Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 855870

Summary: Remote-viewer segfaults during spice migration with SSL when running from cli
Product: Red Hat Enterprise Linux 6 Reporter: Marian Krcmarik <mkrcmari>
Component: spice-gtkAssignee: Marc-Andre Lureau <marcandre.lureau>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: low    
Version: 6.4CC: acathrow, bili, cfergeau, dblechte, lnovich, marcandre.lureau, mjenner, pvine
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spice-gtk-0.20-1.el6 Doc Type: Bug Fix
Doc Text:
No description necessary
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 08:24:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Marian Krcmarik 2012-09-10 13:19:20 UTC 
Description of problem:
Remote-viewer segfaults during spice migration with encrypted channels when It is started from command line. It prevents us to use our SSL migration automated test with remote-viewer connected in autotest framework successfully.

remote-viewer command line:
remote-viewer spice://localhost?tls-port=3002,port=3001 --spice-ca-file=/tmp/spice_x509d/ca-cert.pem  --spice-host-subject="C=CZ,L=BRNO,O=SPICE,CN=my Server"

source qemu command line:
/usr/libexec/qemu-kvm -m 1024 -smp 1 -vga qxl -enable-kvm -spice port=3001,tls-port=3002,password=123,x509-dir=/tmp/spice_x509d/,x509-key-password=testPassPhrase,tls-channel=inputs -device virtio-serial-pci,id=virtio-serial0,bus=pci.0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device AC97 /dev/rootvg/Windows7_test -monitor stdio

qemu monitor commands fro migrating:
__com.redhat_spice_migrate_info localhost 3011 3012 "C=CZ,L=BRNO,O=SPICE,CN=my Server"
migrate -d tcp:0:5811

From gdb:
Program received signal SIGSEGV, Segmentation fault.
SSL_write (s=0x0, buf=0x1ce1c08, num=6) at ssl_lib.c:974
974		if (s->handshake_func == 0)
(gdb) thread apply all bt

Thread 1 (Thread 0x7f12afeb8940 (LWP 26674)):
#0  SSL_write (s=0x0, buf=0x1ce1c08, num=6) at ssl_lib.c:974
#1  0x000000379aa17363 in spice_channel_flush_wire (channel=<value optimized out>, data=
    0x1ce1c08, datalen=6) at spice-channel.c:766
#2  0x000000379aa17558 in spice_channel_write (channel=0x1c64040 [SpiceMainChannel], 
    data=<value optimized out>, len=<value optimized out>) at spice-channel.c:843
#3  0x000000379aa17d67 in spice_channel_write_msg (channel=<value optimized out>, out=
    0x1cbed20) at spice-channel.c:869
#4  0x000000379aa1ae3e in spice_channel_iterate_write (channel=
    0x1c64040 [SpiceMainChannel]) at spice-channel.c:1983
#5  0x000000379aa18ff1 in spice_channel_iterate (data=0x1c64040) at spice-channel.c:2044
#6  spice_channel_coroutine (data=0x1c64040) at spice-channel.c:2225
#7  0x000000379aa3f72b in coroutine_trampoline (cc=0x1c640f8) at coroutine_ucontext.c:56
#8  0x000000379aa3f6e3 in continuation_trampoline (i0=<value optimized out>, 
    i1=<value optimized out>) at continuation.c:49
#9  0x00000037b4643630 in ?? () from /lib64/libc.so.6
#10 0x0000000001c644c0 in ?? ()
#11 0x0000000000000000 in ?? ()

Version-Release number of selected component (if applicable):
All RHEL6.3 packages
As well as on latest:
spice-gtk-0.13.29-1.el6.x86_64
virt-viewer-0.5.2-10.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Start qemu-kvm istance with SSL support.
2. Start remote-viewer from command line and successfully connect to the guest.
3. Migrate
  
