Or Cohen created GUACAMOLE-467:
----------------------------------
Summary: Rare segfault when joining SSH session
Key: GUACAMOLE-467
URL: https://issues.apache.org/jira/browse/GUACAMOLE-467
Project: Guacamole
Issue Type: Bug
Components: guacd, SSH
Affects Versions: 0.9.13-incubating
Reporter: Or Cohen
Priority: Minor
A rare segfault, essentially a race condition, when joining a user to an
existing connection.
On our system, users (non-owners) are being connected automatically as soon as
the owner creates a new connection.
There's a slight window after the {{ready}} instruction during which
{{ssh_client->term}} is still NULL; other users can join the connection with
the connection ID in that window, in which case they are sent to
{{guac_terminal_dup()}} with a NULL term.
To reproduce (not very easy):
1. Create a new connection (owner).
2. Use the connection ID ASAP with a new connection and {{select}} instruction.
I was thinking about a solution here, something that should be "safer" than
checking if term is NULL in the long term, i.e., something that should be
future-proof in case there are more potential race conditions like this. I was
wondering if (at {{guac_client_add_user()}}) placing the join handler inside
the rwlock would be a proper fix as well, albeit not the best place naming-wise.
{noformat}
$ gdb /usr/local/sbin/guacd core
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-100.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/local/sbin/guacd...done.
[New LWP 38]
[New LWP 32]
[New LWP 33]
[New LWP 29]
[New LWP 34]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `guacd -fb 0.0.0.0'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f3c02612656 in guac_terminal_repaint_default_layer (terminal=0x0,
socket=0x7f3bec0008c0) at terminal.c:204
204 int width = terminal->width;
Missing separate debuginfos, use: debuginfo-install cairo-1.14.8-2.el7.x86_64
expat-2.1.0-10.el7_3.x86_64 fontconfig-2.10.95-11.el7.x86_64
freetype-2.4.11-15.el7.x86_64 glib2-2.50.3-3.el7.x86_64
glibc-2.17-196.el7_4.2.x86_64 graphite2-1.3.10-1.el7_3.x86_64
harfbuzz-1.3.2-1.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64
krb5-libs-1.15.1-8.el7.x86_64 libX11-1.6.5-1.el7.x86_64
libXau-1.0.8-2.1.el7.x86_64 libXdamage-1.1.4-4.1.el7.x86_64
libXext-1.3.3-3.el7.x86_64 libXfixes-5.0.3-1.el7.x86_64
libXrender-0.9.10-1.el7.x86_64 libXxf86vm-1.1.4-1.el7.x86_64
libcom_err-1.42.9-10.el7.x86_64 libdrm-2.4.74-1.el7.x86_64
libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-16.el7_4.1.x86_64
libjpeg-turbo-1.2.90-5.el7.x86_64 libogg-1.3.0-7.el7.x86_64
libpng-1.5.13-7.el7_2.x86_64 libselinux-2.5-11.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64 libthai-0.1.14-9.el7.x86_64
libvorbis-1.3.3-8.el7.x86_64 libwebp-0.3.0-7.el7.x86_64
libxcb-1.12-1.el7.x86_64 libxshmfence-1.2-1.el7.x86_64
mesa-libEGL-17.0.1-6.20170307.el7.x86_64
mesa-libGL-17.0.1-6.20170307.el7.x86_64
mesa-libgbm-17.0.1-6.20170307.el7.x86_64
mesa-libglapi-17.0.1-6.20170307.el7.x86_64 openssl-libs-1.0.2k-8.el7.x86_64
pango-1.40.4-1.el7.x86_64 pcre-8.32-17.el7.x86_64 pixman-0.34.0-1.el7.x86_64
uuid-1.6.2-26.el7.x86_64 zlib-1.2.7-17.el7.x86_64
(gdb) bt
#0 0x00007f3c02612656 in guac_terminal_repaint_default_layer (terminal=0x0,
socket=0x7f3bec0008c0) at terminal.c:204
#1 0x00007f3c02615e4e in guac_terminal_dup (term=0x0, user=0x7f3bec0029a0,
socket=0x7f3bec0008c0) at terminal.c:1969
#2 0x00007f3c0260778e in guac_ssh_user_join_handler (user=0x7f3bec0029a0,
argc=18, argv=0x7f3bec0048e0) at user.c:74
#3 0x00007f3c0a2d6e66 in guac_client_add_user (client=0x7f3bfc00ac40,
user=0x7f3bec0029a0, argc=18, argv=0x7f3bec0048e0) at client.c:285
#4 0x0000000000405bd8 in guacd_handle_user (user=0x7f3bec0029a0) at user.c:289
#5 0x0000000000404cca in guacd_user_thread (data=0x7f3bfc01cde0) at proc.c:95
#6 0x00007f3c09913e25 in start_thread () at /lib64/libpthread.so.0
#7 0x00007f3c088e134d in clone () at /lib64/libc.so.6
(gdb)
{noformat}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)