Bug 505641 - (CVE-2009-3616) CVE-2009-3616 Remote VNC client can cause any QEMU VNC server to crash with a double-free
CVE-2009-3616 Remote VNC client can cause any QEMU VNC server to crash with a...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kvm (Show other bugs)
5.4
All Linux
low Severity medium
: rc
: ---
Assigned To: Eduardo Habkost
Lawrence Lim
: Security
Depends On: 505640 537902 537903
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-12 13:53 EDT by Daniel Berrange
Modified: 2014-03-25 20:58 EDT (History)
15 users (show)

See Also:
Fixed In Version: kvm-83-82.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 505640
Environment:
Last Closed: 2009-09-02 05:33:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
fix use after free. (5.37 KB, patch)
2009-06-16 06:10 EDT, Gerd Hoffmann
no flags Details | Diff
fix more use-after-free cases (1.43 KB, patch)
2009-06-16 08:01 EDT, Gerd Hoffmann
no flags Details | Diff
The two fixes combined into one patch. (6.36 KB, patch)
2009-06-16 08:22 EDT, Gerd Hoffmann
no flags Details | Diff
Delibrarely broken VNC audio client to crash server (1.31 KB, patch)
2009-06-16 09:50 EDT, Daniel Berrange
no flags Details | Diff

  None (edit)
Description Daniel Berrange 2009-06-12 13:53:24 EDT
+++ This bug was initially created as a clone of Bug #505640 +++

Description of problem:
I was attempting the implement the client side of QEMU's VNC extension for capturing audio streams. In doing so I typo'd and sent a uint8_t instead of a uint16_t for one of the fields. QEMU noticed the bogus data, printed a message and then crashed with  double-free memory corruption. It is trivially reproduceable and allows a remote client to crash any QEMU instance running VNC
I'm not sure whether this has security implications or not, so marked this bug security sensitive.


Version-Release number of selected component (if applicable):
qemu-0.10-16.fc11

How reproducible:
Always

Steps to Reproduce:
1. Run QEMU with 

  /usr/bin/qemu -cdrom boot.iso -soundhw ac97 -vnc :5

2. Take a regular VNC client and modify its code to...
3. Send server a SetEncodings message including psuedo-encoding -259
4. Wait for server to send back a framebuffer update with encoding -259
5. Send the following 3 bytes to the server

