debcrafters-packages team mailing list archive

Thread
Date
[Bug 2122660] [NEW] gnome-remote-desktop-daemon crashes with SIGSEGV in libei ei_ref() during RDP connection

To: debcrafters-packages@xxxxxxxxxxxxxxxxxxx
From: hsk <2122660@xxxxxxxxxxxxxxxxxx>
Date: Fri, 12 Sep 2025 10:13:57 -0000
Reply-to: Bug 2122660 <2122660@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Public bug reported:

Title: gnome-remote-desktop-daemon crashes with SIGSEGV in libei
ei_ref() during RDP connection

=== SUMMARY ===
gnome-remote-desktop-daemon crashes repeatedly with segmentation fault when attempting RDP connections.
The crash occurs in the libei library's ei_ref function, causing the service to restart multiple times.

=== ENVIRONMENT ===
Ubuntu Version: 25.10 (Questing Quokka) development branch
Kernel: Linux 6.16.0-16-generic x86_64
Architecture: x86_64

Package Versions:
- gnome-remote-desktop: 49~rc-0ubuntu1
- libei1: 1.3.901-1
- libeis1: 1.3.901-1
- libfreerdp3-3: 3.16.0+dfsg-2
- libfreerdp-server3-3: 3.16.0+dfsg-2
- pipewire: 1.4.7-3ubuntu2
- libglib2.0-0: 2.85.3-1

=== STEPS TO REPRODUCE ===
1. Install Ubuntu 25.10 (Questing Quokka development branch)
2. Enable Remote Desktop via GNOME Settings (Sharing -> Remote Desktop)
3. Set up RDP with username/password authentication
4. Attempt to connect via RDP client from another machine (Windows/Linux)
5. Connection attempt triggers crash

=== EXPECTED BEHAVIOR ===
RDP connection should be established successfully without crashes.

=== ACTUAL BEHAVIOR ===
- gnome-remote-desktop-daemon crashes with SIGSEGV
- systemd restarts the service repeatedly (restart counter reached 5)
- RDP connections fail to establish
- Service shows "Process 189183 (gnome-remote-de) of user 985 dumped core"

=== ERROR MESSAGES ===
Before crash:
- "Init TPM credentials failed because No TPM device found, using GKeyFile as fallback"
- "[WARN][com.freerdp.api] - [peer_unexpected_client_message]: Unexpected client message in state CONNECTION_STATE_FINALIZATION_FONT_LIST, missing flag FINALIZE_CS_FONT_LIST_PDU [0x00000100]"
- "[ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail"
- "[ERROR][com.freerdp.core.transport] - BIO_should_retry returned an error: error:80000020:system library::Broken pipe"

=== COMPLETE STACK TRACE ===
Main thread (Thread 189183) - CRASHED HERE:
#0  0x00007895e4086fd4 ei_ref (libei.so.1 + 0x6fd4)
#1  0x00007895e408b2ac ei_new_ping (libei.so.1 + 0xb2ac)
#2  0x00005aed2f022bf6 n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x59bf6)
#3  0x00005aed2f022d4f n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x59d4f)
#4  0x00007895e4249b7b n/a (libglib-2.0.so.0 + 0x60b7b)
#5  0x00007895e424b1b7 n/a (libglib-2.0.so.0 + 0x621b7)
#6  0x00007895e424b3a3 g_main_context_iteration (libglib-2.0.so.0 + 0x623a3)
#7  0x00007895e3ef1f2d g_application_run (libgio-2.0.so.0 + 0xf1f2d)
#8  0x00005aed2efe415d n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x1b15d)
#9  0x00007895e262a5b5 __libc_start_call_main (libc.so.6 + 0x2a5b5)
#10 0x00007895e262a668 __libc_start_main_impl (libc.so.6 + 0x2a668)
#11 0x00005aed2efe4365 n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x1b365)

Other threads (RDP worker threads):
Multiple threads (203907-203920) in libwinpr3/libfreerdp3 waiting on WaitForMultipleObjectsEx/poll
Thread 203920 also shows gnome-remote-desktop-daemon offset 0x77663

