From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@redhat.com>
Cc: "Philippe Mathieu-Daudé" <f4bug@amsat.org>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"qemu-devel@nongnu.org" <qemu-devel@nongnu.org>,
"Stefan Hajnoczi" <stefanha@redhat.com>
Subject: Re: [Qemu-devel] vnc: heap-use-after-free in vnc_client_io() after vnc_disconnect_finish()
Date: Thu, 19 Apr 2018 17:40:03 +0100
Message-ID: <20180419164003.GV10259@redhat.com>
In-Reply-To: <CAMxuvaz40mfpVRhy+GggTveNB+qvXG=sA+g=9w7RyjYAHktXDg@mail.gmail.com>
On Thu, Apr 19, 2018 at 06:37:12PM +0200, Marc-André Lureau wrote:
> Hi
>
> On Tue, Apr 17, 2018 at 7:52 PM, Philippe Mathieu-Daudé <f4bug@amsat.org> wrote:
> > running commit ce8d4082054519f2eaac39958edde502860a7fc6:
> >
> > qemu-system-mips -M malta -m 512 \
> > -kernel vmlinux-3.2.0-4-4kc-malta \
> > -append 'root=/dev/sda1 console=ttyS0' \
> > -hda debian_wheezy_mips_standard.qcow2 \
> > -redir tcp:5556::22 -serial stdio
> >
> > and connecting with "xtightvncviewer :0" I get when closing vnc:
>
> This is also true with other targets, ex:
> x86_64-softmmu/qemu-system-x86_64 -vnc :0
>
> Daniel, Gerd, are you looking at it? this looks like a 2.12 regression.
I've not had time to look at it - would be useful if someone can bisect
it at least if it's a regression since 2.11
>
> >
> > ==27686==ERROR: AddressSanitizer: heap-use-after-free on address
> > 0x63100003c814 at pc 0x55eed918362a bp 0x7ffdf5c36c80 sp 0x7ffdf5c36c78
> > READ of size 4 at 0x63100003c814 thread T0
> > #0 0x55eed9183629 in vnc_client_io /source/qemu/ui/vnc.c:1549
> > #1 0x55eed94ae26c in qio_channel_fd_source_dispatch
> > /source/qemu/io/channel-watch.c:84
> > #2 0x7f3e181860f4 in g_main_context_dispatch
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c0f4)
> > #3 0x55eed95b9799 in glib_pollfds_poll /source/qemu/util/main-loop.c:215
> > #4 0x55eed95b9989 in os_host_main_loop_wait
> > /source/qemu/util/main-loop.c:263
> > #5 0x55eed95b9b5f in main_loop_wait /source/qemu/util/main-loop.c:522
> > #6 0x55eed898f7dd in main_loop /source/qemu/vl.c:1943
> > #7 0x55eed89a1f0b in main /source/qemu/vl.c:4734
> > #8 0x7f3dfe094a86 in __libc_start_main
> > (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
> > #9 0x55eed8518db9 in _start
> > (/build/qemu/mips-softmmu/qemu-system-mips+0x14f3db9)
> >
> > 0x63100003c814 is located 20 bytes inside of 75744-byte region
> > [0x63100003c800,0x63100004efe0)
> > freed by thread T0 here:
> > #0 0x7f3e18b878c8 in __interceptor_free
> > (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
> > #1 0x55eed9181bb0 in vnc_disconnect_finish /source/qemu/ui/vnc.c:1278
> > #2 0x55eed9183225 in vnc_client_read /source/qemu/ui/vnc.c:1511
> > #3 0x55eed91835a9 in vnc_client_io /source/qemu/ui/vnc.c:1541
> > #4 0x55eed94ae26c in qio_channel_fd_source_dispatch
> > /source/qemu/io/channel-watch.c:84
> > #5 0x7f3e181860f4 in g_main_context_dispatch
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c0f4)
> >
> > previously allocated by thread T0 here:
> > #0 0x7f3e18b87df8 in calloc
> > (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9df8)
> > #1 0x7f3e1818b8b0 in g_malloc0
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x518b0)
> > #2 0x55eed9192aa0 in vnc_listen_io /source/qemu/ui/vnc.c:3186
> > #3 0x55eed94b9fd7 in qio_net_listener_channel_func
> > /source/qemu/io/net-listener.c:57
> > #4 0x55eed94ae26c in qio_channel_fd_source_dispatch
> > /source/qemu/io/channel-watch.c:84
> > #5 0x7f3e181860f4 in g_main_context_dispatch
> > (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4c0f4)
> >
> > SUMMARY: AddressSanitizer: heap-use-after-free
> > /source/qemu/ui/vnc.c:1549 in vnc_client_io
> > Shadow bytes around the buggy address:
> > 0x0c627ffff8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > 0x0c627ffff8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > 0x0c627ffff8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > 0x0c627ffff8e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > 0x0c627ffff8f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> > =>0x0c627ffff900: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
> > 0x0c627ffff910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> > 0x0c627ffff920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> > 0x0c627ffff930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> > 0x0c627ffff940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> > 0x0c627ffff950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> >
> > Shadow byte legend (one shadow byte represents 8 application bytes):
> > Heap left redzone: fa
> > Freed heap region: fd
> > ==26606==ABORTING
> >
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
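The AddressSanitizer report above pins the shape of the bug: the free happens inside vnc_client_read() (via vnc_disconnect_finish(), vnc.c:1278) while the caller vnc_client_io() then reads 4 bytes from the same VncState at vnc.c:1549. The following is an added example that is not QEMU code and not the fix that was eventually merged: it models that callback shape with made-up names (Client, client_read, io_handler_buggy, io_handler_fixed) and a tiny liveness registry standing in for ASan, so the stale access is counted rather than dereferenced. The hardened variant assumes one common remedy, a status return from the read path telling the caller the object is gone.

```c
/* Model of an I/O callback that may tear down its own state.
 * Hypothetical names; this is illustration, not QEMU's ui/vnc.c. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Client {
    int fd;              /* the socket the watch fires for */
    int in_len;          /* bytes pending in the input buffer */
    bool disconnecting;  /* set once the peer closed */
} Client;

/* Liveness registry standing in for AddressSanitizer: records which
 * Client objects are still allocated so a dangling access can be
 * counted instead of being undefined behaviour. */
#define MAX_TRACKED 8
static Client *g_live[MAX_TRACKED];
static int g_uaf_count;

static Client *client_alloc(int fd)
{
    Client *vs = calloc(1, sizeof *vs);
    vs->fd = fd;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!g_live[i]) { g_live[i] = vs; break; }
    }
    return vs;
}

static bool client_is_live(const Client *vs)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_live[i] == vs) return true;
    }
    return false;
}

/* Stands in for the disconnect_finish step: releases the client object. */
static void disconnect_finish(Client *vs)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_live[i] == vs) g_live[i] = NULL;
    }
    free(vs);
}

/* Every field read by the handlers goes through here, so a read of a
 * freed object is recorded (what ASan reports as heap-use-after-free). */
static int client_fd(Client *vs)
{
    if (!client_is_live(vs)) { g_uaf_count++; return -1; }
    return vs->fd;
}

/* Simulated socket read: 0 bytes means EOF, which tears the client down.
 * Returns -1 when it destroyed vs, otherwise the byte count. */
static int client_read(Client *vs, int bytes_available)
{
    if (bytes_available == 0) {
        vs->disconnecting = true;
        disconnect_finish(vs);   /* vs is dangling from here on */
        return -1;
    }
    vs->in_len += bytes_available;
    return bytes_available;
}

/* Buggy shape: after client_read() may have freed vs, the callback
 * still reads vs to decide what to do next. */
static int io_handler_buggy(Client *vs, int bytes_available)
{
    client_read(vs, bytes_available);
    return client_fd(vs);        /* use-after-free when bytes_available == 0 */
}

/* Hardened shape (assumed remedy): the read path reports that it
 * destroyed the client and the callback returns without touching vs. */
static int io_handler_fixed(Client *vs, int bytes_available)
{
    if (client_read(vs, bytes_available) < 0) {
        return -1;               /* vs was freed; do not dereference it */
    }
    return client_fd(vs);
}

/* Drives one handler through a normal read followed by an EOF and
 * returns how many stale accesses the registry observed. */
static int run_scenario(int (*handler)(Client *, int))
{
    g_uaf_count = 0;
    Client *vs = client_alloc(5);
    handler(vs, 16);   /* data arrives */
    handler(vs, 0);    /* peer closes: disconnect_finish() frees vs */
    return g_uaf_count;
}

int main(void)
{
    printf("buggy handler: %d stale access(es)\n", run_scenario(io_handler_buggy));
    printf("fixed handler: %d stale access(es)\n", run_scenario(io_handler_fixed));
    return 0;
}
```

The registry only compares pointer values, so the "buggy" path never actually dereferences freed memory; under a real build the equivalent read is exactly the 4-byte READ at vnc.c:1549 in the report. A bisect, as Daniel asks for, would tell whether the read-after-teardown was newly introduced in the 2.12 cycle or merely newly reachable.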
Thread overview:
2018-04-17 17:52 [Qemu-devel] vnc: heap-use-after-free in vnc_client_io() after vnc_disconnect_finish() Philippe Mathieu-Daudé
2018-04-19 16:37 ` Marc-André Lureau
2018-04-19 16:40 ` Daniel P. Berrangé [this message]
2018-04-20 0:39 ` Philippe Mathieu-Daudé
2018-04-20 2:24 ` Philippe Mathieu-Daudé