** Description changed:

  [Impact]

- * some more uncommon vnc configurations (e.g. very long names, but also
- potentially various other cases that make
- vnc_init_basic_info_from_server_addr fail) will lead to random data
- (after alloc) in a struct that will then be used on calls (e.g to free)
+  * some more uncommon vnc configurations (e.g. very long names, but also
+    potentially various other cases that make
+    vnc_init_basic_info_from_server_addr fail) will lead to random data
+    (after alloc) in a struct that will then be used on calls (e.g to free)

- * The fix would avoid hard crashes (due to freeing random or null
- pointers) in qemu of xenial
+  * The fix would avoid hard crashes (due to freeing random or null
+    pointers) in qemu of xenial

  [Test Case]

- * To trigger the issue you can use e.g. a very long vnc string.
- Console 1
- $ mkdir /tmp/service
- $ qemu-system-x86_64 -enable-kvm -vnc unix:/tmp/service/../service/../service/../service/vnc-sock
- Console 2
- $ socat - UNIX:/tmp/service/vnc-sock
+  * To trigger the issue you can use e.g. a very long vnc string.
+    Console 1
+    $ mkdir /tmp/service
+    $ qemu-system-x86_64 -enable-kvm -vnc unix:/tmp/service/../service/../service/../service/vnc-sock
+    Console 2
+    $ socat - UNIX:/tmp/service/vnc-sock

  [Regression Potential]

- * I'd consider the regression potential very low for the following
- reasons:
- - small change (easier to review)
- - changing alloc to zeroing alloc (to avoid random data in struct)
- - the change is from upstream and quite old without being reverted or
- post-fixed
+  * I'd consider the regression potential very low for the following
+    reasons:
+    - small change (easier to review)
+    - changing alloc to zeroing alloc (to avoid random data in struct)
+    - the change is from upstream and quite old without being reverted or
+      post-fixed
+  * What could happen?
+    Overall due to the change now just initializing memory the only
+    regression I could think of would be something that required !=0
+    content and worked all the time by accident (since random has so many
+    chances to be !=0 but only one to be =0), but TBH I can't think
+    of such an issue in that area of the code

  [Other Info]
-
- * pre testable in ppa https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3245
+  * pre testable in ppa https://launchpad.net/~ci-train-ppa-
+    service/+archive/ubuntu/3245

  Following minimal test case crashes qemu-system-i386 on amd64 host:

  qemu-system-i386 -name test -nodefconfig -no-user-config -nodefaults -sandbox off -machine none -m 256 -balloon none -no-acpi -parallel none -vga virtio -display "vnc=unix:vnc.socket" -boot menu=on

  and open the connection (not even real VNC client needed):

  socat - UNIX:vnc.socket

  Result:

  *** Error in `qemu-system-i386': free(): invalid pointer: 0x00007fbad024eb78 ***
  ======= Backtrace: =========
  /lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7fbacff017e5]
  /lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7fbacff0a37a]
  /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7fbacff0e53c]
  qemu-system-i386(+0x4a630d)[0x56145bd6930d]
  qemu-system-i386(visit_type_VncServerInfo+0xa2)[0x56145bd7b342]
  qemu-system-i386(qapi_free_VncServerInfo+0x30)[0x56145bd68910]
  qemu-system-i386(+0x4358fa)[0x56145bcf88fa]
  qemu-system-i386(+0x43aa03)[0x56145bcfda03]
  qemu-system-i386(+0x43abe5)[0x56145bcfdbe5]
  qemu-system-i386(aio_dispatch+0x68)[0x56145bd1f9e8]
  qemu-system-i386(+0x44fcce)[0x56145bd12cce]
  /lib/x86_64-linux-gnu/libglib-2.0.so.0(g_main_context_dispatch+0x2a7)[0x7fbad0be2197]
  ...

  $ lsb_release -rd
  Description:	Ubuntu 16.04.2 LTS
  Release:	16.04

  $ apt-cache policy qemu-system-x86
  qemu-system-x86:
    Installed: 1:2.5+dfsg-5ubuntu10.14
    Candidate: 1:2.5+dfsg-5ubuntu10.14
    Version table:
   *** 1:2.5+dfsg-5ubuntu10.14 500
          500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
          500 http://archive.ubuntu.com/ubuntu xenial-security/main amd64 Packages
          100 /var/lib/dpkg/status
       1:2.5+dfsg-5ubuntu10 500
          500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1705743

Title:
  qemu-system-x86 crashes when VNC connection is established

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1705743/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
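The failure mode the description outlines, an init routine that returns early and leaves an allocated struct with indeterminate pointer members that a generic member-by-member free routine then hands to free(), shown as an added C example beside the zeroing-allocation fix the regression analysis refers to. This is not QEMU's code and not code from the bug report: ServerInfo, init_info_from_path, free_info, make_info_uninitialised and make_info_zeroed are hypothetical stand-ins for VncServerInfo, vnc_init_basic_info_from_server_addr and qapi_free_VncServerInfo, and the sun_path length check is a constructed failure condition, not the condition that actually makes the QEMU routine fail.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <sys/un.h>

/* Hypothetical stand-in for QEMU's VncServerInfo: a struct of owned strings
 * that a generic free routine releases member by member. */
typedef struct {
    char *host;
    char *service;
} ServerInfo;

/* A unix socket path must fit sockaddr_un.sun_path (108 bytes on Linux),
 * NUL terminator included. Used here as the constructed failure condition. */
bool path_fits_sun_path(const char *path)
{
    return strlen(path) < sizeof(((struct sockaddr_un *)0)->sun_path);
}

/* Stands in for vnc_init_basic_info_from_server_addr: on failure it returns
 * early and never touches the members of *info. */
static bool init_info_from_path(ServerInfo *info, const char *path)
{
    if (!path_fits_sun_path(path)) {
        return false;              /* members of *info left as allocated */
    }
    info->host = strdup(path);
    info->service = strdup("unix");
    return info->host != NULL && info->service != NULL;
}

/* Stands in for qapi_free_VncServerInfo: frees every member unconditionally,
 * which is only safe when unset members are NULL (free(NULL) is a no-op). */
void free_info(ServerInfo *info)
{
    if (info == NULL) {
        return;
    }
    free(info->host);
    free(info->service);
    free(info);
}

/* Pre-fix pattern: plain malloc() leaves host/service indeterminate when init
 * fails, so a later free_info() passes garbage pointers to free(), which is
 * the "free(): invalid pointer" abort in the report. Shown only to expose the
 * defect; do not call it with a path that fails init. */
ServerInfo *make_info_uninitialised(const char *path)
{
    ServerInfo *info = malloc(sizeof(*info));
    if (info == NULL) {
        return NULL;
    }
    init_info_from_path(info, path);   /* failure leaves garbage behind */
    return info;
}

/* Fixed pattern (alloc -> zeroing alloc): a failed init leaves NULL members,
 * so the struct can be passed around and freed without harm. */
ServerInfo *make_info_zeroed(const char *path)
{
    ServerInfo *info = calloc(1, sizeof(*info));
    if (info == NULL) {
        return NULL;
    }
    init_info_from_path(info, path);   /* failure leaves NULLs behind */
    return info;
}

/* Constructed check: a 199-byte path that cannot fit sun_path. With zeroing
 * allocation the struct comes back with NULL members and frees cleanly. */
bool long_path_frees_cleanly(void)
{
    char path[200];
    memset(path, 'a', sizeof(path) - 1);
    path[0] = '/';
    path[sizeof(path) - 1] = '\0';

    ServerInfo *info = make_info_zeroed(path);
    bool clean = info != NULL && info->host == NULL && info->service == NULL;
    free_info(info);
    return clean;
}

/* Constructed check: the socket path from the report's test case does fit,
 * so init succeeds and both members are set. */
bool short_path_initialises(void)
{
    ServerInfo *info = make_info_zeroed("/tmp/service/vnc-sock");
    bool ok = info != NULL && info->host != NULL &&
              info->service != NULL && strcmp(info->service, "unix") == 0;
    free_info(info);
    return ok;
}
```

The point for review of a patch like the one described: with calloc (or g_malloc0) the error path needs no extra cleanup code, because every member the free routine touches is already in a state free() accepts; with malloc the same error path is a memory-safety bug even though no line of the error path itself looks wrong.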
