[jira] [Updated] (GUACAMOLE-1053) Segfault in gaucd (race between RDP client user threads)

Grigory Trenin (Jira) Sat, 25 Apr 2020 13:47:39 -0700


     [ 
https://issues.apache.org/jira/browse/GUACAMOLE-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Grigory Trenin updated GUACAMOLE-1053:
--------------------------------------
    Description: 
{noformat}
Program terminated with signal 11, Segmentation fault.
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
pressed=0) at keyboard.c:444
444         if (!keyboard->synchronized) {

(gdb) p keyboard->synchronized
Cannot access memory at address 0x7faa4c36401c

(gdb) bt
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
pressed=0) at keyboard.c:444
#1  0x00007faae2f50bf0 in guac_user_input_thread (data=<optimized out>) at 
user-handshake.c:165
#2  0x00007faae2372ea5 in start_thread () from /lib64/libpthread.so.0
#3  0x00007faae0c678cd in clone () from /lib64/libc.so.6

(gdb) info threads
  Id   Target Id         Frame
  3    Thread 0x7fa9eb7fe700 (LWP 7379) 0x00007faae2374017 in pthread_join () 
from /lib64/libpthread.so.0
  2    Thread 0x7fa9ebfff700 (LWP 7376) (Exiting) 0x00007faae2379bad in recvmsg 
() from /lib64/libpthread.so.0
* 1    Thread 0x7fa9f8ff9700 (LWP 7381) guac_rdp_keyboard_update_keysym 
(keyboard=0x7faa4c364010, keysym=65288, pressed=0)
    at keyboard.c:444
{noformat}
"info threads" shows that there are only 3 threads running:
 # guac_user_input_thread (the thread segfault occured in)
 # guacd_connection_thread
 # guacd_user_thread waiting for guac_user_input_thread

Note that there is no client thread running.
 So here is what happenned: *guac_rdp_client_thread* exited and freed 
*rdp_client->keyboard* structure, while user input thread was still running and 
tried to access *rdp_client->keyboard* after it was freed.

This is an old bug. Found a 2-year old GUACAMOLE-433 which looks exactly the 
same, but it was closed as "Cannot reproduce". It does not happen often indeed. 
We have 120 users actively using Guacamole (since COVID-19) and have seen this 
segfault only twice within the last month.

As a relief, a NULL value can be assigned to *rdp_client->keyboard* immediately 
after freeing it. It will decrease segfault probability, but of course, the 
race condition between a client and user input threads remains.

To fix it reliably we probably need to introduce a mutex that will not allow to 
run a user input handlers concurrently with RDP connection setup/cleanup code.

  was:
{noformat}
Program terminated with signal 11, Segmentation fault.
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
pressed=0) at keyboard.c:444
444         if (!keyboard->synchronized) {

(gdb) p keyboard->synchronized
Cannot access memory at address 0x7faa4c36401c

(gdb) bt
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
pressed=0) at keyboard.c:444
#1  0x00007faae2f50bf0 in guac_user_input_thread (data=<optimized out>) at 
user-handshake.c:165
#2  0x00007faae2372ea5 in start_thread () from /lib64/libpthread.so.0
#3  0x00007faae0c678cd in clone () from /lib64/libc.so.6

(gdb) info threads
  Id   Target Id         Frame
  3    Thread 0x7fa9eb7fe700 (LWP 7379) 0x00007faae2374017 in pthread_join () 
from /lib64/libpthread.so.0
  2    Thread 0x7fa9ebfff700 (LWP 7376) (Exiting) 0x00007faae2379bad in recvmsg 
() from /lib64/libpthread.so.0
* 1    Thread 0x7fa9f8ff9700 (LWP 7381) guac_rdp_keyboard_update_keysym 
(keyboard=0x7faa4c364010, keysym=65288, pressed=0)
    at keyboard.c:444
{noformat}
"info threads" shows that there are only 3 threads running:
 # guac_user_input_thread (the thread segfault occured in)
 # guacd_connection_thread
 # guacd_user_thread waiting for guac_user_input_thread

Note that there is no client thread running.
So here is what happenned: *guac_rdp_client_thread* exited and freed 
*rdp_client->keyboard* structure, while user input thread was still running and 
tried to access *rdp_client->keyboard* after it was freed.

This is an old bug. Found a 2-year old GUACAMOLE-433 which looks exactly the 
same, but it was closed as "Cannot reproduce". It does not happen often indeed. 
We have 120 users actively using Guacamole (since COVID-19) and have seen this 
segfault only twice within the last month.

As a relief, a NULL value can be assigned to *rdp_client->keyboard* immediately 
after freeing it. It will decrease segfault probability, but of course, the 
race condition between a client and user input threads remains.

To fix it reliably we probably need to introduce a mutex that will not allow to 
run 
a user input handlers concurrently with RDP connection setup/cleanup code.


> Segfault in gaucd (race between RDP client user threads)
> --------------------------------------------------------
>
>                 Key: GUACAMOLE-1053
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1053
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacd
>    Affects Versions: 1.1.0
>         Environment: RHEL 7.7 (x86_64)
>            Reporter: Grigory Trenin
>            Priority: Major
>
> {noformat}
> Program terminated with signal 11, Segmentation fault.
> #0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
> pressed=0) at keyboard.c:444
> 444         if (!keyboard->synchronized) {
> (gdb) p keyboard->synchronized
> Cannot access memory at address 0x7faa4c36401c
> (gdb) bt
> #0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, 
> pressed=0) at keyboard.c:444
> #1  0x00007faae2f50bf0 in guac_user_input_thread (data=<optimized out>) at 
> user-handshake.c:165
> #2  0x00007faae2372ea5 in start_thread () from /lib64/libpthread.so.0
> #3  0x00007faae0c678cd in clone () from /lib64/libc.so.6
> (gdb) info threads
>   Id   Target Id         Frame
>   3    Thread 0x7fa9eb7fe700 (LWP 7379) 0x00007faae2374017 in pthread_join () 
> from /lib64/libpthread.so.0
>   2    Thread 0x7fa9ebfff700 (LWP 7376) (Exiting) 0x00007faae2379bad in 
> recvmsg () from /lib64/libpthread.so.0
> * 1    Thread 0x7fa9f8ff9700 (LWP 7381) guac_rdp_keyboard_update_keysym 
> (keyboard=0x7faa4c364010, keysym=65288, pressed=0)
>     at keyboard.c:444
> {noformat}
> "info threads" shows that there are only 3 threads running:
>  # guac_user_input_thread (the thread segfault occured in)
>  # guacd_connection_thread
>  # guacd_user_thread waiting for guac_user_input_thread
> Note that there is no client thread running.
>  So here is what happenned: *guac_rdp_client_thread* exited and freed 
> *rdp_client->keyboard* structure, while user input thread was still running 
> and tried to access *rdp_client->keyboard* after it was freed.
> This is an old bug. Found a 2-year old GUACAMOLE-433 which looks exactly the 
> same, but it was closed as "Cannot reproduce". It does not happen often 
> indeed. We have 120 users actively using Guacamole (since COVID-19) and have 
> seen this segfault only twice within the last month.
> As a relief, a NULL value can be assigned to *rdp_client->keyboard* 
> immediately after freeing it. It will decrease segfault probability, but of 
> course, the race condition between a client and user input threads remains.
> To fix it reliably we probably need to introduce a mutex that will not allow 
> to run a user input handlers concurrently with RDP connection setup/cleanup 
> code.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (GUACAMOLE-1053) Segfault in gaucd (race between RDP client user threads)

Reply via email to