    255
    1
    0

Actual results:
The server will now crash 
Invalid audio message 1
Msg: 1
*** glibc detected *** /usr/bin/qemu: double free or corruption (out): 0x000000000109e4a0 ***
Missing separate debuginfo for /lib64/libgcc_s.so.1
Try: yum --enablerepo='*-debuginfo' install /usr/lib/debug/.build-id/2d/71efecf2876da5ca07c3b5acf28fe281c96942.debug
======= Backtrace: =========
/lib64/libc.so.6[0x33b0075a26]
/usr/bin/qemu[0x496c83]
/usr/bin/qemu[0x4983da]
/usr/bin/qemu[0x496e8b]
/usr/bin/qemu[0x409572]
/usr/bin/qemu[0x40c59a]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x33b001ea2d]
/usr/bin/qemu[0x406e39]
======= Memory map: ========
00400000-005bc000 r-xp 00000000 fd:00 426968                             /usr/bin/qemu
007bc000-007c1000 rw-p 001bc000 fd:00 426968                             /usr/bin/qemu
007c1000-00b99000 rw-p 007c1000 00:00 0 
00b99000-00b9a000 rwxp 00b99000 00:00 0 
00b9a000-00bb0000 rw-p 00b9a000 00:00 0 
00f68000-010bf000 rw-p 00f68000 00:00 0                                  [heap]
41bfc000-440fc000 rwxp 41bfc000 00:00 0 
33afc00000-33afc1f000 r-xp 00000000 fd:00 408034                         /lib64/ld-2.10.1.so
33afe1e000-33afe1f000 r--p 0001e000 fd:00 408034                         /lib64/ld-2.10.1.so
33afe1f000-33afe20000 rw-p 0001f000 fd:00 408034                         /lib64/ld-2.10.1.so
33b0000000-33b0164000 r-xp 00000000 fd:00 408128                         /lib64/libc-2.10.1.so
33b0164000-33b0364000 ---p 00164000 fd:00 408128                         /lib64/libc-2.10.1.so
33b0364000-33b0368000 r--p 00164000 fd:00 408128                         /lib64/libc-2.10.1.so
33b0368000-33b0369000 rw-p 00168000 fd:00 408128                         /lib64/libc-2.10.1.so
33b0369000-33b036e000 rw-p 33b0369000 00:00 0 
33b0400000-33b0482000 r-xp 00000000 fd:00 844388                         /lib64/libm-2.10.1.so
33b0482000-33b0682000 ---p 00082000 fd:00 844388                         /lib64/libm-2.10.1.so
33b0682000-33b0683000 r--p 00082000 fd:00 844388                         /lib64/libm-2.10.1.so
33b0683000-33b0684000 rw-p 00083000 fd:00 844388                         /lib64/libm-2.10.1.so
33b0800000-33b0802000 r-xp 00000000 fd:00 844364                         /lib64/libdl-2.10.1.so
33b0802000-33b0a02000 ---p 00002000 fd:00 844364                         /lib64/libdl-2.10.1.so
33b0a02000-33b0a03000 r--p 00002000 fd:00 844364                         /lib64/libdl-2.10.1.so
33b0a03000-33b0a04000 rw-p 00003000 fd:00 844364                         /lib64/libdl-2.10.1.so
33b0c00000-33b0c17000 r-xp 00000000 fd:00 844472                         /lib64/libpthread-2.10.1.so
33b0c17000-33b0e16000 ---p 00017000 fd:00 844472                         /lib64/libpthread-2.10.1.so
33b0e16000-33b0e17000 r--p 00016000 fd:00 844472                         /lib64/libpthread-2.10.1.so
33b0e17000-33b0e18000 rw-p 00017000 fd:00 844472                         /lib64/libpthread-2.10.1.so
33b0e18000-33b0e1c000 rw-p 33b0e18000 00:00 0 
33b1000000-33b1015000 r-xp 00000000 fd:00 956376                         /lib64/libz.so.1.2.3
33b1015000-33b1214000 ---p 00015000 fd:00 956376                         /lib64/libz.so.1.2.3
33b1214000-33b1215000 rw-p 00014000 fd:00 956376                         /lib64/libz.so.1.2.3
33b1400000-33b1407000 r-xp 00000000 fd:00 844474                         /lib64/librt-2.10.1.so
33b1407000-33b1606000 ---p 00007000 fd:00 844474                         /lib64/librt-2.10.1.so
33b1606000-33b1607000 r--p 00006000 fd:00 844474                         /lib64/librt-2.10.1.so
33b1607000-33b1608000 rw-p 00007000 fd:00 844474                         /lib64/librt-2.10.1.so
33b1800000-33b181c000 r-xp 00000000 fd:00 408070                         /lib64/libselinux.so.1
33b181c000-33b1a1b000 ---p 0001c000 fd:00 408070                         /lib64/libselinux.so.1
33b1a1b000-33b1a1c000 r--p 0001b000 fd:00 408070                         /lib64/libselinux.so.1
33b1a1c000-33b1a1d000 rw-p 0001c000 fd:00 408070                         /lib64/libselinux.so.1
33b1a1d000-33b1a1e000 rw-p 33b1a1d000 00:00 0 
33b2000000-33b206b000 r-xp 00000000 fd:00 163003                         /usr/lib64/libSDL-1.2.so.0.11.2
33b206b000-33b226a000 ---p 0006b000 fd:00 163003                         /usr/lib64/libSDL-1.2.so.0.11.2
33b226a000-33b226d000 rw-p 0006a000 fd:00 163003                         /usr/lib64/libSDL-1.2.so.0.11.2
33b226d000-33b229d000 rw-p 33b226d000 00:00 0 
33b2800000-33b2804000 r-xp 00000000 fd:00 844273                         /lib64/libcap.so.2.16
33b2804000-33b2a03000 ---p 00004000 fd:00 844273                         /lib64/libcap.so.2.16
33b2a03000-33b2a04000 rw-p 00003000 fd:00 844273                         /lib64/libcap.so.2.16
33b2c00000-33b2c02000 r-xp 00000000 fd:00 427455                         /usr/lib64/libXau.so.6.0.0
