[ https://issues.apache.org/jira/browse/GUACAMOLE-1053?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17092399#comment-17092399 ]
Nick Couchman commented on GUACAMOLE-1053:
------------------------------------------

Can you try with the staging/1.2.0 branch and see if you can reproduce? I know this may not be possible if you're seeing it in your production environment, but if you can that'd be great.

> Segfault in guacd (race between RDP client and user threads)
> ------------------------------------------------------------
>
> Key: GUACAMOLE-1053
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1053
> Project: Guacamole
> Issue Type: Bug
> Components: guacd
> Affects Versions: 1.1.0
> Environment: RHEL 7.7 (x86_64)
> Reporter: Grigory Trenin
> Priority: Minor
>
> {noformat}
> Program terminated with signal 11, Segmentation fault.
> #0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0) at keyboard.c:444
> 444         if (!keyboard->synchronized) {
> (gdb) p keyboard->synchronized
> Cannot access memory at address 0x7faa4c36401c
> (gdb) bt
> #0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0) at keyboard.c:444
> #1  0x00007faae2f50bf0 in guac_user_input_thread (data=<optimized out>) at user-handshake.c:165
> #2  0x00007faae2372ea5 in start_thread () from /lib64/libpthread.so.0
> #3  0x00007faae0c678cd in clone () from /lib64/libc.so.6
> (gdb) info threads
>   Id   Target Id                         Frame
>   3    Thread 0x7fa9eb7fe700 (LWP 7379)  0x00007faae2374017 in pthread_join () from /lib64/libpthread.so.0
>   2    Thread 0x7fa9ebfff700 (LWP 7376)  (Exiting) 0x00007faae2379bad in recvmsg () from /lib64/libpthread.so.0
> * 1    Thread 0x7fa9f8ff9700 (LWP 7381)  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0) at keyboard.c:444
> {noformat}
>
> "info threads" shows that there are only 3 threads running:
> # guac_user_input_thread (the thread the segfault occurred in)
> # guacd_connection_thread
> # guacd_user_thread waiting for guac_user_input_thread
>
> Note that there is no client thread running.
> So here is what happened: *guac_rdp_client_thread* exited and freed the *rdp_client->keyboard* structure, while the user input thread was still running and tried to access *rdp_client->keyboard* after it was freed.
>
> This is an old bug. Found a 2-year-old GUACAMOLE-433 which looks exactly the same, but it was closed as "Cannot reproduce". It does not happen often indeed. We have 120 users actively using Guacamole (since COVID-19) and have seen this segfault only twice within the last month.
>
> As a relief, a NULL value can be assigned to *rdp_client->keyboard* immediately after freeing it. It will decrease segfault probability, but of course, the race condition between the client and user input threads remains.
>
> To fix it reliably we probably need to introduce a mutex that will not allow user input handlers to run concurrently with the RDP connection setup/cleanup code.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
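The mutex the report proposes, as an added example (a constructed illustration, not guacd's code): teardown and the keysym handler take the same lock, the pointer is NULLed under it, and a late handler refuses instead of dereferencing freed memory. Only the `keyboard` pointer, the `synchronized` field and keysym 65288 come from the report; the type, function and lock names are assumptions, and the crashing interleaving is replayed sequentially on one thread rather than raced.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed stand-ins for guacd's RDP state, not the real guac_rdp_* types. */
typedef struct guac_rdp_keyboard {
    int synchronized;   /* the field read at keyboard.c:444 in the report */
} guac_rdp_keyboard;
typedef struct guac_rdp_client {
    guac_rdp_keyboard* keyboard;  /* freed when the RDP client thread exits */
    pthread_mutex_t lock;         /* constructed: serializes use and teardown */
} guac_rdp_client;

guac_rdp_client* rdp_client_alloc(void) {
    guac_rdp_client* c = calloc(1, sizeof(*c));
    pthread_mutex_init(&c->lock, NULL);
    c->keyboard = calloc(1, sizeof(*c->keyboard));
    return c;
}

/* User input thread path: 0 if applied, -1 if the keyboard is already gone.
 * The NULL check and the use share one critical section with the teardown. */
int keyboard_update_keysym(guac_rdp_client* c, int keysym, int pressed) {
    int rc = -1;
    (void) keysym; (void) pressed;     /* real code would translate these */
    pthread_mutex_lock(&c->lock);
    if (c->keyboard != NULL) {
        c->keyboard->synchronized = 1; /* the dereference that crashed, now locked */
        rc = 0;
    }
    pthread_mutex_unlock(&c->lock);
    return rc;
}

/* Client thread path: free and NULL the pointer under the same lock. */
void rdp_client_cleanup_keyboard(guac_rdp_client* c) {
    pthread_mutex_lock(&c->lock);
    free(c->keyboard);
    c->keyboard = NULL;
    pthread_mutex_unlock(&c->lock);
}

/* Replays the report's ordering on one thread: the client thread tears the
 * keyboard down, then a late BackSpace (keysym 65288) release arrives. */
int replay_report_interleaving(void) {
    guac_rdp_client* c = rdp_client_alloc();
    int before = keyboard_update_keysym(c, 65288, 1);  /* 0: keyboard alive */
    rdp_client_cleanup_keyboard(c);
    int after = keyboard_update_keysym(c, 65288, 0);   /* -1: refused, no UAF */
    pthread_mutex_destroy(&c->lock); free(c);
    return before == 0 && after == -1;
}
```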