From: Stefan Weil
Date: Sun, 24 May 2009 22:08:58 +0200
Subject: [Qemu-devel] [STABLE] [BUG] VNC mode can crash QEMU
To: QEMU Developers
Message-ID: <4A19A95A.2050801@mail.berlios.de>

Hello,

this scenario crashes the latest QEMU HEAD on Windows (Linux users,
please note that the bug is not Windows related, so don't stop reading!):

* run qemu.exe -vnc :0
* connect using UltraVnc
* select fuzzy screen mode in UltraVnc
=> segfault of qemu.exe

The crash is caused by VNC protocols which are unsupported by QEMU -
in my case it was the fuzzy screen mode protocol.

These protocols trigger a call stack which releases the VncState vs:

    qemu_free(vs)
    vnc_client_io_error(vs, ...)
    vnc_client_error(vs, ...)
    protocol_client_msg(vs, ...)
    vnc_client_read
    main_loop_wait
    main_loop

The default handlers for unimplemented protocols in protocol_client_msg
call vnc_client_error which finally calls qemu_free for the current
VncState vs. vs is then used in protocol_client_msg and vnc_client_read
although it is no longer valid.

On Windows, this results in a crash, for other host platforms, the result
depends on implementation details of the C library. In any case, access
to a data structure after a free() is a bug.

The same bug seems to exist in the stable branch (not tested, I only had
a look into the code vnc.c).

I don't see a simple way to patch this, so I leave the bug fixing to the
VNC experts and the QEMU maintainers.

Regards
Stefan Weil
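The use-after-free described in the report comes from a callee (vnc_client_error) freeing a structure that its callers still hold. The following added example, written for this page and not taken from QEMU's vnc.c, models that call chain with hypothetical names and shows the usual mitigation: the error path only marks the state as closing, and the single owner (the read handler) frees it once and clears the caller's pointer, so no frame above can touch freed memory.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical stand-in for QEMU's VncState: only what the example needs. */
typedef struct VncState {
    int closing;          /* error path sets this instead of freeing */
    size_t consumed;      /* bytes the last message handler accepted */
} VncState;

static int vnc_frees;     /* number of releases, checked by the test */

static VncState *vnc_state_new(void) {
    return calloc(1, sizeof(VncState));
}

/* Error path: flag the client as dead. The caller that owns vs frees it,
 * so no function deeper in the call stack can leave a dangling pointer. */
static void vnc_client_error(VncState *vs) {
    vs->closing = 1;
}

/* Parses one RFB client message; returns 0 on success, -1 when the
 * connection must be dropped (unsupported message type, as in the report). */
static int protocol_client_msg(VncState *vs, const uint8_t *data, size_t len) {
    if (len == 0) return 0;
    switch (data[0]) {
    case 0: vs->consumed = 20; return 0;        /* SetPixelFormat */
    case 3: vs->consumed = 10; return 0;        /* FramebufferUpdateRequest */
    default:
        vnc_client_error(vs);                   /* unknown type: mark, don't free */
        return -1;                              /* tell the caller to stop */
    }
}

/* Read handler and owner of vs: frees it once and clears the caller's
 * pointer, so nothing above this frame can use the freed state. */
static int vnc_client_read(VncState **vsp, const uint8_t *data, size_t len) {
    VncState *vs = *vsp;
    int rc = protocol_client_msg(vs, data, len);
    if (rc < 0 || vs->closing) {
        free(vs);
        vnc_frees++;
        *vsp = NULL;
        return -1;
    }
    return 0;
}
```

The same discipline applies to any handler chain where a deep callee can decide to tear down a connection: return a status up the stack and let the owner free, or defer the free to the main loop after the handler returns.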