33b2c02000-33b2e01000 ---p 00002000 fd:00 427455                         /usr/lib64/libXau.so.6.0.0
33b2e01000-33b2e02000 rw-p 00001000 fd:00 427455                         /usr/lib64/libXau.so.6.0.0
33b3000000-33b301a000 r-xp 00000000 fd:00 430096                         /usr/lib64/libxcb.so.1.1.0
33b301a000-33b321a000 ---p 0001a000 fd:00 430096                         /usr/lib64/libxcb.so.1.1.0
33b321a000-33b321b000 rw-p 0001a000 fd:00 430096                         /usr/lib64/libxcb.so.1.1.0
33b3400000-33b343d000 r-xp 00000000 fd:00 844324                         /lib64/libdbus-1.so.3.4.0
33b343d000-33b363c000 ---p 0003d000 fd:00 844324                         /lib64/libdbus-1.so.3.4.0
33b363c000-33b363d000 r--p 0003c000 fd:00 844324                         /lib64/libdbus-1.so.3.4.0
33b363d000-33b363e000 rw-p 0003d000 fd:00 844324                         /lib64/libdbus-1.so.3.4.0
33b3800000-33b3935000 r-xp 00000000 fd:00 430236                         /usr/lib64/libX11.so.6.2.0
33b3935000-33b3b35000 ---p 00135000 fd:00 430236                         /usr/lib64/libX11.so.6.2.0
33b3b35000-33b3b3b000 rw-p 00135000 fd:00 430236                         /usr/lib64/libX11.so.6.2.0
33b4400000-33b4411000 r-xp 00000000 fd:00 429607                         /usr/lib64/libXext.so.6.4.0
33b4411000-33b4611000 ---p 00011000 fd:00 429607                         /usr/lib64/libXext.so.6.4.0
33b4611000-33b4612000 rw-p 00011000 fd:00 429607                         /usr/lib64/libXext.so.6.4.0
33b5c00000-33b5c15000 r-xp 00000000 fd:00 956393                         /lib64/libresolv-2.10.1.so
33b5c15000-33b5e15000 ---p 00015000 fd:00 956393                         /lib64/libresolv-2.10.1.so
33b5e15000-33b5e16000 r--p 00015000 fd:00 956393                         /lib64/libresolv-2.10.1.so
33b5e16000-33b5e17000 rw-p 00016000 fd:00 956393                         /lib64/libresolv-2.10.1.so
33b5e17000-33b5e19000 rw-p 33b5e17000 00:00 0 
33b6000000-33b6003000 r-xp 00000000 fd:00 864380                         /lib64/libuuid.so.1.2
33b6003000-33b6203000 ---p 00003000 fd:00 864380                         /lib64/libuuid.so.1.2
33b6203000-33b6204000 rw-p 00003000 fd:00 864380                         /lib64/libuuid.so.1.2
33b8400000-33b8419000 r-xp 00000000 fd:00 956383                         /lib64/libgcc_s-4.4.0-20090506.so.1
33b8419000-33b8619000 ---p 00019000 fd:00 956383                         /lib64/libgcc_s-4.4.0-20090506.so.1
33b8619000-33b861a000 rw-p 00019000 fd:00 956383                         /lib64/libgcc_s-4.4.0-20090506.so.1
33ba400000-33ba407000 r-xp 00000000 fd:00 161524                         /usr/lib64/libSM.so.6.0.0
33ba407000-33ba607000 ---p 00007000 fd:00 161524                         /usr/lib64/libSM.so.6.0.0
33ba607000-33ba608000 rw-p 00007000 fd:00 161524                         /usr/lib64/libSM.so.6.0.0
33bac00000-33bac17000 r-xp 00000000 fd:00 158488                         /usr/lib64/libICE.so.6.3.0
33bac17000-33bae17000 ---p 00017000 fd:00 158488                         /usr/lib64/libICE.so.6.3.0
33bae17000-33bae18000 rw-p 00017000 fd:00 158488                         /usr/lib64/libICE.so.6.3.0
33bae18000-33bae1c000 rw-p 33bae18000 00:00 0 
33bc200000-33bc206000 r-xp 00000000 fd:00 431351                         /usr/lib64/libgdbm.so.2.0.0
33bc206000-33bc405000 ---p 00006000 fd:00 431351                         /usr/lib64/libgdbm.so.2.0.0
33bc405000-33bc406000 rw-p 00005000 fd:00 431351                         /usr/lib64/libgdbm.so.2.0.0
33bc600000-33bc608000 r-xp 00000000 fd:00 844403                         /lib64/libwrap.so.0.7.6
33bc608000-33bc807000 ---p 00008000 fd:00 844403                         /lib64/libwrap.so.0.7.6
33bc807000-33bc809000 rw-p 00007000 fd:00 844403                         /lib64/libwrap.so.0.7.6
33bca00000-33bca0e000 r-xp 00000000 fd:00 425528                         /usr/lib64/liblber-2.4.so.2.4.1
33bca0e000-33bcc0e000 ---p 0000e000 fd:00 425528                         /usr/lib64/liblber-2.4.so.2.4.1
33bcc0e000-33bcc0f000 rw-p 0000e000 fd:00 425528                         /usr/lib64/liblber-2.4.so.2.4.1
33bce00000-33bce05000 r-xp 00000000 fd:00 155202                         /usr/lib64/libasyncns.so.0.3.1
33bce05000-33bd004000 ---p 00005000 fd:00 155202                         /usr/lib64/libasyncns.so.0.3.1
33bd004000-33bd005000 rw-p 00004000 fd:00 155202                         /usr/lib64/libasyncns.so.0.3.1
33bd200000-33bd259000 r-xp 00000000 fd:00 158446                         /usr/lib64/libpulsecommon-0.9.15.so
33bd259000-33bd458000 ---p 00059000 fd:00 158446                         /usr/lib64/libpulsecommon-0.9.15.so
33bd458000-33bd45a000 rw-p 00058000 fd:00 158446                         /usr/lib64/libpulsecommon-0.9.15.so
33bd600000-33bd647000 r-xp 00000000 fd:00 427502                         /usr/lib64/libpulse.so.0.8.0
33bd647000-33bd847000 ---p 00047000 fd:00 427502                         /usr/lib64/libpulse.so.0.8.0
