Message ID | 20230912104649.1638640-14-marcandre.lureau@redhat.com |
---|---|
State | New |
Series | [PULL,01/14] docs: vhost-user-gpu: add protocol changes for dmabuf modifiers |
12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
>
> Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> 812 return con->hw_ops->ui_info != NULL;
> (gdb) bt
> #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
>
> Fixes:
> https://issues.redhat.com/browse/RHEL-2600

FWIW, this link does not work for me (requires auth).
Is there a commit which introduced this issue?

Thanks,

/mjt
Hi

On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> >
> > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > 812 return con->hw_ops->ui_info != NULL;
> > (gdb) bt
> > #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> >
> > Fixes:
> > https://issues.redhat.com/browse/RHEL-2600
>
> FWIW, this link does not work for me (requires auth).

hmm, should be ok now.

>
> Is there a commit which introduced this issue?

It was reported against v6.2 (2021). I think it was introduced with
commit 763deea7e9 ("vnc: add support for extended desktop resize"),
but it might have been reproducible earlier.

thanks
On Tue, Sep 12, 2023 at 02:00:46PM +0300, Michael Tokarev wrote:
> 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> >
> > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > 812 return con->hw_ops->ui_info != NULL;
> > (gdb) bt
> > #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> >
> > Fixes:
> > https://issues.redhat.com/browse/RHEL-2600
>
> FWIW, this link does not work for me (requires auth).

This particular bug is marked as Red Hat employee access only, so
should be dropped from the commit message.

FWIW, it says in terms of reproducibility

Steps to reproduce

1. Boot up guest, but only add vnc device and without graphics device

/usr/libexec/qemu-kvm \
  -name guest=gg \
  -machine pc-q35-rhel8.6.0,kernel_irqchip=split \
  -cpu host \
  -m 8192 \
  -smp 4,maxcpus=4,cores=2,threads=1,dies=1,sockets=2 \
  -nodefaults \
  -boot menu=on \
  -device pcie-root-port,port=16,chassis=1,id=pci.1,bus=pcie.0,addr=0x2 \
  -blockdev '{"driver":"file","filename":"/home/kvm_autotest_root/images/rhel890-64-virtio-scsi.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
  -blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null}' \
  -device virtio-blk-pci,bus=pci.1,addr=0x0,drive=libvirt-1-format,id=virtio-disk0 \
  -enable-kvm \
  -monitor stdio \
  -vnc :0 \

2. Try to connect this guest

remote-viewer vnc://10.73.210.78:5900

3. About 10 seconds to trigger qemu core dump.

The trigger appears to be the lack of any VGA device hardware present,
despite having VNC enabled.

With regards,
Daniel
On Tue, Sep 12, 2023 at 03:09:29PM +0400, Marc-André Lureau wrote:
> Hi
>
> On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
> >
> > 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > >
> > > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > 812 return con->hw_ops->ui_info != NULL;
> > > (gdb) bt
> > > #0 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > #1 0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > > #2 0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > > #3 0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> > >
> > > Fixes:
> > > https://issues.redhat.com/browse/RHEL-2600
> >
> > FWIW, this link does not work for me (requires auth).
>
> hmm, should be ok now.
>
> >
> > Is there a commit which introduced this issue?
>
> It was reported against v6.2 (2021). I think it was introduced with
> commit 763deea7e9 ("vnc: add support for extended desktop resize"),
> but it might have been reproducible earlier.

Since it's in a release, this probably ought to be tagged as a (denial
of service) CVE, since it enables a remote VNC client to crash the whole
VM. Fortunately it is only triggerable /after/ authentication so the
severity is relatively low.

With regards,
Daniel
diff --git a/ui/console.c b/ui/console.c index da341f08da..aa1e09462c 100644 --- a/ui/console.c +++ b/ui/console.c @@ -806,6 +806,9 @@ bool dpy_ui_info_supported(QemuConsole *con) if (con == NULL) { con = active_console; } + if (con == NULL) { + return false; + } return con->hw_ops->ui_info != NULL; }
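Review bot: the new `if (con == NULL) { return false; }` guard sits right after the `con = active_console;` fallback, so it is the case where no console exists at all (VNC enabled with no graphics device, per the reproduction steps) that now reports "unsupported" instead of dereferencing NULL at the `con->hw_ops->ui_info` line in the backtrace; a one-line comment above the guard stating that `active_console` can legitimately be NULL in that configuration would tell the next reader why the check is there. The caller at `../ui/vnc.c:2585` (`protocol_client_msg`) is what hands in the NULL console, so consider whether that path should also skip the desktop-resize handling when it has no console rather than relying solely on the callee. As the thread notes, the `Fixes:` link is employee-only and should be replaced in the commit message with the introducing commit 763deea7e9 ("vnc: add support for extended desktop resize"), and since an authenticated remote VNC client can crash the VM, the CVE reference Daniel suggests belongs there too.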