[jira] [Updated] (GUACAMOLE-428) segfault in guac_vnc_user_leave_handler

Aiden Luo (JIRA) Thu, 02 Nov 2017 07:01:49 -0700

     [ 
https://issues.apache.org/jira/browse/GUACAMOLE-428?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Aiden Luo updated GUACAMOLE-428:
--------------------------------
    Description: 
1. core dump 

{code:c}
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) at 
user.c:116
116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
(gdb) bt
#0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) at 
user.c:116
#1  0x00007f93322d1f7f in guac_client_remove_user (client=0x7f92b800ad90, 
user=0x7f9328004980) at client.c:339
#2  0x0000000000405c60 in guacd_handle_user (user=0x7f9328004980) at user.c:304
#3  0x0000000000404ca2 in guacd_user_thread (data=0x7f92b801bac0) at proc.c:95
#4  0x00007f9331922064 in start_thread (arg=0x7f92b37fe700) at 
pthread_create.c:309
#5  0x00007f9330b0562d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) l
111     int guac_vnc_user_leave_handler(guac_user* user) {
112
113         guac_vnc_client* vnc_client = (guac_vnc_client*) user->client->data;
114
115         /* Update shared cursor state */
116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
117
118         /* Free settings if not owner (owner settings will be freed with 
client) */
119         if (!user->owner) {
120             guac_vnc_settings* settings = (guac_vnc_settings*) user->data;
(gdb) p *vnc_client
$1 = {client_thread = 140268061849344, rfb_client = 0x0, rfb_MallocFrameBuffer 
= 0x7f931f5f5030, copy_rect_used = 0,
  settings = 0x7f9328006890, display = 0x0, clipboard = 0x7f92b8035b60, audio = 
0x0, sftp_user = 0x0, sftp_session = 0x0,
  sftp_filesystem = 0x0, clipboard_reader = 0x7f932c1782de 
<GUAC_READ_ISO8859_1>,
  clipboard_writer = 0x7f932c178414 <GUAC_WRITE_ISO8859_1>}

(gdb) p *user
$2 = {client = 0x7f92b800ad90, socket = 0x7f932800af30, user_id = 
0x7f9328004c30 "@b4e03b65-8317-4049-9f73-61c9a92272f9",
  owner = 1, active = 0, __prev = 0x0, __next = 0x0, last_received_timestamp = 
1586735641, last_frame_duration = 0,
  processing_lag = 0, info = {optimal_width = 977, optimal_height = 668, 
audio_mimetypes = 0x7f932800b000,
    video_mimetypes = 0x7f932800b020, image_mimetypes = 0x7f9328004ae0, 
optimal_resolution = 96},
  __stream_pool = 0x7f9328004a90, __output_streams = 0x7f9328005670, 
__input_streams = 0x7f9328004c60,
  __object_pool = 0x7f932800afb0, __objects = 0x7f9328006080, data = 
0x7f9328006890,
  mouse_handler = 0x7f932c17592e <guac_vnc_user_mouse_handler>, key_handler = 
0x7f932c1759a7 <guac_vnc_user_key_handler>,
  clipboard_handler = 0x7f932c174ea1 <guac_vnc_clipboard_handler>, size_handler 
= 0x0, file_handler = 0x0,
  pipe_handler = 0x0, ack_handler = 0x0, blob_handler = 0x0, end_handler = 0x0, 
sync_handler = 0x0, leave_handler = 0x0,
  get_handler = 0x0, put_handler = 0x0, audio_handler = 0x0}
{code}

2.  analysis

When user connect to guacd, guacd will create a new process to handle the 
connection. In new process then create `static void* guacd_user_thread(void* 
data)` thread to do real work.

 In guacd_user_thread thread, will create  a +void* 
guac_vnc_client_thread(void* data)+ thread to read frame from VNC server and 
write to guac_socket.   +vnc_client->clipboard_reader+, 
+vnc_client->rfb_client+ and +vnc_client->display+ will be setup in this thread.

Also guacd_user_thread will create another +void* guacd_user_input_thread(void* 
data)+ thread to receive data from client and send  to VNC sever.

guacd_user_thread will wait guacd_user_input_thread finished, then call +void 
guac_client_remove_user(guac_client* client, guac_user* user)+ function to 
remove  user which will call +int guac_vnc_user_leave_handler(guac_user* 
user)+.  

The segfault error caused by  line  
+guac_common_cursor_remove_user(vnc_client->display->cursor, user)+  in 
function +guac_vnc_user_leave_handler+，because +vnc_client->display+ is NLL.

Why this segfault will happen?

My guess is that there exist concurrently problem.  If guacd_user_input_thread 
exit before +vnc_client->display+ gets initialized in guac_vnc_client_thread, 
the +guac_common_cursor_remove_user+ function will do null pointer dereference.