33bd847000-33bd849000 rw-p 00047000 fd:00 427502                         /usr/lib64/libpulse.so.0.8.0
33bda00000-33bda2b000 r-xp 00000000 fd:00 162798                         /usr/lib64/libgssapi_krb5.so.2.2
33bda2b000-33bdc2a000 ---p 0002b000 fd:00 162798                         /usr/lib64/libgssapi_krb5.so.2.2
33bdc2a000-33bdc2c000 rw-p 0002a000 fd:00 162798                         /usr/lib64/libgssapi_krb5.so.2.2
33be600000-33be64b000 r-xp 00000000 fd:00 163001                         /usr/lib64/libssl.so.0.9.8k
33be64b000-33be84a000 ---p 0004b000 fd:00 163001                         /usr/lib64/libssl.so.0.9.8k
33be84a000-33be851000 rw-p 0004a000 fd:00 163001                         /usr/lib64/libssl.so.0.9.8k
33bea00000-33bea02000 r-xp 00000000 fd:00 956398                         /lib64/libutil-2.10.1.so
33bea02000-33bec01000 ---p 00002000 fd:00 956398                         /lib64/libutil-2.10.1.so
33bec01000-33bec02000 r--p 00001000 fd:00 956398                         /lib64/libutil-2.10.1.so
33bec02000-33bec03000 rw-p 00002000 fd:00 956398                         /lib64/libutil-2.10.1.so
33bee00000-33bef5d000 r-xp 00000000 fd:00 163000                         /usr/lib64/libcrypto.so.0.9.8k
33bef5d000-33bf15c000 ---p 0015d000 fd:00 163000                         /usr/lib64/libcrypto.so.0.9.8k
33bf15c000-33bf182000 rw-p 0015c000 fd:00 163000                         /usr/lib64/libcrypto.so.0.9.8k
33bf182000-33bf186000 rw-p 33bf182000 00:00 0 
33bf200000-33bf203000 r-xp 00000000 fd:00 956396                         /lib64/libgpg-error.so.0.4.0
33bf203000-33bf402000 ---p 00003000 fd:00 956396                         /lib64/libgpg-error.so.0.4.0
33bf402000-33bf403000 rw-p 00002000 fd:00 956396                         /lib64/libgpg-error.so.0.4.0
33bfa00000-33bfa70000 r-xp 00000000 fd:00 956397                         /lib64/libgcrypt.so.11.5.2
33bfa70000-33bfc6f000 ---p 00070000 fd:00 956397                         /lib64/libgcrypt.so.11.5.2
33bfc6f000-33bfc73000 rw-p 0006f000 fd:00 956397                         /lib64/libgcrypt.so.11.5.2
33c1a00000-33c1a16000 r-xp 00000000 fd:00 844339                         /lib64/libnsl-2.10.1.so
33c1a16000-33c1c16000 ---p 00016000 fd:00 844339                         /lib64/libnsl-2.10.1.so
33c1c16000-33c1c17000 r--p 00016000 fd:00 844339                         /lib64/libnsl-2.10.1.so
33c1c17000-33c1c18000 rw-p 00017000 fd:00 844339                         /lib64/libnsl-2.10.1.so
33c1c18000-33c1c1a000 rw-p 33c1c18000 00:00 0 
33c1e00000-33c1e05000 r-xp 00000000 fd:00 425807                         /usr/lib64/libXtst.so.6.1.0
33c1e05000-33c2005000 ---p 00005000 fd:00 425807                         /usr/lib64/libXtst.so.6.1.0
33c2005000-33c2006000 rw-p 00005000 fd:00 425807                         /usr/lib64/libXtst.so.6.1.0
33c2600000-33c269f000 r-xp 00000000 fd:00 163002                         /usr/lib64/libgnutls.so.26.11.7
33c269f000-33c289f000 ---p 0009f000 fd:00 163002                         /usr/lib64/libgnutls.so.26.11.7
33c289f000-33c28aa000 rw-p 0009f000 fd:00 163002                         /usr/lib64/libgnutls.so.26.11.7
33c2a00000-33c2a10000 r-xp 00000000 fd:00 430214                         /usr/lib64/libtasn1.so.3.1.2
33c2a10000-33c2c10000 ---p 00010000 fd:00 430214                         /usr/lib64/libtasn1.so.3.1.2
33c2c10000-33c2c11000 rw-p 00010000 fd:00 430214                         /usr/lib64/libtasn1.so.3.1.2
33c6a00000-33c6add000 r-xp 00000000 fd:00 956395                         /lib64/libasound.so.2.0.0
33c6add000-33c6cdc000 ---p 000dd000 fd:00 956395                         /lib64/libasound.so.2.0.0
33c6cdc000-33c6ce4000 rw-p 000dc000 fd:00 956395                         /lib64/libasound.so.2.0.0
37f1a00000-37f1a19000 r-xp 00000000 fd:00 157602                         /usr/lib64/libsasl2.so.2.0.22
37f1a19000-37f1c19000 ---p 00019000 fd:00 157602                         /usr/lib64/libsasl2.so.2.0.22
37f1c19000-37f1c1a000 rw-p 00019000 fd:00 157602                         /usr/lib64/libsasl2.so.2.0.22
7f64fc000000-7f64fc021000 rw-p 7f64fc000000 00:00 0 
7f64fc021000-7f6500000000 ---p 7f64fc021000 00:00 0 
7f6501a03000-7f6501a04000 ---p 7f6501a03000 00:00 0 
7f6501a04000-7f6502404000 rw-p 7f6501a04000 00:00 0 
7f6503158000-7f6503159000 rw-p 7f6503158000 00:00 0 
7f6503286000-7f6503327000 rw-p 7f6503286000 00:00 0 
7f6503327000-7f650332a000 r-xp 00000000 fd:00 429437                     /usr/lib64/libdes425.so.3.0
7f650332a000-7f6503529000 ---p 00003000 fd:00 429437                     /usr/lib64/libdes425.so.3.0
7f6503529000-7f650352a000 rw-p 00002000 fd:00 429437                     /usr/lib64/libdes425.so.3.0
7f650352a000-7f6503544000 r-xp 00000000 fd:00 425581                     /usr/lib64/libkrb4.so.2.0
7f6503544000-7f6503744000 ---p 0001a000 fd:00 425581                     /usr/lib64/libkrb4.so.2.0
