Bug 997932 - using terminus console fonts with spice causes qemu to segfault
using terminus console fonts with spice causes qemu to segfault
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: spice (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Christophe Fergeau
Fedora Extras Quality Assurance
:
: 1025382 (view as bug list)
Depends On:
Blocks: 1003883
  Show dependency treegraph
 
Reported: 2013-08-16 10:34 EDT by Zing
Modified: 2015-02-18 06:04 EST (History)
19 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1003883 (view as bug list)
Environment:
Last Closed: 2015-02-18 06:04:46 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
gdb trace of qemu process (4.42 KB, text/plain)
2013-08-16 11:31 EDT, Zing
no flags Details

  None (edit)
Description Zing 2013-08-16 10:34:53 EDT
Running "setfont ter-118n" causes the qemu-kvm vm to immediately crash/shutdown and go into an "offline" state.  It only seems to be associated with the terminus fonts as I can use other console fonts ok, i.e. other lat2 sizes.

Version-Release number of selected component (if applicable):
qemu-1.4.2-5.fc19.x86_64
kernel-3.10.6-200.fc19.x86_64
virt-manager-0.10.0-1.fc19.noarch
terminus-fonts-console-4.36-4.fc19.noarch

How reproducible:
always

Steps to Reproduce:
1. install f19 into a qemu-kvm vm
2. install terminus fonts
3. run "setfont ter-118n"

Actual results:
crash/shutdown of vm

Expected results:
console font changed to terminus font

Additional info:
Not sure if this is the right component but starting here.  Outside of the kvm, I can change my console font to terminus fine.
Comment 1 Richard W.M. Jones 2013-08-16 11:11:49 EDT
I cannot reproduce this with a Fedora 20 guest on a Fedora 19 host.

Can you get a core dump / stack trace from qemu?  That's really
what we need here.
Comment 2 Zing 2013-08-16 11:31:09 EDT
Created attachment 787342 [details]
gdb trace of qemu process
Comment 3 Zing 2013-08-16 11:31:39 EDT
Here's a backtrace of the qemu process just after I run setfont.  Hope this helps. If there's more I can do, let me know and I can attempt it.  (strange... this crash also happens with me with a Fedora 20 guest)
Comment 4 Richard W.M. Jones 2013-08-16 11:33:47 EDT
Ah right, you're using spice (I'm using VNC).
Comment 5 Richard W.M. Jones 2013-08-16 11:37:08 EDT
The error that spice tries to emit just before the crash is:

red_parse_qxl.c:359: image stride too small for width: %d < ((%d * %d + 7) / 8) (%s=%d)

(the values are lost)
Comment 6 Hans de Goede 2013-08-26 04:34:49 EDT
Re-assigning this to Yonith, who probably knows this part of the code the best.
Comment 7 Yonit Halperin 2013-08-28 13:35:04 EDT
The bug is guest driver related: a DRAW_COPY command includes a bitmap with format SPICE_BITMAP_FMT_1BIT, width=10, and stride=1. The stride should be at least 2.
I'm moving the bug to qxl.
Comment 8 Richard W.M. Jones 2013-08-28 13:55:24 EDT
(In reply to Yonit Halperin from comment #7)
> The bug is guest driver related: a DRAW_COPY command includes a bitmap with
> format SPICE_BITMAP_FMT_1BIT, width=10, and stride=1. The stride should be
> at least 2.
> I'm moving the bug to qxl.

Hang on, the spice server on the host should *never* crash, even
if the X server in the guest sends bogus rubbish.
Comment 9 Richard W.M. Jones 2013-08-28 13:55:54 EDT
Also, the bug happens in the console.  How is X involved here?
Comment 10 Alon Levy 2013-08-28 14:46:09 EDT
Yonit,

 First I agree with Richard, we need to fix the server too - we should never crash. Second it's probaby the kernel driver, since X is not involved. So I suggest to clone this bug, and assign this one to the spice server and the clone to the kernel. You can assign me to the kernel one.

Alon
Comment 11 Daniel Berrange 2013-08-29 05:20:49 EDT
Yes, this bug is about stopping SPICE from crashing QEMU when the guest does something bad. If there's a bug in Xorg qxl driver that is triggering the host QEMU / SPICE crash that needs to be dealt with separately.
Comment 12 Uri Lublin 2013-09-03 08:24:20 EDT
A patch that fixes the issue is now committed in upstream spice git
http://cgit.freedesktop.org/spice/spice/commit/?id=eb09c25c628b5baba069aba3ff72ea71917f533f
Comment 13 Richard W.M. Jones 2013-09-03 09:03:33 EDT
There are 93 other calls to spice_error.  Are you sure none
of them can ever be triggered by client code?