=== LOADED MODULES ===
Key modules involved in crash:
- /usr/libexec/gnome-remote-desktop-daemon
- libei.so.1 (Emulated Input client library)
- libeis.so.1 (Emulated Input server library)
- libfreerdp3.so.3 (FreeRDP library)
- libfreerdp-server3.so.3 (FreeRDP server library)
- libwinpr3.so.3 (Windows Portable Runtime)
- libglib-2.0.so.0
- libgio-2.0.so.0
- libpipewire-0.3.so.0

=== ANALYSIS ===
The crash occurs in libei's ei_ref() function, which is part of the reference counting mechanism.
This appears to be triggered during RDP connection negotiation, specifically when handling input emulation.
The crash happens in the main event loop while processing ei_new_ping, suggesting a possible:
1. Use-after-free in libei reference counting
2. NULL pointer dereference in ei_ref
3. Race condition between RDP connection threads and libei initialization

=== ADDITIONAL INFORMATION ===
- Service configuration shows it runs with --system flag
- Multiple RDP threads are active at crash time
- The crash is reproducible across multiple connection attempts
- No TPM device available (fallback to GKeyFile)

=== WORKAROUND ===
Currently no known workaround. Service keeps crashing on RDP connection attempts.

=== SEVERITY ===
High - Complete service failure, prevents remote desktop functionality

=== FREQUENCY ===
Always reproducible when attempting RDP connection

=== REGRESSION ===
Unknown - This is on Ubuntu 25.10 development branch with gnome-remote-desktop 49~rc
Previous stable versions not tested

=== FILES ===
Core dump available: Process 189183 (gnome-remote-de) of user 985
Journal logs: Available via journalctl -u gnome-remote-desktop.service

---
Reporter: User via Claude Code assistant
Date: 2025-09-12⏎

** Affects: gnome-remote-desktop (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: crash gnome-remote-desktop libei questing rdp

** Attachment added: "gnome-remote-desktop.bug"
   https://bugs.launchpad.net/bugs/2122660/+attachment/5908641/+files/gnome-remote-desktop.bug

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to gnome-remote-desktop in
Ubuntu.
https://bugs.launchpad.net/bugs/2122660

Title:
  gnome-remote-desktop-daemon crashes with SIGSEGV in libei ei_ref()
  during RDP connection

Status in gnome-remote-desktop package in Ubuntu:
  New

Bug description:
  Title: gnome-remote-desktop-daemon crashes with SIGSEGV in libei
  ei_ref() during RDP connection

  === SUMMARY ===
  gnome-remote-desktop-daemon crashes repeatedly with segmentation fault when attempting RDP connections.
  The crash occurs in the libei library's ei_ref function, causing the service to restart multiple times.

  === ENVIRONMENT ===
  Ubuntu Version: 25.10 (Questing Quokka) development branch
  Kernel: Linux 6.16.0-16-generic x86_64
  Architecture: x86_64

  Package Versions:
  - gnome-remote-desktop: 49~rc-0ubuntu1
  - libei1: 1.3.901-1
  - libeis1: 1.3.901-1
  - libfreerdp3-3: 3.16.0+dfsg-2
  - libfreerdp-server3-3: 3.16.0+dfsg-2
  - pipewire: 1.4.7-3ubuntu2
  - libglib2.0-0: 2.85.3-1

  === STEPS TO REPRODUCE ===
  1. Install Ubuntu 25.10 (Questing Quokka development branch)
  2. Enable Remote Desktop via GNOME Settings (Sharing -> Remote Desktop)
  3. Set up RDP with username/password authentication
  4. Attempt to connect via RDP client from another machine (Windows/Linux)
  5. Connection attempt triggers crash

  === EXPECTED BEHAVIOR ===
  RDP connection should be established successfully without crashes.