7f6503744000-7f6503746000 rw-p 0001a000 fd:00 425581                     /usr/lib64/libkrb4.so.2.0
7f6503746000-7f650374b000 rw-p 7f6503746000 00:00 0 
7f650374b000-7f6503751000 r-xp 00000000 fd:00 449066                     /usr/lib64/sasl2/libkerberos4.so.2.0.22
7f6503751000-7f6503950000 ---p 00006000 fd:00 449066                     /usr/lib64/sasl2/libkerberos4.so.2.0.22
7f6503950000-7f6503951000 rw-p 00005000 fd:00 449066                     /usr/lib64/sasl2/libkerberos4.so.2.0.22
7f6503951000-7f6503955000 r-xp 00000000 fd:00 450859                     /usr/lib64/sasl2/libcrammd5.so.2.0.22
7f6503955000-7f6503b55000 ---p 00004000 fd:00 450859                     /usr/lib64/sasl2/libcrammd5.so.2.0.22
7f6503b55000-7f6503b56000 rw-p 00004000 fd:00 450859                     /usr/lib64/sasl2/libcrammd5.so.2.0.22
7f6503b56000-7f6503b9a000 r-xp 00000000 fd:00 161564                     /usr/lib64/libldap-2.4.so.2.4.1
7f6503b9a000-7f6503d99000 ---p 00044000 fd:00 161564                     /usr/lib64/libldap-2.4.so.2.4.1
7f6503d99000-7f6503d9c000 rw-p 00043000 fd:00 161564                     /usr/lib64/libldap-2.4.so.2.4.1
7f6503d9c000-7f6503da0000 r-xp 00000000 fd:00 449078                     /usr/lib64/sasl2/libldapdb.so.2.0.22
7f6503da0000-7f6503f9f000 ---p 00004000 fd:00 449078                     /usr/lib64/sasl2/libldapdb.so.2.0.22
7f6503f9f000-7f6503fa0000 rw-p 00003000 fd:00 449078                     /usr/lib64/sasl2/libldapdb.so.2.0.22
7f6503fa0000-7f6503fa7000 r-xp 00000000 fd:00 449069                     /usr/lib64/sasl2/libgssapiv2.so.2.0.22
7f6503fa7000-7f65041a6000 ---p 00007000 fd:00 449069                     /usr/lib64/sasl2/libgssapiv2.so.2.0.22
7f65041a6000-7f65041a7000 rw-p 00006000 fd:00 449069                     /usr/lib64/sasl2/libgssapiv2.so.2.0.22
7f65041a7000-7f65041ab000 r-xp 00000000 fd:00 450474                     /usr/lib64/sasl2/libplain.so.2.0.22
7f65041ab000-7f65043aa000 ---p 00004000 fd:00 450474                     /usr/lib64/sasl2/libplain.so.2.0.22
7f65043aa000-7f65043ab000 rw-p 00003000 fd:00 450474                     /usr/lib64/sasl2/libplain.so.2.0.22
7f65043ab000-7f65043b3000 r-xp 00000000 fd:00 449072                     /usr/lib64/sasl2/libntlm.so.2.0.22
7f65043b3000-7f65045b2000 ---p 00008000 fd:00 449072                     /usr/lib64/sasl2/libntlm.so.2.0.22
7f65045b2000-7f65045b3000 rw-p 00007000 fd:00 449072                     /usr/lib64/sasl2/libntlm.so.2.0.22
7f65045b3000-7f65045b7000 r-xp 00000000 fd:00 450471                     /usr/lib64/sasl2/liblogin.so.2.0.22
7f65045b7000-7f65047b6000 ---p 00004000 fd:00 450471                     /usr/lib64/sasl2/liblogin.so.2.0.22
7f65047b6000-7f65047b7000 rw-p 00003000 fd:00 450471                     /usr/lib64/sasl2/liblogin.so.2.0.22
7f65047b7000-7f65047b9000 r-xp 00000000 fd:00 956392                     /lib64/libkeyutils-1.2.so
7f65047b9000-7f65049b8000 ---p 00002000 fd:00 956392                     /lib64/libkeyutils-1.2.so
7f65049b8000-7f65049b9000 rw-p 00001000 fd:00 956392                     /lib64/libkeyutils-1.2.so
7f65049b9000-7f65049c2000 r-xp 00000000 fd:00 430940                     /usr/lib64/libkrb5support.so.0.1
7f65049c2000-7f6504bc1000 ---p 00009000 fd:00 430940                     /usr/lib64/libkrb5support.so.0.1
7f6504bc1000-7f6504bc2000 rw-p 00008000 fd:00 430940                     /usr/lib64/libkrb5support.so.0.1
7f6504bc2000-7f6504be6000 r-xp 00000000 fd:00 162060                     /usr/lib64/libk5crypto.so.3.1
7f6504be6000-7f6504de6000 ---p 00024000 fd:00 162060                     /usr/lib64/libk5crypto.so.3.1
7f6504de6000-7f6504de8000 rw-p 00024000 fd:00 162060                     /usr/lib64/libk5crypto.so.3.1
7f6504de8000-7f6504e31000 r-xp 00000000 fd:00 161566                     /usr/lib64/libldap_r-2.4.so.2.4.1
7f6504e31000-7f6505031000 ---p 00049000 fd:00 161566                     /usr/lib64/libldap_r-2.4.so.2.4.1
7f6505031000-7f6505034000 rw-p 00049000 fd:00 161566                     /usr/lib64/libldap_r-2.4.so.2.4.1
7f6505034000-7f6505037000 rw-p 7f6505034000 00:00 0 
7f6505037000-7f650503a000 r-xp 00000000 fd:00 956394                     /lib64/libcom_err.so.2.1
7f650503a000-7f6505239000 ---p 00003000 fd:00 956394                     /lib64/libcom_err.so.2.1
7f6505239000-7f650523a000 rw-p 00002000 fd:00 956394                     /lib64/libcom_err.so.2.1
7f650523a000-7f65052d5000 r-xp 00000000 fd:00 162171                     /usr/lib64/libkrb5.so.3.3
7f65052d5000-7f65054d5000 ---p 0009b000 fd:00 162171                     /usr/lib64/libkrb5.so.3.3
7f65054d5000-7f65054d9000 rw-p 0009b000 fd:00 162171                     /usr/lib64/libkrb5.so.3.3
7f65054d9000-7f65054fb000 r-xp 00000000 fd:00 161620                     /usr/lib64/libpq.so.5.1
7f65054fb000-7f65056fb000 ---p 00022000 fd:00 161620                     /usr/lib64/libpq.so.5.1
