
[PULL,13/14] ui: fix crash when there are no active_console

Message ID 20230912104649.1638640-14-marcandre.lureau@redhat.com
State New
Series [PULL,01/14] docs: vhost-user-gpu: add protocol changes for dmabuf modifiers

Commit Message

Marc-André Lureau Sept. 12, 2023, 10:46 a.m. UTC
From: Marc-André Lureau <marcandre.lureau@redhat.com>

Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
812	    return con->hw_ops->ui_info != NULL;
(gdb) bt
#0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
#1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
#2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
#3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635

Fixes:
https://issues.redhat.com/browse/RHEL-2600

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
Reviewed-by: Albert Esteve <aesteve@redhat.com>
---
 ui/console.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Michael Tokarev Sept. 12, 2023, 11 a.m. UTC | #1
12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> From: Marc-André Lureau <marcandre.lureau@redhat.com>
> 
> Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> 812	    return con->hw_ops->ui_info != NULL;
> (gdb) bt
> #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> 
> Fixes:
> https://issues.redhat.com/browse/RHEL-2600

FWIW, this link does not work for me (requires auth).

Is there a commit which introduced this issue?

Thanks,

/mjt
Marc-André Lureau Sept. 12, 2023, 11:09 a.m. UTC | #2
Hi

On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
>
> 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> >
> > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > 812       return con->hw_ops->ui_info != NULL;
> > (gdb) bt
> > #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> >
> > Fixes:
> > https://issues.redhat.com/browse/RHEL-2600
>
> FWIW, this link does not work for me (requires auth).

hmm, should be ok now.

>
> Is there a commit which introduced this issue?

It was reported against v6.2 (2021). I think it was introduced with
commit 763deea7e9 ("vnc: add support for extended desktop resize"),
but it might have been reproducible earlier.

thanks
Daniel P. Berrangé Sept. 12, 2023, 11:09 a.m. UTC | #3
On Tue, Sep 12, 2023 at 02:00:46PM +0300, Michael Tokarev wrote:
> 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > 
> > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > 812	    return con->hw_ops->ui_info != NULL;
> > (gdb) bt
> > #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> > 
> > Fixes:
> > https://issues.redhat.com/browse/RHEL-2600
> 
> FWIW, this link does not work for me (requires auth).

This particular bug is marked as Red Hat employee access only, so
should be dropped from the commit message.

FWIW, it says in terms of reproducibility

Steps to reproduce
1. Boot up guest, but only add vnc device and without graphics device
/usr/libexec/qemu-kvm \
-name guest=gg \
-machine pc-q35-rhel8.6.0,kernel_irqchip=split \
-cpu host \
-m 8192 \
-smp 4,maxcpus=4,cores=2,threads=1,dies=1,sockets=2  \
-nodefaults \
-boot menu=on \
-device pcie-root-port,port=16,chassis=1,id=pci.1,bus=pcie.0,addr=0x2 \
-blockdev '{"driver":"file","filename":"/home/kvm_autotest_root/images/rhel890-64-virtio-scsi.qcow2","node-name":"libvirt-1-storage","auto-read-only":true,"discard":"unmap"}' \
-blockdev '{"node-name":"libvirt-1-format","read-only":false,"driver":"qcow2","file":"libvirt-1-storage","backing":null}' \
-device virtio-blk-pci,bus=pci.1,addr=0x0,drive=libvirt-1-format,id=virtio-disk0 \
-enable-kvm \
-monitor stdio \
-vnc :0 \

2. Try to connect this guest
remote-viewer vnc://10.73.210.78:5900

3. About 10 seconds to trigger qemu core dump.


The trigger appears to be the lack of any VGA device hardware
present, despite having VNC enabled.

With regards,
Daniel
Daniel P. Berrangé Sept. 12, 2023, 11:15 a.m. UTC | #4
On Tue, Sep 12, 2023 at 03:09:29PM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
> >
> > 12.09.2023 13:46, marcandre.lureau@redhat.com writes:
> > > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > >
> > > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > 812       return con->hw_ops->ui_info != NULL;
> > > (gdb) bt
> > > #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > > #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > > #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> > >
> > > Fixes:
> > > https://issues.redhat.com/browse/RHEL-2600
> >
> > FWIW, this link does not work for me (requires auth).
> 
> hmm, should be ok now.
> 
> >
> > Is there a commit which introduced this issue?
> 
> It was reported against v6.2 (2021). I think it was introduced with
> commit 763deea7e9 ("vnc: add support for extended desktop resize"),
> but it might have been reproducible earlier.

Since it's in a release, this probably ought to be tagged as a (denial
of service) CVE, since it enables a remote VNC client to crash the
whole VM. Fortunately it is only triggerable /after/ authentication
so the severity is relatively low.

With regards,
Daniel

Patch

diff --git a/ui/console.c b/ui/console.c
index da341f08da..aa1e09462c 100644
--- a/ui/console.c
+++ b/ui/console.c
@@ -806,6 +806,9 @@  bool dpy_ui_info_supported(QemuConsole *con)
     if (con == NULL) {
         con = active_console;
     }
+    if (con == NULL) {
+        return false;
+    }
 
     return con->hw_ops->ui_info != NULL;
 }
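Review bot: The added guard is correct but undocumented; a one-line comment above the new `if (con == NULL)` saying when `active_console` can legitimately be NULL (a VM started with `-vnc` but no graphics device, per the thread) would tell future readers why the function must not assume a console exists, since the remaining line dereferences `con->hw_ops` unconditionally. Returning `false` rather than asserting is the right choice at this spot because the call is reachable from client-supplied VNC messages (`protocol_client_msg` in the backtrace), so an assert would only turn the segfault into an abort. The `if (con == NULL) { con = active_console; }` fallback visible in the context lines is a common pattern in this file; it is worth checking whether sibling dpy_* helpers that use the same fallback need the same NULL guard.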