From: "Daniel P. Berrangé" <berrange@redhat.com>
To: Grant Millar | Cylo <rid@cylo.io>
Cc: qemu-devel@nongnu.org, qemu-trivial@nongnu.org
Subject: Re: [PATCH] ui/vnc: Fix NULL pointer dereference in vnc_disconnect_start
Date: Tue, 30 Sep 2025 11:46:50 +0100
Message-ID: <aNu1GnwmAOi0SOAm@redhat.com>
In-Reply-To: <CANdvy3dH9bBdopj_KUqaLD0Viq7uKn0jPObjqz6H7XvMgRnPrw@mail.gmail.com>
On Tue, Sep 30, 2025 at 10:35:01AM +0100, Grant Millar | Cylo wrote:
> From 0d1c4ac000a66ef22b4a0cd0c4bedd840192096a Mon Sep 17 00:00:00 2001
> From: Rid <rid@cylo.io>
> Date: Tue, 30 Sep 2025 10:23:58 +0100
> Subject: [PATCH] ui/vnc: Fix NULL pointer dereference in vnc_disconnect_start
>
> When a WebSocket connection fails during the handshake, vs->ioc can be
> NULL when vnc_disconnect_start() is called, leading to a segmentation
> fault when qio_channel_close() tries to dereference it.
>
> This can be reproduced by sending incomplete HTTP requests to the
> WebSocket port:
>
> for i in {1..100}; do
> (echo -n "GET / HTTP/1.1" && sleep 0.05) | nc -w 1 <IP> <PORT> &
> done
>
> Add a NULL check before calling qio_channel_close() to prevent the crash.
>
> Signed-off-by: Rid <rid@cylo.io>
> ---
> ui/vnc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/ui/vnc.c b/ui/vnc.c
> index 77c823bf2e..1669ed1b80 100644
> --- a/ui/vnc.c
> +++ b/ui/vnc.c
> @@ -1301,7 +1301,9 @@ static void vnc_disconnect_start(VncState *vs)
> g_source_remove(vs->ioc_tag);
> vs->ioc_tag = 0;
> }
> - qio_channel_close(vs->ioc, NULL);
> + if (vs->ioc) {
> + qio_channel_close(vs->ioc, NULL);
> + }
> vs->disconnecting = TRUE;
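Review bot: the `if (vs->ioc)` guard added around `qio_channel_close()` only suppresses the crash and does not address why `vs->ioc` is NULL at this point: the reply explains that the websocket channel leaves its GSource registered after close, so the callback runs on a `VncState` that has already been freed, and a NULL `vs->ioc` is what that use-after-free happens to yield. With the guard in place, `vnc_disconnect_start()` still proceeds to `vs->disconnecting = TRUE` on freed memory. The fix belongs in `QIOChannelWebsock`: remove the GSource when the channel is closed, so the callback can never fire for a disconnected client; the hunk's `g_source_remove(vs->ioc_tag); vs->ioc_tag = 0;` lines show the pattern the channel itself should follow.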
The NULL here is just a symptom of a bigger problem earlier on and
thus the wrong thing to fix.

The QIOChannelWebsock is not unregistering the GSource callback when
it is closed. So we have closed the QIOChannel client connection,
freed the VncState struct, but still have a (now closed) FD registered
with the event loop for poll(). This eventually triggers the callback
which does a use-after-free on VncState which happens to not crash,
but returns a NULL QIOChannel which is passed to vnc_disconnect_start.

We need to fix QIOChannelWebsock to remove the GSource.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
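The lifecycle bug Daniel describes, as an added example that is not QEMU code: a tiny event-loop model in which a channel registers a poll source and either leaves it registered on close (the bug) or removes it first (the fix). The names `loop_t`, `chan_t`, `loop_add`, `loop_remove` and `stale_callbacks_after_close` are hypothetical stand-ins for the GSource/QIOChannel machinery.

```c
/* Added example, not QEMU code: a minimal event-loop model of the
 * "GSource left registered after close" bug. A channel registers a
 * poll source for its fd; if close does not unregister it, the loop
 * still dispatches a callback for a connection that is already gone,
 * which in QEMU becomes a use-after-free on the freed VncState.
 * All names here are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>

#define MAX_SRC 8

typedef struct loop loop_t;
typedef struct { loop_t *loop; int fd; unsigned tag; } chan_t;
typedef struct { bool live; chan_t *owner; } source_t;
struct loop { source_t s[MAX_SRC]; };

/* Register a source for the channel; returns a non-zero tag (like ioc_tag). */
static unsigned loop_add(loop_t *l, chan_t *owner) {
    for (unsigned i = 0; i < MAX_SRC; i++)
        if (!l->s[i].live) { l->s[i] = (source_t){ true, owner }; return i + 1; }
    return 0;
}
static void loop_remove(loop_t *l, unsigned tag) {
    if (tag) l->s[tag - 1].live = false;
}
/* One dispatch pass: count callbacks the loop would fire for a
 * source whose owning channel no longer has an open fd. */
int loop_dispatch_stale(loop_t *l) {
    int stale = 0;
    for (unsigned i = 0; i < MAX_SRC; i++)
        if (l->s[i].live && l->s[i].owner->fd < 0) stale++;
    return stale;
}
/* Buggy close: the fd goes away but the source stays registered. */
void chan_close_buggy(chan_t *c) { c->fd = -1; }
/* Fixed close: unregister first, then drop the fd, which is the same
 * order vnc_disconnect_start already uses for vs->ioc_tag. */
void chan_close_fixed(chan_t *c) {
    loop_remove(c->loop, c->tag);
    c->tag = 0;
    c->fd = -1;
}
/* Connect one client (constructed fd 7), close it, run one dispatch. */
int stale_callbacks_after_close(bool fixed) {
    loop_t loop = {0};
    chan_t ch = { &loop, 7, 0 };
    ch.tag = loop_add(&loop, &ch);
    if (fixed) chan_close_fixed(&ch); else chan_close_buggy(&ch);
    return loop_dispatch_stale(&loop);   /* buggy: 1, fixed: 0 */
}
```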