7f65056fb000-7f65056fd000 rw-p 00022000 fd:00 161620                     /usr/lib64/libpq.so.5.1
7f65056fd000-7f6505831000 r-xp 00000000 fd:00 2744066                    /usr/lib64/mysql/libmysqlclient.so.16.0.0
7f6505831000-7f6505a30000 ---p 00134000 fd:00 2744066                    /usr/lib64/mysql/libmysqlclient.so.16.0.0
7f6505a30000-7f6505a7d000 rw-p 00133000 fd:00 2744066                    /usr/lib64/mysql/libmysqlclient.so.16.0.0
7f6505a7d000-7f6505a7e000 rw-p 7f6505a7d000 00:00 0 
7f6505a7e000-7f6505a84000 r-xp 00000000 fd:00 449075                     /usr/lib64/sasl2/libsql.so.2.0.22
7f6505a84000-7f6505c83000 ---p 00006000 fd:00 449075                     /usr/lib64/sasl2/libsql.so.2.0.22
7f6505c83000-7f6505c84000 rw-p 00005000 fd:00 449075                     /usr/lib64/sasl2/libsql.so.2.0.22
7f6505c84000-7f6505c88000 r-xp 00000000 fd:00 450216                     /usr/lib64/sasl2/libanonymous.so.2.0.22
7f6505c88000-7f6505e87000 ---p 00004000 fd:00 450216                     /usr/lib64/sasl2/libanonymous.so.2.0.22
7f6505e87000-7f6505e88000 rw-p 00003000 fd:00 450216                     /usr/lib64/sasl2/libanonymous.so.2.0.22
7f6505e88000-7f6505e94000 r-xp 00000000 fd:00 450862                     /usr/lib64/sasl2/libdigestmd5.so.2.0.22
7f6505e94000-7f6506093000 ---p 0000c000 fd:00 450862                     /usr/lib64/sasl2/libdigestmd5.so.2.0.22
7f6506093000-7f6506094000 rw-p 0000b000 fd:00 450862                     /usr/lib64/sasl2/libdigestmd5.so.2.0.22
7f6506094000-7f6506201000 r-xp 00000000 fd:00 844471                     /lib64/libdb-4.7.so
7f6506201000-7f6506400000 ---p 0016d000 fd:00 844471                     /lib64/libdb-4.7.so
7f6506400000-7f6506406000 rw-p 0016c000 fd:00 844471                     /lib64/libdb-4.7.so
7f6506406000-7f650640b000 r-xp 00000000 fd:00 450219                     /usr/lib64/sasl2/libsasldb.so.2.0.22
7f650640b000-7f650660a000 ---p 00005000 fd:00 450219                     /usr/lib64/sasl2/libsasldb.so.2.0.22
7f650660a000-7f650660b000 rw-p 00004000 fd:00 450219                     /usr/lib64/sasl2/libsasldb.so.2.0.22
7f650660b000-7f650660f000 r-xp 00000000 fd:00 844251                     /lib64/libattr.so.1.1.0
7f650660f000-7f650680e000 ---p 00004000 fd:00 844251                     /lib64/libattr.so.1.1.0
7f650680e000-7f650680f000 rw-p 00003000 fd:00 844251                     /lib64/libattr.so.1.1.0
7f650680f000-7f6506813000 r-xp 00000000 fd:00 430687                     /usr/lib64/libpulse-simple.so.0.0.2
7f6506813000-7f6506a12000 ---p 00004000 fd:00 430687                     /usr/lib64/libpulse-simple.so.0.0.2
7f6506a12000-7f6506a13000 rw-p 00003000 fd:00 430687                     /usr/lib64/libpulse-simple.so.0.0.2
7f6506a2d000-7f65120e2000 rw-p 7f6506a2d000 00:00 0 
7f65120e2000-7f65120e7000 r-xp 00000000 fd:00 958096                     /lib64/libnss_dns-2.10.1.so
7f65120e7000-7f65122e6000 ---p 00005000 fd:00 958096                     /lib64/libnss_dns-2.10.1.so
7f65122e6000-7f65122e7000 r--p 00004000 fd:00 958096                     /lib64/libnss_dns-2.10.1.so
7f65122e7000-7f65122e8000 rw-p 00005000 fd:00 958096                     /lib64/libnss_dns-2.10.1.so
7f65122e8000-7f65122f4000 r-xp 00000000 fd:00 958097                     /lib64/libnss_files-2.10.1.so
7f65122f4000-7f65124f3000 ---p 0000c000 fd:00 958097                     /lib64/libnss_files-2.10.1.so
7f65124f3000-7f65124f4000 r--p 0000b000 fd:00 958097                     /lib64/libnss_files-2.10.1.so
7f65124f4000-7f65124f5000 rw-p 0000c000 fd:00 958097                     /lib64/libnss_files-2.10.1.so
7f65124f5000-7f65124f8000 rw-p 7f65124f5000 00:00 0 
7f65124f8000-7f6512551000 r-xp 00000000 fd:00 957313                     /lib64/libfreebl3.so
7f6512551000-7f6512750000 ---p 00059000 fd:00 957313                     /lib64/libfreebl3.so
7f6512750000-7f6512751000 rw-p 00058000 fd:00 957313                     /lib64/libfreebl3.so
7f6512751000-7f6512757000 rw-p 7f6512751000 00:00 0 
7f6512757000-7f651275f000 r-xp 00000000 fd:00 957069                     /lib64/libcrypt-2.10.1.so
7f651275f000-7f651295e000 ---p 00008000 fd:00 957069                     /lib64/libcrypt-2.10.1.so
7f651295e000-7f651295f000 r--p 00007000 fd:00 957069                     /lib64/libcrypt-2.10.1.so
7f651295f000-7f6512960000 rw-p 00008000 fd:00 957069                     /lib64/libcrypt-2.10.1.so
7f6512960000-7f6512993000 rw-p 7f6512960000 00:00 0 
7f65129a6000-7f65129ad000 r--s 00000000 fd:00 472373                     /usr/lib64/gconv/gconv-modules.cache
7f65129ad000-7f65129af000 rw-p 7f65129ad000 00:00 0 
7fff1a999000-7fff1a9ae000 rw-p 7ffffffea000 00:00 0                      [stack]
7fff1a9fe000-7fff1a9ff000 r-xp 7fff1a9fe000 00:00 0                      [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Program received signal SIGABRT, Aborted.
0x00000033b00332f5 in raise () from /lib64/libc.so.6

