Re: [PATCH] ui/vnc: Fix NULL pointer dereference in vnc_disconnect_start

["Grant Millar | Cylo" <rid@cylo.io>]

Sure, no problem. This is on 10.0.3 (Debian 1:10.0.3+ds-0+deb13u1).

Sometimes I have to run the reproducer a few times for the race
condition to occur.

#0  object_get_class (obj=obj@entry=0x0) at qom/object.c:1043
#1  0x0000556a3b671655 in QIO_CHANNEL_GET_CLASS (obj=0x0) at
./include/io/channel.h:29
#2  qio_channel_close (ioc=0x0, errp=0x0) at io/channel.c:380
#3  0x0000556a3b2036d9 in vnc_disconnect_start (vs=0x556a463d96a0) at
ui/vnc.c:1310
#4  0x0000556a3b2063d5 in vnc_disconnect_start (vs=0x556a463d96a0) at
ui/vnc.c:1398
#5  0x0000556a3b21b096 in vncws_handshake_done (task=<optimized out>,
user_data=0x556a463d96a0) at ui/vnc-ws.c:105
#6  0x0000556a3b673f54 in qio_task_complete (task=0x556a469a7fc0) at
io/task.c:197
#7  0x0000556a3b670a50 in qio_channel_websock_handshake_io
(ioc=0x556a45ec60e0, condition=<optimized out>,
user_data=0x556a469a7fc0) at io/channel-websock.c:588
#8  0x00007f4f6dca9385 in ??? () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#9  0x00007f4f6dcabc78 in g_main_context_dispatch () at
/lib/x86_64-linux-gnu/libglib-2.0.so.0
#10 0x0000556a3b8015b8 in glib_pollfds_poll () at util/main-loop.c:287
#11 os_host_main_loop_wait (timeout=0) at util/main-loop.c:310
#12 main_loop_wait (nonblocking=nonblocking@entry=0) at util/main-loop.c:589
#13 0x0000556a3b44b360 in qemu_main_loop () at system/runstate.c:835
#14 0x0000556a3b746cb0 in qemu_default_main (opaque=opaque@entry=0x0)
at system/main.c:50
#15 0x0000556a3b1b4319 in main (argc=<optimized out>, argv=<optimized
out>) at system/main.c:80

On Tue, 30 Sept 2025 at 11:38, Marc-André Lureau
<marcandre.lureau@gmail.com> wrote:
>
> Hi
>
> On Tue, Sep 30, 2025 at 1:59 PM Grant Millar | Cylo <rid@cylo.io> wrote:
> >
> > From 0d1c4ac000a66ef22b4a0cd0c4bedd840192096a Mon Sep 17 00:00:00 2001
> > From: Rid <rid@cylo.io>
> > Date: Tue, 30 Sep 2025 10:23:58 +0100
> > Subject: [PATCH] ui/vnc: Fix NULL pointer dereference in vnc_disconnect_start
> >
> > When a WebSocket connection fails during the handshake, vs->ioc can be
> > NULL when vnc_disconnect_start() is called, leading to a segmentation
> > fault when qio_channel_close() tries to dereference it.
> >
> > This can be reproduced by sending incomplete HTTP requests to the
> > WebSocket port:
> >
> >   for i in {1..100}; do
> >     (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 <IP> <PORT> &
> >   done
> >
>
> I tried to reproduce without success.
>
> Could you provide a backtrace?
>
> > Add a NULL check before calling qio_channel_close() to prevent the crash.
> >
> > Signed-off-by: Rid <rid@cylo.io>
>
> Your mail is not properly formatted. git am fails.
> https://www.qemu.org/docs/master/devel/submitting-a-patch.html
>
>
> thanks
>
> > ---
> >  ui/vnc.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/ui/vnc.c b/ui/vnc.c
> > index 77c823bf2e..1669ed1b80 100644
> > --- a/ui/vnc.c
> > +++ b/ui/vnc.c
> > @@ -1301,7 +1301,9 @@ static void vnc_disconnect_start(VncState *vs)
> >          g_source_remove(vs->ioc_tag);
> >          vs->ioc_tag = 0;
> >      }
> > -    qio_channel_close(vs->ioc, NULL);
> > +    if (vs->ioc) {
> > +        qio_channel_close(vs->ioc, NULL);
> > +    }
> >      vs->disconnecting = TRUE;
> >  }
> >
> > --
> > 2.39.5
> >
>
>
> --
> Marc-André Lureau