Actual results:
Segfault of remote-viewer

Expected results:
No segfault

Additional info:
it does not happen without SSL or with spicec and SSL
Comment 2 Marian Krcmarik 2012-09-11 08:42:50 UTC 
*** Bug 856068 has been marked as a duplicate of this bug. ***
Comment 3 Marc-Andre Lureau 2012-10-17 09:36:14 UTC 
Can you reproduce with current rhel? spice-gtk 0.14-3 & virt-viewer 0.5.2-13? (I can't)
Comment 4 Marian Krcmarik 2012-10-17 12:12:39 UTC 
(In reply to comment #3)
> Can you reproduce with current rhel? spice-gtk 0.14-3 & virt-viewer
> 0.5.2-13? (I can't)

Yes I can, I'll attach certs I am using, otherwise everything is valid as described in description which means:

1 Running a qemu like:
/usr/libexec/qemu-kvm -m 1024 -smp 1 -vga qxl -enable-kvm -spice port=3001,tls-port=3002,password=123,x509-dir=/tmp/spice_x509d/,x509-key-password=testPassPhrase,tls-channel=inputs -device virtio-serial-pci,id=virtio-serial0,bus=pci.0 -chardev spicevmc,id=charchannel0,name=vdagent -device virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0 -device AC97 /dev/rootvg/Windows7_test -monitor stdio

2. Connecting to the guest like:
remote-viewer spice://localhost?tls-port=3002,port=3001 --spice-ca-file=/tmp/spice_x509d/ca-cert.pem  --spice-host-subject="C=CZ,L=BRNO,O=SPICE,CN=my Server"

3. Starting destionation qemu.

4. Migrating:
__com.redhat_spice_migrate_info localhost 3011 3012 "C=CZ,L=BRNO,O=SPICE,CN=my Server"
migrate -d tcp:0:5811
Comment 9 Marc-Andre Lureau 2012-10-18 10:41:16 UTC 
I am afraid I really can't reproduce the issue. I am using the same cert, same command line argument and monitor command, with

spice-server-0.12.0-1.el6.x86_64
qemu-kvm-0.12.1.2-2.325.el6.x86_64
spice-gtk-0.14-3.el6.x86_64
virt-viewer-0.5.2-14.el6.x86_64
Comment 10 Marc-Andre Lureau 2012-10-18 10:42:45 UTC 
please provide full log of both qemu instance and remote-viewer with G_MESSAGES_DEBUG=all SPICE_DEBUG=1
Comment 11 Marc-Andre Lureau 2012-10-18 10:47:09 UTC 
I just noticed that the spice server is not checking password when using cert, I will try to dig in that direction
Comment 12 Marc-Andre Lureau 2012-10-18 10:52:05 UTC 
(In reply to comment #11)
> I just noticed that the spice server is not checking password when using
> cert, I will try to dig in that direction

ok, my bad, I had disable-ticketing...
- we should error out if both disable-ticketing and password arguments are given
- now remote-viewer crashes immediately with double free error!
Comment 13 Christophe Fergeau 2012-10-18 11:26:16 UTC 
remote-viewer has this known double-free related to setting the SPICE ticket, dunno if that's is what you are experiencing https://bugzilla.redhat.com/show_bug.cgi?id=867248
Comment 14 Marc-Andre Lureau 2012-10-18 12:07:56 UTC 
(In reply to comment #13)
> remote-viewer has this known double-free related to setting the SPICE
> ticket, dunno if that's is what you are experiencing
> https://bugzilla.redhat.com/show_bug.cgi?id=867248

even with that double-free reverted, I still can't reproduce the crash.

Please Marian, provide additional informations as requested.
Comment 16 RHEL Program Management 2012-12-14 08:46:27 UTC 
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 18 Marc-Andre Lureau 2013-02-20 16:33:23 UTC 
I couldn't reproduce because the command line for virt-viewer was using "," instead of "&", so in fact, all the channels were connected in tls, and after migration, switched to plain connection.

This triggers a code path that crash ultimately in SSL_write (s=0x0...), all we need to do is swap the channel tls state.

patch sent to ML
Comment 19 Marc-Andre Lureau 2013-02-20 17:10:20 UTC 
also it would be nice to warn if URI parsing is invalid, patch on the ML
Comment 28 errata-xmlrpc 2013-11-21 08:24:47 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1577.html