(gdb) bt
#0  0x00000033b00332f5 in raise () from /lib64/libc.so.6
#1  0x00000033b0034b20 in abort () from /lib64/libc.so.6
#2  0x00000033b007005d in __libc_message () from /lib64/libc.so.6
#3  0x00000033b0075a26 in malloc_printerr () from /lib64/libc.so.6
#4  0x0000000000496c83 in vnc_client_io_error (vs=0x1096020, ret=<value optimized out>, last_errno=<value optimized out>)
    at vnc.c:870
#5  0x00000000004983da in protocol_client_msg (vs=0x1096020, data=0x109e4a0 "\1", len=<value optimized out>)
    at vnc.c:1729
#6  0x0000000000496e8b in vnc_client_read (opaque=<value optimized out>) at vnc.c:1095
#7  0x0000000000409572 in main_loop_wait (timeout=<value optimized out>) at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:3774
#8  0x000000000040c59a in main_loop () at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:3972
#9  main () at /usr/src/debug/qemu-kvm-0.10/qemu/vl.c:6126



Expected results:
Server reports invalid message and drops the client connection

Additional info:
Comment 1 Daniel Berrange 2009-06-12 13:54:05 EDT
I've reproduced this crash on the RHELV/RHEL-5.4 trees too with kvm-83-59.el5ovirt
Comment 2 Dor Laor 2009-06-14 07:41:15 EDT
Let's fix it in future releases. I don't see any security issue since if someone can access the host network it can only crash qemu the most.
Comment 3 Tomas Hoger 2009-06-15 09:40:43 EDT
I believe there are 2 things to consider here:

- This can be an issue in setups where user has VNC console access to the system where (s)he does not have admin privileges.  I believe this VNC crash takes qemu process, hence effectively kills VM.  Given that VNC access is console access, hence allowing things like reboot to single user mode, I presume such access is never granted to any untrusted user, and hence bug only gives sufficiently privileged user yet another way to shoot herself in the foot.

- Is this limited to double-free?  Possible exploitable memory corruptions in this case may need to be treated as possible guest -> host escape.

Does the same affect EL5 Xen's qemu?
Comment 4 Daniel Berrange 2009-06-15 09:55:06 EDT
Agree with point 1, that if a user has VNC console access they can be assumed to be the guest administrator. It was the point 2 that I'm not so sure of yet, so I'm doing a build of QEMU with VNC debugging enabled to figure out the  precise sequence of errors.

RHEL-5 Xen's QEMU is not impacted. It is a much older codebase without the audio capture code present at all.
Comment 5 Daniel Berrange 2009-06-15 10:30:47 EDT
Ok, here's what's going on in QEMU's  vnc.c file

First to clarify my original steps to reproduce. 

When I said to reproduce 

> 5. Send the following 3 bytes to the server
>
>    255
>    1
>    0

You actually need to send one extra byte, where the 4th byte is > 2, eg this will do the trick

    255
    1
    0
    255


When the client message arrives in the server, it invokes:

  static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)



This particular audio extension message gets handled by the last case statement , which expects a u8 followed by a u16. The bug involves sending an unhandled value for the u16 field 


[...snip...]

    case 255:
        if (len == 1)
            return 2;

        switch (read_u8(data, 1)) {
        case 0:
            if (len == 2)
                return 12;

            ext_key_event(vs, read_u16(data, 2),
                          read_u32(data, 4), read_u32(data, 8));
            break;
        case 1:
            if (len == 2)
                return 4;

            switch (read_u16 (data, 2)) {


[...snip...]

            default:
                printf ("Invalid audio message %d\n", read_u8(data, 4));
                vnc_client_error(vs);
                break;
            }
            break;

        default:
            printf("Msg: %d\n", read_u16(data, 0));
            vnc_client_error(vs);
            break;
        }
        break;
    default:
        printf("Msg: %d\n", data[0]);
        vnc_client_error(vs);
        break;
    }

    vnc_read_when(vs, protocol_client_msg, 1);
    return 0;
}


So in this bug, we get the 'Invalid audio message' and then call 'vnc_client_error(vs)'.  This function actually *frees* the 'vs' parameter.