We should check +vnc_client->display+ if is null in function +void 
guac_client_remove_user(guac_client* client, guac_user* user)+.



  was:
1. core dump 

{code:c}
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) at 
user.c:116
116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
(gdb) bt
#0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) at 
user.c:116
#1  0x00007f93322d1f7f in guac_client_remove_user (client=0x7f92b800ad90, 
user=0x7f9328004980) at client.c:339
#2  0x0000000000405c60 in guacd_handle_user (user=0x7f9328004980) at user.c:304
#3  0x0000000000404ca2 in guacd_user_thread (data=0x7f92b801bac0) at proc.c:95
#4  0x00007f9331922064 in start_thread (arg=0x7f92b37fe700) at 
pthread_create.c:309
#5  0x00007f9330b0562d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:111
(gdb) l
111     int guac_vnc_user_leave_handler(guac_user* user) {
112
113         guac_vnc_client* vnc_client = (guac_vnc_client*) user->client->data;
114
115         /* Update shared cursor state */
116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
117
118         /* Free settings if not owner (owner settings will be freed with 
client) */
119         if (!user->owner) {
120             guac_vnc_settings* settings = (guac_vnc_settings*) user->data;
(gdb) p *vnc_client
$1 = {client_thread = 140268061849344, rfb_client = 0x0, rfb_MallocFrameBuffer 
= 0x7f931f5f5030, copy_rect_used = 0,
  settings = 0x7f9328006890, display = 0x0, clipboard = 0x7f92b8035b60, audio = 
0x0, sftp_user = 0x0, sftp_session = 0x0,
  sftp_filesystem = 0x0, clipboard_reader = 0x7f932c1782de 
<GUAC_READ_ISO8859_1>,
  clipboard_writer = 0x7f932c178414 <GUAC_WRITE_ISO8859_1>}

(gdb) p *user
$2 = {client = 0x7f92b800ad90, socket = 0x7f932800af30, user_id = 
0x7f9328004c30 "@b4e03b65-8317-4049-9f73-61c9a92272f9",
  owner = 1, active = 0, __prev = 0x0, __next = 0x0, last_received_timestamp = 
1586735641, last_frame_duration = 0,
  processing_lag = 0, info = {optimal_width = 977, optimal_height = 668, 
audio_mimetypes = 0x7f932800b000,
    video_mimetypes = 0x7f932800b020, image_mimetypes = 0x7f9328004ae0, 
optimal_resolution = 96},
  __stream_pool = 0x7f9328004a90, __output_streams = 0x7f9328005670, 
__input_streams = 0x7f9328004c60,
  __object_pool = 0x7f932800afb0, __objects = 0x7f9328006080, data = 
0x7f9328006890,
  mouse_handler = 0x7f932c17592e <guac_vnc_user_mouse_handler>, key_handler = 
0x7f932c1759a7 <guac_vnc_user_key_handler>,
  clipboard_handler = 0x7f932c174ea1 <guac_vnc_clipboard_handler>, size_handler 
= 0x0, file_handler = 0x0,
  pipe_handler = 0x0, ack_handler = 0x0, blob_handler = 0x0, end_handler = 0x0, 
sync_handler = 0x0, leave_handler = 0x0,
  get_handler = 0x0, put_handler = 0x0, audio_handler = 0x0}
{code}

2.  analysis

When user connect to guacd, guacd will create a new process to handle the 
connection. In new process then create `static void* guacd_user_thread(void* 
data)` thread to do real work.

 In guacd_user_thread thread, will create  a *void* 
guac_vnc_client_thread(void* data)* thread to read frame from VNC server and 
write to guac_socket.   *vnc_client->clipboard_reader*, 
*vnc_client->rfb_client* and *vnc_client->display* will be setup in this thread.

Also guacd_user_thread will create another *void* guacd_user_input_thread(void* 
data)* thread to receive data from client and send  to VNC sever.

guacd_user_thread will wait guacd_user_input_thread finished, then call *void 
guac_client_remove_user(guac_client* client, guac_user* user)* function to 
remove  user which will call *int guac_vnc_user_leave_handler(guac_user* 
user)*.  

The segfault error caused by  line  
*guac_common_cursor_remove_user(vnc_client->display->cursor, user)*  in 
function *guac_vnc_user_leave_handler*，because *vnc_client->display* is NLL.

Why this segfault will happen?

My guess is that there exist concurrently problem.  If guacd_user_input_thread 
exit before *vnc_client->display* gets initialized in guac_vnc_client_thread, 
the *guac_common_cursor_remove_user* function will do null pointer dereference.

We should check *vnc_client->display* if is null in function *void 
guac_client_remove_user(guac_client* client, guac_user* user)*.




