From: "Daniel P. Berrangé" <berrange@redhat.com>
To: "Marc-André Lureau" <marcandre.lureau@gmail.com>
Cc: Michael Tokarev <mjt@tls.msk.ru>,
qemu-devel@nongnu.org, stefanha@redhat.com,
Gerd Hoffmann <kraxel@redhat.com>
Subject: Re: [PULL 13/14] ui: fix crash when there are no active_console
Date: Tue, 12 Sep 2023 12:15:08 +0100 [thread overview]
Message-ID: <ZQBIPKuj8x/fTUqQ@redhat.com> (raw)
In-Reply-To: <CAJ+F1CKUnK_J0CKYhogeS5JyEFTOShKTnWRqC-Ppia+TMjoZFg@mail.gmail.com>
On Tue, Sep 12, 2023 at 03:09:29PM +0400, Marc-André Lureau wrote:
> Hi
>
> On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
> >
> > 12.09.2023 13:46, marcandre.lureau@redhat.com wrote:
> > > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > >
> > > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > 812 return con->hw_ops->ui_info != NULL;
> > > (gdb) bt
> > > #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > > #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > > #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> > >
> > > Fixes:
> > > https://issues.redhat.com/browse/RHEL-2600
> >
> > FWIW, this link does not work for me (requires auth).
>
> hmm, should be ok now.
>
> >
> > Is there a commit which introduced this issue?
>
> It was reported against v6.2 (2021). I think it was introduced with
> commit 763deea7e9 ("vnc: add support for extended desktop resize"),
> but it might have been reproducible earlier.
Since it's in a release, this probably ought to be tagged as a (denial
of service) CVE, since it enables a remote VNC client to crash the
whole VM. Fortunately it is only triggerable /after/ authentication,
so the severity is relatively low.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
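As an added illustration (not code from the patch, the thread or QEMU itself): the unconditional dereference behind `console.c:812` in the backtrace next to a variant that treats a missing console as "UI info unsupported", so the VNC handler refuses the request instead of faulting. The struct and function names are assumptions modelled on the trace, and the checked variant is an assumed fix shape, not the merged commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins for QEMU's console types (assumption: shaped after the
 * backtrace, not copied from QEMU headers). */
typedef struct GraphicHwOps {
    int (*ui_info)(void *opaque, uint32_t head, void *info);
} GraphicHwOps;

typedef struct QemuConsole {
    const GraphicHwOps *hw_ops;
} QemuConsole;

/* Mirrors the line in the trace: con is dereferenced unconditionally,
 * so con == NULL (no active console) is a NULL-pointer crash. */
static bool dpy_ui_info_supported_unchecked(const QemuConsole *con)
{
    return con->hw_ops->ui_info != NULL;
}

/* Checked variant (assumed fix shape): no console, or no hw_ops, simply
 * means the UI-info capability is not available. */
static bool dpy_ui_info_supported_checked(const QemuConsole *con)
{
    if (con == NULL || con->hw_ops == NULL) {
        return false;
    }
    return con->hw_ops->ui_info != NULL;
}

/* Constructed hw_ops tables: one backend advertises ui_info, one does not. */
static int fake_ui_info(void *opaque, uint32_t head, void *info)
{
    (void)opaque; (void)head; (void)info;
    return 0;
}
static const GraphicHwOps ops_with_ui_info = { .ui_info = fake_ui_info };
static const GraphicHwOps ops_without_ui_info = { .ui_info = NULL };

/* Models the decision the VNC client-message handler makes for an
 * extended desktop resize request against the current console (which
 * may be absent). Returns a verdict string so callers can check it. */
static const char *handle_resize_request(const QemuConsole *active_console)
{
    if (!dpy_ui_info_supported_checked(active_console)) {
        return "rejected";   /* capability absent or no console: no deref */
    }
    return "accepted";
}
```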