Now protocol_client_msg goes onto call vnc_read_when(vs,...), which scribbles on the just-freed memory. Control returns to vnc_client_read, which reads just-freed memory, and because we didn't reset vs->csock back to -1 after closing the socket, vnc_client_read does another loop iteration, calling back into protocol_client_msg. This causes the second error message on console 'Msg: 0', and then calls vnc_client_error again, resulting in the double free. You can probably exercise other codepaths in protocol_client_msg() with careful choice of data on the wire.

So there are reads & writes to free'd memory, and then the subsequent double-free.
Comment 6 Daniel Berrange 2009-06-15 11:45:46 EDT
This problem appears much much more widespread than just the audio extension. It appears Mark has separately identified countless other scenarios in which a client can crash the server

https://bugzilla.redhat.com/show_bug.cgi?id=501131

this all stems from the recent change to split client & server state out into separate structs. Previously all this usage was safe because the 'vs' object would never be freed.
Comment 7 Gerd Hoffmann 2009-06-16 06:10:22 EDT
Created attachment 348075 [details]
fix use after free.

Can you give it a spin?
Comment 8 Gerd Hoffmann 2009-06-16 08:01:15 EDT
Created attachment 348096 [details]
fix more use-after-free cases

Found a few more places where we have to take care while preparing a version for upstream.
Comment 9 Gerd Hoffmann 2009-06-16 08:22:46 EDT
Created attachment 348099 [details]
The two fixes combined into one patch.
Comment 10 Daniel Berrange 2009-06-16 09:50:58 EDT
Created attachment 348111 [details]
Delibrarely broken VNC audio client to crash server

To reproduce the problem, apply the attached patch, to this commit of gtk-vnc client, rebuild and run its demo client app ./examples/gvncviewer localhost:1 (assuming you have QEMU on localhost:1 too of course)

http://git.gnome.org/cgit/gtk-vnc/commit/?id=6634acb2ccaf01e237fc03ed9f15b25e6f9897b6
Comment 11 Gerd Hoffmann 2009-06-16 10:07:28 EDT
Gives me just a "Invalid audio message 255" on stderr (with patch #9 applied).
No qemu crash, guest continues to run.
Comment 12 Daniel Berrange 2009-06-16 10:13:06 EDT
Try it again. It usually crashes first time for me, but occassionally needs to be run a couple of times, since it is a tiny bit susceptible to kernel schedular variations
Comment 13 Eduardo Habkost 2009-06-18 11:40:25 EDT
As we have a patch, I will propose this for rhel-5.4.0/rhev-2.1, in case it get positive results and reviews.
Comment 20 Daniel Berrange 2009-07-07 07:02:39 EDT
FYI, a much easier way to demonstrate the crash is using the rdesktop program, eg

 rdesktop  hostname:port

It exercises the same basic problem, although not quite the same codepath as my original demo
Comment 21 lihuang 2009-07-07 11:00:36 EDT
using the steps in comment #20. 

reproduce the bug in kvm-83-80.el5  ( host RHEL5u4 beta )
verified in kvm-83-83.el5 

steps :
1. start guest by command : /usr/libexec/qemu-kvm -cdrom ~/boot.iso -vnc :15
2. run ` rdesktop host_ip:15 ` in another terminal.

effect :
1 kvm-83-80.el5 : 
segfault.
(gdb) bt
 #0  qemu_del_timer (ts=0x13f2dd0)
     at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:1191
 #1  0x000000000049336a in vnc_client_io_error (vs=0x1502010, 
     ret=<value optimized out>, last_errno=<value optimized out>) at vnc.c:804
 #2  0x0000000000493a95 in protocol_version (vs=0x1502010, 
     version=<value optimized out>, len=<value optimized out>) at vnc.c:2321
 #3  0x000000000049657b in vnc_client_read (opaque=<value optimized out>)
     at vnc.c:912
 #4  0x00000000004098f2 in main_loop_wait (timeout=<value optimized out>)
     at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:3910
 #5  0x0000000000516eaa in kvm_main_loop ()
     at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/qemu-kvm.c:599
 #6  0x000000000040e415 in main (argc=5, argv=0x7fff47ea1858, 
     envp=<value optimized out>)
     at /usr/src/debug/kvm-83-maint-snapshot-20090205/qemu/vl.c:3967


3 kvm-83-83.el5
# rdesktop 10.66.70.3:5901
Autoselected keyboard map en-us
ERROR: Connection closed

qemu-kvm not crash.
Comment 23 errata-xmlrpc 2009-09-02 05:33:36 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1272.html
Comment 24 Vincent Danen 2009-11-16 13:20:26 EST
This was corrected in upstream qemu 0.11.0, however qemu in Fedora 10 and 11 is still affected by this issue (0.9.1-12.fc10 and 0.10.6-9.fc11 respectively).  So Fedora still requires the fix.

Note You need to log in before you can comment on or make changes to this bug.