Bug 94318

Summary: virt-viewer double-free on sized-streams
Product: Spice
Reporter: Victor Toso <bugzilla>
Component: virt-viewer
Assignee: Victor Toso <bugzilla>
Status: RESOLVED MOVED
QA Contact:
Severity: normal
Priority: medium
CC: bugzilla
Version: unspecified
Hardware: Other
OS: Linux (All)
Whiteboard:
i915 platform:
i915 features:

Description Victor Toso 2016-02-27 14:54:41 UTC
While playing with patch [0] on rhel6 spice-server due to bug [1], virt-viewer had a double-free when messing with the guest stream size. Sadly, debug info was lacking, but I'll get back to it afterwards (just to not forget to file the bug).

##############################################################

*** Error in `/home/vtosodec/work/jhbuild/dev/bin/remote-viewer': free(): invalid next size (normal): 0x0000000004497d70 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77da5)[0x7ffff43bcda5]
/lib64/libc.so.6(+0x804fa)[0x7ffff43c54fa]
/lib64/libc.so.6(cfree+0x4c)[0x7ffff43c8cac]
/lib64/libglib-2.0.so.0(g_free+0xe)[0x7ffff4fff5ee]
/lib64/libspice-client-glib-2.0.so.8(+0x2aa8a)[0x7ffff4cb6a8a]
/lib64/libspice-client-glib-2.0.so.8(+0x2a842)[0x7ffff4cb6842]
/lib64/libglib-2.0.so.0(+0x4a893)[0x7ffff4ffa893]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x15a)[0x7ffff4ff9e3a]
/lib64/libglib-2.0.so.0(+0x4a1d0)[0x7ffff4ffa1d0]
/lib64/libglib-2.0.so.0(g_main_context_iteration+0x2c)[0x7ffff4ffa27c]
/lib64/libgio-2.0.so.0(g_application_run+0x1ec)[0x7ffff55e4a0c]
/home/vtosodec/work/jhbuild/dev/bin/remote-viewer(main+0x4a)[0x40f5ea]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7ffff4365580]
/home/vtosodec/work/jhbuild/dev/bin/remote-viewer(_start+0x29)[0x40f629]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
0x00007ffff4379a98 in raise () from /lib64/libc.so.6

##############################################################

thread apply all bt

Thread 5 (Thread 0x7fffd75f4700 (LWP 1284)):
#0  0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1  0x00007ffff22580b5 in handle_events () at /lib64/libusb-1.0.so.0
#2  0x00007ffff2259043 in libusb_handle_events_timeout_completed () at /lib64/libusb-1.0.so.0
#3  0x00007ffff225912f in libusb_handle_events () at /lib64/libusb-1.0.so.0
#4  0x00007ffff4cc4b50 in spice_usb_device_manager_usb_ev_thread () at /lib64/libspice-client-glib-2.0.so.8
#5  0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#6  0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#7  0x00007ffff4447a4d in clone () at /lib64/libc.so.6

Thread 4 (Thread 0x7fffd7df5700 (LWP 1281)):
#0  0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1  0x00007ffff225eb3c in linux_udev_event_thread_main () at /lib64/libusb-1.0.so.0
#2  0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#3  0x00007ffff4447a4d in clone () at /lib64/libc.so.6

Thread 3 (Thread 0x7fffdd642700 (LWP 1280)):
#0  0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1  0x00007ffff4ffa16c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2  0x00007ffff4ffa4f2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#3  0x00007ffff561b336 in gdbus_shared_thread_func () at /lib64/libgio-2.0.so.0
#4  0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5  0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#6  0x00007ffff4447a4d in clone () at /lib64/libc.so.6

Thread 2 (Thread 0x7fffdde43700 (LWP 1279)):
#0  0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1  0x00007ffff4ffa16c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2  0x00007ffff4ffa27c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#3  0x00007ffff4ffa2b9 in glib_worker_main () at /lib64/libglib-2.0.so.0
#4  0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5  0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#6  0x00007ffff4447a4d in clone () at /lib64/libc.so.6

Thread 1 (Thread 0x7ffff7ef3a80 (LWP 1275)):
#0  0x00007ffff4379a98 in raise () at /lib64/libc.so.6
#1  0x00007ffff437b69a in abort () at /lib64/libc.so.6
#2  0x00007ffff43bcdaa in  () at /lib64/libc.so.6
#3  0x00007ffff43c54fa in _int_free () at /lib64/libc.so.6
#4  0x00007ffff43c8cac in free () at /lib64/libc.so.6
#5  0x00007ffff4fff5ee in g_free () at /lib64/libglib-2.0.so.0
#6  0x00007ffff4cb6a8a in stream_mjpeg_data () at /lib64/libspice-client-glib-2.0.so.8
#7  0x00007ffff4cb6842 in display_stream_render () at /lib64/libspice-client-glib-2.0.so.8
#8  0x00007ffff4ffa893 in g_timeout_dispatch () at /lib64/libglib-2.0.so.0
#9  0x00007ffff4ff9e3a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#10 0x00007ffff4ffa1d0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#11 0x00007ffff4ffa27c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
Comment 1 GitLab Migration User 2018-06-05 14:19:29 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/spice/spice-gtk/issues/52.
