[Qemu-devel] [STABLE] [BUG] VNC mode can crash QEMU

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Stefan Weil <weil@mail.berlios.de>
To: QEMU Developers <qemu-devel@nongnu.org>
Subject: [Qemu-devel] [STABLE] [BUG] VNC mode can crash QEMU
Date: Sun, 24 May 2009 22:08:58 +0200	[thread overview]
Message-ID: <4A19A95A.2050801@mail.berlios.de> (raw)

Hello,

this scenario crashs the latest QEMU HEAD on Windows
(Linux users, please note that the bug is not Windows related,
so don't stop reading!):

* run qemu.exe -vnc :0
* connect using UltraVnc
* select fuzzy screen mode in UltraVnc

=> segfault of qemu.exe

The crash is caused by VNC protocols which are unsupported
by QEMU - in my case it was the fuzzy screen mode protocol.
These protocols trigger a call stack which releases the
VncState vs:

qemu_free(vs)
vnc_client_io_error(vs, ...)
vnc_client_error(vs, ...)
protocol_client_msg(vs, ...)
vnc_client_read
main_loop_wait
main_loop

The default handlers for unimplemented protocols in
protocol_client_msg call vnc_client_error which finally
calls qemu_free for the current VncState vs.

vs is then used in protocol_client_msg and vnc_client_read
although it is no longer valid. On Windows, this results
in a crash, for other host platforms, the result depends
on implementation details of the C library.

In any case, access to a data structure after a free()
is a bug.

The same bug seems to exist in the stable branch
(not tested, I only had a look into the code vnc.c).

I don't see a simple way to patch this, so I leave the
bug fixing to the VNC experts and the QEMU maintainers.

Regards

Stefan Weil

next             reply	other threads:[~2009-05-24 20:09 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-05-24 20:08 Stefan Weil [this message]
2009-05-25  8:33 ` [Qemu-devel] [STABLE] [BUG] VNC mode can crash QEMU Mark McLoughlin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4A19A95A.2050801@mail.berlios.de \
    --to=weil@mail.berlios.de \
    --cc=qemu-devel@nongnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.