> segfault in guac_vnc_user_leave_handler
> ---------------------------------------
>
>                 Key: GUACAMOLE-428
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-428
>             Project: Guacamole
>          Issue Type: Bug
>          Components: VNC
>    Affects Versions: 0.9.13-incubating
>         Environment: guacd with container
>            Reporter: Aiden Luo
>            Priority: Major
>
> 1. core dump 
> {code:c}
> Program terminated with signal SIGSEGV, Segmentation fault.
> #0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) 
> at user.c:116
> 116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
> (gdb) bt
> #0  0x00007f932c1763dc in guac_vnc_user_leave_handler (user=0x7f9328004980) 
> at user.c:116
> #1  0x00007f93322d1f7f in guac_client_remove_user (client=0x7f92b800ad90, 
> user=0x7f9328004980) at client.c:339
> #2  0x0000000000405c60 in guacd_handle_user (user=0x7f9328004980) at 
> user.c:304
> #3  0x0000000000404ca2 in guacd_user_thread (data=0x7f92b801bac0) at proc.c:95
> #4  0x00007f9331922064 in start_thread (arg=0x7f92b37fe700) at 
> pthread_create.c:309
> #5  0x00007f9330b0562d in clone () at 
> ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> (gdb) l
> 111     int guac_vnc_user_leave_handler(guac_user* user) {
> 112
> 113         guac_vnc_client* vnc_client = (guac_vnc_client*) 
> user->client->data;
> 114
> 115         /* Update shared cursor state */
> 116         guac_common_cursor_remove_user(vnc_client->display->cursor, user);
> 117
> 118         /* Free settings if not owner (owner settings will be freed with 
> client) */
> 119         if (!user->owner) {
> 120             guac_vnc_settings* settings = (guac_vnc_settings*) user->data;
> (gdb) p *vnc_client
> $1 = {client_thread = 140268061849344, rfb_client = 0x0, 
> rfb_MallocFrameBuffer = 0x7f931f5f5030, copy_rect_used = 0,
>   settings = 0x7f9328006890, display = 0x0, clipboard = 0x7f92b8035b60, audio 
> = 0x0, sftp_user = 0x0, sftp_session = 0x0,
>   sftp_filesystem = 0x0, clipboard_reader = 0x7f932c1782de 
> <GUAC_READ_ISO8859_1>,
>   clipboard_writer = 0x7f932c178414 <GUAC_WRITE_ISO8859_1>}
> (gdb) p *user
> $2 = {client = 0x7f92b800ad90, socket = 0x7f932800af30, user_id = 
> 0x7f9328004c30 "@b4e03b65-8317-4049-9f73-61c9a92272f9",
>   owner = 1, active = 0, __prev = 0x0, __next = 0x0, last_received_timestamp 
> = 1586735641, last_frame_duration = 0,
>   processing_lag = 0, info = {optimal_width = 977, optimal_height = 668, 
> audio_mimetypes = 0x7f932800b000,
>     video_mimetypes = 0x7f932800b020, image_mimetypes = 0x7f9328004ae0, 
> optimal_resolution = 96},
>   __stream_pool = 0x7f9328004a90, __output_streams = 0x7f9328005670, 
> __input_streams = 0x7f9328004c60,
>   __object_pool = 0x7f932800afb0, __objects = 0x7f9328006080, data = 
> 0x7f9328006890,
>   mouse_handler = 0x7f932c17592e <guac_vnc_user_mouse_handler>, key_handler = 
> 0x7f932c1759a7 <guac_vnc_user_key_handler>,
>   clipboard_handler = 0x7f932c174ea1 <guac_vnc_clipboard_handler>, 
> size_handler = 0x0, file_handler = 0x0,
>   pipe_handler = 0x0, ack_handler = 0x0, blob_handler = 0x0, end_handler = 
> 0x0, sync_handler = 0x0, leave_handler = 0x0,
>   get_handler = 0x0, put_handler = 0x0, audio_handler = 0x0}
> {code}
> 2.  analysis
> When user connect to guacd, guacd will create a new process to handle the 
> connection. In new process then create `static void* guacd_user_thread(void* 
> data)` thread to do real work.
>  In guacd_user_thread thread, will create  a +void* 
> guac_vnc_client_thread(void* data)+ thread to read frame from VNC server and 
> write to guac_socket.   +vnc_client->clipboard_reader+, 
> +vnc_client->rfb_client+ and +vnc_client->display+ will be setup in this 
> thread.
> Also guacd_user_thread will create another +void* 
> guacd_user_input_thread(void* data)+ thread to receive data from client and 
> send  to VNC sever.
> guacd_user_thread will wait guacd_user_input_thread finished, then call +void 
> guac_client_remove_user(guac_client* client, guac_user* user)+ function to 
> remove  user which will call +int guac_vnc_user_leave_handler(guac_user* 
> user)+.  
> The segfault error caused by  line  
> +guac_common_cursor_remove_user(vnc_client->display->cursor, user)+  in 
> function +guac_vnc_user_leave_handler+，because +vnc_client->display+ is NLL.
> Why this segfault will happen?
> My guess is that there exist concurrently problem.  If 
> guacd_user_input_thread exit before +vnc_client->display+ gets initialized in 
> guac_vnc_client_thread, the +guac_common_cursor_remove_user+ function will do 
> null pointer dereference.
> We should check +vnc_client->display+ if is null in function +void 
> guac_client_remove_user(guac_client* client, guac_user* user)+.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

[jira] [Updated] (GUACAMOLE-428) segfault in guac_vnc_user_leave_handler

Reply via email to