  === ACTUAL BEHAVIOR ===
  - gnome-remote-desktop-daemon crashes with SIGSEGV
  - systemd restarts the service repeatedly (restart counter reached 5)
  - RDP connections fail to establish
  - Service shows "Process 189183 (gnome-remote-de) of user 985 dumped core"

  === ERROR MESSAGES ===
  Before crash:
  - "Init TPM credentials failed because No TPM device found, using GKeyFile as fallback"
  - "[WARN][com.freerdp.api] - [peer_unexpected_client_message]: Unexpected client message in state CONNECTION_STATE_FINALIZATION_FONT_LIST, missing flag FINALIZE_CS_FONT_LIST_PDU [0x00000100]"
  - "[ERROR][com.freerdp.api] - [peer_recv_callback_internal]: CONNECTION_STATE_NEGO - rdp_server_accept_nego() fail"
  - "[ERROR][com.freerdp.core.transport] - BIO_should_retry returned an error: error:80000020:system library::Broken pipe"

  === COMPLETE STACK TRACE ===
  Main thread (Thread 189183) - CRASHED HERE:
  #0  0x00007895e4086fd4 ei_ref (libei.so.1 + 0x6fd4)
  #1  0x00007895e408b2ac ei_new_ping (libei.so.1 + 0xb2ac)
  #2  0x00005aed2f022bf6 n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x59bf6)
  #3  0x00005aed2f022d4f n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x59d4f)
  #4  0x00007895e4249b7b n/a (libglib-2.0.so.0 + 0x60b7b)
  #5  0x00007895e424b1b7 n/a (libglib-2.0.so.0 + 0x621b7)
  #6  0x00007895e424b3a3 g_main_context_iteration (libglib-2.0.so.0 + 0x623a3)
  #7  0x00007895e3ef1f2d g_application_run (libgio-2.0.so.0 + 0xf1f2d)
  #8  0x00005aed2efe415d n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x1b15d)
  #9  0x00007895e262a5b5 __libc_start_call_main (libc.so.6 + 0x2a5b5)
  #10 0x00007895e262a668 __libc_start_main_impl (libc.so.6 + 0x2a668)
  #11 0x00005aed2efe4365 n/a (/usr/libexec/gnome-remote-desktop-daemon + 0x1b365)

  Other threads (RDP worker threads):
  Multiple threads (203907-203920) in libwinpr3/libfreerdp3 waiting on WaitForMultipleObjectsEx/poll
  Thread 203920 also shows gnome-remote-desktop-daemon offset 0x77663

  === LOADED MODULES ===
  Key modules involved in crash:
  - /usr/libexec/gnome-remote-desktop-daemon
  - libei.so.1 (Emulated Input client library)
  - libeis.so.1 (Emulated Input server library)
  - libfreerdp3.so.3 (FreeRDP library)
  - libfreerdp-server3.so.3 (FreeRDP server library)
  - libwinpr3.so.3 (Windows Portable Runtime)
  - libglib-2.0.so.0
  - libgio-2.0.so.0
  - libpipewire-0.3.so.0

  === ANALYSIS ===
  The crash occurs in libei's ei_ref() function, which is part of the reference counting mechanism.
  This appears to be triggered during RDP connection negotiation, specifically when handling input emulation.
  The crash happens in the main event loop while processing ei_new_ping, suggesting a possible:
  1. Use-after-free in libei reference counting
  2. NULL pointer dereference in ei_ref
  3. Race condition between RDP connection threads and libei initialization

  === ADDITIONAL INFORMATION ===
  - Service configuration shows it runs with --system flag
  - Multiple RDP threads are active at crash time
  - The crash is reproducible across multiple connection attempts
  - No TPM device available (fallback to GKeyFile)

  === WORKAROUND ===
  Currently no known workaround. Service keeps crashing on RDP connection attempts.

  === SEVERITY ===
  High - Complete service failure, prevents remote desktop functionality

  === FREQUENCY ===
  Always reproducible when attempting RDP connection

  === REGRESSION ===
  Unknown - This is on Ubuntu 25.10 development branch with gnome-remote-desktop 49~rc
  Previous stable versions not tested

  === FILES ===
  Core dump available: Process 189183 (gnome-remote-de) of user 985
  Journal logs: Available via journalctl -u gnome-remote-desktop.service

  ---
  Reporter: User via Claude Code assistant
  Date: 2025-09-12⏎

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-remote-desktop/+bug/2122660/+subscriptions