group.of.nepali.translators team mailing list archive
Message #23498
[Bug 1705743] Re: qemu-system-x86 crashes when VNC connection is established
This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.26
---------------
qemu (1:2.5+dfsg-5ubuntu10.26) xenial; urgency=medium
* d/p/ubuntu/lp-1705743-fix-vnc-crash.patch: fix crash when using long or
invalid vnc connection setups (LP: #1705743)
-- Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> Mon, 23 Apr 2018 10:18:51 +0200
** Changed in: qemu (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1705743
Title:
qemu-system-x86 crashes when VNC connection is established
Status in qemu package in Ubuntu:
Fix Released
Status in qemu source package in Xenial:
Fix Released
Bug description:
[Impact]
* Some less common VNC configurations (e.g. very long names, but also potentially various other cases that make vnc_init_basic_info_from_server_addr fail) will lead to random data (after alloc) in a struct that will then be used in calls (e.g. to free).
* The fix would avoid hard crashes (due to freeing random or null pointers) in the qemu of xenial.
[Test Case]
* To trigger the issue you can use e.g. a very long vnc string.
Console 1
$ mkdir /tmp/service
$ qemu-system-x86_64 -enable-kvm -vnc unix:/tmp/service/../service/../service/../service/vnc-sock
Console 2
$ socat - UNIX:/tmp/service/vnc-sock
[Regression Potential]
* I'd consider the regression potential very low for the following reasons:
- small change (easier to review)
- changing alloc to zeroing alloc (to avoid random data in struct)
- the change is from upstream and quite old without being reverted or post-fixed
* What could happen?
Overall, due to the change now just initializing memory, the only regression I could think of would be something that required !=0 content and worked all the time by accident (since random data has so many chances to be !=0 but only one to be =0), but TBH I can't think of such an issue in that area of the code.
[Other Info]
* pre testable in ppa https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3245
The following minimal test case crashes qemu-system-i386 on an amd64 host:
qemu-system-i386 -name test -nodefconfig -no-user-config -nodefaults -sandbox off -machine none -m 256 -balloon none -no-acpi -parallel none -vga virtio -display "vnc=unix:vnc.socket" -boot menu=on
and open the connection (not even a real VNC client is needed):
socat - UNIX:vnc.socket
Result:
*** Error in `qemu-system-i386': free(): invalid pointer: 0x00007fbad024eb78 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fbacff017e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fbacff0a37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fbacff0e53c]
qemu-system-i386(+0x4a630d)[0x56145bd6930d]
qemu-system-i386(visit_type_VncServerInfo+0xa2)[0x56145bd7b342]
qemu-system-i386(qapi_free_VncServerInfo+0x30)[0x56145bd68910]
qemu-system-i386(+0x4358fa)[0x56145bcf88fa]
qemu-system-i386(+0x43aa03)[0x56145bcfda03]
qemu-system-i386(+0x43abe5)[0x56145bcfdbe5]
qemu-system-i386(aio_dispatch+0x68)[0x56145bd1f9e8]
qemu-system-i386(+0x44fcce)[0x56145bd12cce]
/lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x2a7)[0x7fbad0be2197]
...
$ lsb_release -rd
Description: Ubuntu 16.04.2 LTS
Release: 16.04
$ apt-cache policy qemu-system-x86
qemu-system-x86:
Installed: 1:2.5+dfsg-5ubuntu10.14
Candidate: 1:2.5+dfsg-5ubuntu10.14
Version table:
*** 1:2.5+dfsg-5ubuntu10.14 500
500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
500 http://archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages
100 /var/lib/dpkg/status
1:2.5+dfsg-5ubuntu10 500
500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
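The mechanism described under [Impact] and visible in the backtrace above (qapi_free_VncServerInfo called on a struct whose members were never written), as an added C example written for this page, not code from QEMU's ui/vnc.c: a struct of heap-owned string members is allocated, an init step that may fail early leaves some members untouched, and a generic "free every member" routine then hands whatever bytes are in those slots to free(). The struct layout, the MAX_PATH_LEN limit that makes the init step fail for a long socket path, and the 0xAA poison fill that stands in for recycled heap contents are all constructed for the demo; real malloc() contents are unspecified. The demo detects the poison pointer and returns -1 instead of actually freeing it, since that free() is the crash on the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative stand-in for a QAPI-style struct with several heap-owned
 * members. Not QEMU's real VncServerInfo layout. */
typedef struct {
    char *host;
    char *service;
    char *auth;
} ServerInfo;

#define POISON_BYTE  0xAA   /* constructed: mimics stale heap contents */
#define MAX_PATH_LEN 32     /* constructed: makes long paths fail init */

/* malloc() whose returned block is filled with a recognisable pattern,
 * standing in for recycled heap memory. Real malloc() gives unspecified
 * contents; this makes the hazard deterministic and visible. */
static void *malloc_poisoned(size_t n)
{
    void *p = malloc(n);
    if (p) {
        memset(p, POISON_BYTE, n);
    }
    return p;
}

/* Stand-in for vnc_init_basic_info_from_server_addr(): on the error path
 * it returns before writing host/service, exactly like an init routine
 * that fails before populating the struct. */
static int init_basic_info(ServerInfo *info, const char *sock_path)
{
    if (strlen(sock_path) > MAX_PATH_LEN) {
        return -1;              /* error path: host/service left untouched */
    }
    info->host = strdup(sock_path);
    info->service = strdup("unix");
    return 0;
}

/* Stand-in for the generated qapi_free_VncServerInfo(): frees every
 * member, assuming each is either NULL or a valid heap pointer. */
static void free_server_info(ServerInfo *info)
{
    if (!info) {
        return;
    }
    free(info->host);
    free(info->service);
    free(info->auth);
    free(info);
}

/* True if the pointer slot still holds the poison fill, i.e. bytes that
 * were never assigned and must not reach free(). Demo-only check. */
static int is_poison_pointer(const char *p)
{
    uintptr_t poison;
    memset(&poison, POISON_BYTE, sizeof poison);
    return (uintptr_t)p == poison;
}

/* Mirrors the shape of vnc_server_info_get(): allocate, init, set auth,
 * and on init failure release the partially built struct.
 * Returns  1 on success (caller owns *out),
 *          0 if init failed and the struct was freed safely,
 *         -1 if init failed and a member holds stale bytes: freeing it
 *            would be the "free(): invalid pointer" abort, so the demo
 *            drops only the members it knows it owns. */
static int server_info_get(const char *sock_path, int zeroed, ServerInfo **out)
{
    ServerInfo *info = zeroed ? calloc(1, sizeof *info)
                              : malloc_poisoned(sizeof *info);
    if (!info) {
        perror("alloc");
        abort();
    }
    int err = init_basic_info(info, sock_path);
    info->auth = strdup("none");    /* always set, regardless of err */
    *out = NULL;
    if (err) {
        if (is_poison_pointer(info->host) || is_poison_pointer(info->service)) {
            free(info->auth);
            free(info);
            return -1;
        }
        free_server_info(info);     /* zeroed: free(NULL) is a no-op */
        return 0;
    }
    *out = info;
    return 1;
}

int main(void)
{
    const char *long_path = "/tmp/service/../service/../service/../service/vnc-sock";
    ServerInfo *info = NULL;
    int rc;

    rc = server_info_get("/tmp/vnc.socket", 0, &info);
    printf("short path, plain malloc : rc=%d host=%s\n", rc, info->host);
    free_server_info(info);

    rc = server_info_get(long_path, 0, &info);
    printf("long path,  plain malloc : rc=%d (stale pointer, free() would abort)\n", rc);

    rc = server_info_get(long_path, 1, &info);
    printf("long path,  zeroed alloc : rc=%d (partial struct freed safely)\n", rc);
    return 0;
}
```

The alloc-to-zeroing-alloc change that the [Regression Potential] section describes corresponds here to switching from malloc_poisoned() to calloc(): with every member starting as NULL, the generic freer can be called on the error path without knowing how far init_basic_info() got, because free(NULL) does nothing. The same reasoning is why the fix is safe to backport: it only changes the contents of memory that the error path previously read without ever having written.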
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1705743/+subscriptions