannel], in=<optimized out>) at channel-display.c:1559
#7  0x00007ffff5524394 in spice_channel_recv_msg (channel=0xa4fa60 [SpiceDisplayChannel], msg_handler=0x7ffff5523c10 <spice_channel_handle_msg>, data=0x0) at spice-channel.c:1877
#8  0x00007ffff5524514 in spice_channel_iterate_read (channel=0xa4fa60 [SpiceDisplayChannel]) at spice-channel.c:2114
#9  0x00007ffff5525cd0 in spice_channel_coroutine (channel=0xa4fa60 [SpiceDisplayChannel]) at spice-channel.c:2152
#10 0x00007ffff5525cd0 in spice_channel_coroutine (data=0xa4fa60) at spice-channel.c:2429
#11 0x00007ffff554e7cb in coroutine_trampoline (cc=0xa4f110) at coroutine_ucontext.c:63
#12 0x00007ffff554e609 in continuation_trampoline (i0=<optimized out>, i1=<optimized out>) at continuation.c:55
#13 0x00007ffff3609110 in __start_context () at /lib64/libc.so.6
#14 0x0000000000a4f4d8 in  ()
#15 0x0000000000000000 in  ()

Expected results:
remote-viewer survives the condition and works normally after the guest reverts to the previous working resolution

Additional info:
Low priority/severity because this bug is triggered by another bug (bug 1285460).
Comment 1 Pavel Grunt 2015-11-26 05:17:01 EST
It is most likely the upstream bug https://bugs.freedesktop.org/show_bug.cgi?id=92820

David, can you test it with a different image compression type?
Comment 4 Frediano Ziglio 2016-04-14 12:22:20 EDT
In canvas_base.c line 870, stride is computed correctly only for 32-bit:

    stride = (n_comp_pixels / height) * 4;

This is causing memory corruption if top_down is false due to:

    if (!top_down) {
        stride = -stride;
        decomp_buf = src + stride * (height - 1);

I fixed it by replacing

    stride = (n_comp_pixels / height) * 4;

with

    stride = pixman_image_get_stride(lz_data->decode_data.out_surface);
    stride = abs(stride);

Note that I'm getting some glitches due to the fact that in pixman the stride is always a multiple of 4 (but this is probably another issue).
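As an added example (not Frediano's patch and not spice-common code), here is a small C model of the buffer arithmetic in comment 4: it assumes, as pixman does, that a bottom-up surface has a negative stride and its data pointer refers to its last row in memory, and the 2560x1600 RGB16 image is a constructed case, not one recovered from the backtrace.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of the buffer arithmetic from comment 4 (added example, not
 * spice-common code).  Assumption, matching pixman: a bottom-up surface has a
 * negative stride and its data pointer refers to the last row in memory. */

/* pixman pads each row to a multiple of 4 bytes. */
static long surface_stride(long width, int bpp)
{
    return ((width * bpp + 31) / 32) * 4;
}

/* The formula quoted from canvas_base.c:870: n_comp_pixels / height is the
 * width, so this is width * 4, i.e. it assumes 32 bits per pixel. */
static long buggy_stride(long width, long height)
{
    long n_comp_pixels = width * height;
    return (n_comp_pixels / height) * 4;
}

/* Returns true if decoding width*height pixels of bpp bits into a surface of
 * height*surface_stride bytes stays inside that allocation when decomp_buf is
 * positioned with the given stride.  Offsets are bytes from the start of the
 * allocation, so a negative start or an end past buf_len means corruption. */
static bool decode_in_bounds(long width, long height, int bpp,
                             bool top_down, long stride)
{
    long real = surface_stride(width, bpp);
    long buf_len = real * height;
    long src = top_down ? 0 : real * (height - 1);   /* pixman data pointer */
    long start = src;
    if (!top_down) {
        /* canvas_get_lz: stride = -stride; decomp_buf = src + stride * (height - 1); */
        start = src + (-stride) * (height - 1);
    }
    long end = start + width * height * (bpp / 8);   /* LZ output is sequential */
    return start >= 0 && end <= buf_len;
}

/* Constructed case: a 2560x1600 RGB16 bottom-up image.  The buggy stride puts
 * decomp_buf before the allocation; pixman's own stride (as in the fix) does not. */
static bool rgb16_bottom_up_case(void)
{
    long w = 2560, h = 1600;
    bool buggy_ok = decode_in_bounds(w, h, 16, false, buggy_stride(w, h));
    bool fixed_ok = decode_in_bounds(w, h, 16, false, labs(surface_stride(w, 16)));
    return !buggy_ok && fixed_ok;
}
```

The same model shows why a top-down RGB16 image or a 32-bit image of either orientation does not trip over the old formula: the start offset stays at 0 and the sequential LZ output ends exactly at the end of the allocation.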
Comment 5 Frediano Ziglio 2016-04-14 12:57:51 EDT
Posted a proposed patch at https://lists.freedesktop.org/archives/spice-devel/2016-April/028210.html
Comment 10 errata-xmlrpc 2016-11-03 21:12:38 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