To pick one of these at random:

static void qxl_process_cursor(RedWorker *worker, RedCursorCmd *cursor_cmd, uint32_t group_id)
{
    CursorItem *cursor_item;
    int cursor_show = FALSE;

    cursor_item = get_cursor_item(worker, cursor_cmd, group_id);

    switch (cursor_cmd->type) {
    case QXL_CURSOR_SET:
[...]
        break;
    case QXL_CURSOR_MOVE:
[...]
        break;
    case QXL_CURSOR_HIDE:
[...]
        break;
    case QXL_CURSOR_TRAIL:
[...]
        break;
    default:
        spice_error("invalid cursor command %u", cursor_cmd->type);
    }

cursor_cmd->type is an 8 bit unsigned int.  Doesn't it get passed from
the guest (via get_virt)?  What if the guest passes an unexpected
value here?
Comment 14 Uri Lublin 2013-09-03 10:18:11 EDT
(In reply to Richard W.M. Jones from comment #13)
> There are 93 other calls to spice_error.  Are you sure none
> of them can ever be triggered by client code?

I did not go over all spice_error calls, only the one hit by this bug.
Christophe replaced some more spice_error calls with spice_warning.

Likely, some of the remaining spice_error calls are triggered by bad values from the client/driver.
Those remaining calls should be reviewed and handled if found problematic.
Comment 15 Marc-Andre Lureau 2013-09-03 10:30:13 EDT
(In reply to Richard W.M. Jones from comment #13)
> There are 93 other calls to spice_error.  Are you sure none
> of them can ever be triggered by client code?
> 
> To pick one of these at random:
> 
> static void qxl_process_cursor(RedWorker *worker, RedCursorCmd *cursor_cmd,
> uint32_t group_id)
> {
>     CursorItem *cursor_item;
>     int cursor_show = FALSE;
> 
>     cursor_item = get_cursor_item(worker, cursor_cmd, group_id);
> 
>     switch (cursor_cmd->type) {
>     case QXL_CURSOR_SET:
> [...]
>         break;
>     case QXL_CURSOR_MOVE:
> [...]
>         break;
>     case QXL_CURSOR_HIDE:
> [...]
>         break;
>     case QXL_CURSOR_TRAIL:
> [...]
>         break;
>     default:
>         spice_error("invalid cursor command %u", cursor_cmd->type);
>     }
> 
> cursor_cmd->type is an 8 bit unsigned int.  Doesn't it get passed from
> the guest (via get_virt)?  What if the guest passes an unexpected
> value here?

this will very likely abort(). There are tons of way to make the server code abort() from misbehaving client, but I was told we wanted that by default.I managed to convince to have runtime flag SPICE_ABORT_LEVEL to change that behaviour, but the server code is roted in its roots, and there are countless ways to make the server abort or simply crash. Few of us really focused on improving the current server code base...
Comment 18 Christophe Fergeau 2013-09-04 06:17:19 EDT
(In reply to Uri Lublin from comment #14)
> (In reply to Richard W.M. Jones from comment #13)
> > There are 93 other calls to spice_error.  Are you sure none
> > of them can ever be triggered by client code?
> 
> I did not go over all spice_error calls, only the one hit by this bug.
> Christophe replaced some more spice_error calls with spice_warning.

Fwiw, I only looked at the other spice_error() in the same file as that one (red_parse_qxl.c), while feeling bad at the same time not to go over more of these...
Comment 19 Zing 2013-10-31 14:23:07 EDT
*** Bug 1025382 has been marked as a duplicate of this bug. ***
Comment 20 Cole Robinson 2013-12-17 15:45:09 EST
Doesn't look like this is in fedora yet. Maybe time for another upstream spice bugfix release?
Comment 21 Fedora Admin XMLRPC Client 2014-03-17 05:26:16 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 22 Fedora End Of Life 2015-01-09 17:27:23 EST
This message is a notice that Fedora 19 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 19. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained. Approximately 4 (four) weeks from now this bug will
be closed as EOL if it remains open with a Fedora 'version' of '19'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 19 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 23 Fedora End Of Life 2015-02-18 06:04:46 EST
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.