Bug 47574 - spice-gtk crash (parsing new VM name message)
Summary: spice-gtk crash (parsing new VM name message)
Status: RESOLVED FIXED
Alias: None
Product: Spice
Classification: Unclassified
Component: spice-gtk
Version: unspecified
Hardware: x86-64 (AMD64) Linux (All)
Importance: medium major
Assignee: Spice Bug List
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-20 05:29 UTC by Yaniv Kaul
Modified: 2013-04-10 15:34 UTC

See Also:



Description Yaniv Kaul 2012-03-20 05:29:20 UTC
Using spice-gtk b9b658f6ea41a2473853149b41fef2cb808ec4f2
spice 914e50814f151a9a5680018e2f264fd900885af9
qemu 33cf629a3754b58a1e2dbbe01d91d97e712b7c06

[ykaul@ykaul spice-gtk]$ gtk/spicy &
[1] 29428
[ykaul@ykaul spice-gtk]$ GSpice-Message: main channel: failed to connect
GSpice-Message: main channel: opened
*** buffer overflow detected ***: /home/ykaul/spice-gtk/gtk/.libs/lt-spicy terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3016308af7]
/lib64/libc.so.6[0x3016306a70]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0xcc565)[0x7fab05146565]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0x194ac)[0x7fab050934ac]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0x1a3a9)[0x7fab050943a9]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0x176b4)[0x7fab050916b4]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0xc6d1f)[0x7fab05140d1f]
/home/ykaul/spice-gtk/gtk/.libs/libspice-client-glib-2.0.so.1(+0xc6ab6)[0x7fab05140ab6]
/lib64/libc.so.6[0x30162470d0]



Running with gdb:

(gdb) bt
#0  0x0000003016236285 in raise () from /lib64/libc.so.6
#1  0x0000003016237b9b in abort () from /lib64/libc.so.6
#2  0x0000003016277a7e in __libc_message () from /lib64/libc.so.6
#3  0x0000003016308af7 in __fortify_fail () from /lib64/libc.so.6
#4  0x0000003016306a70 in __chk_fail () from /lib64/libc.so.6
#5  0x00007fc24a3b4565 in memcpy (__len=9, __src=<optimized out>, __dest=0x1dfd6a4) at /usr/include/bits/string3.h:52
#6  parse_msg_main_name (message_start=<optimized out>, message_end=0x1dbbe7d "", minor=<optimized out>, size=0x1e68500,
    free_message=0x1e68508) at generated_demarshallers.c:1155
#7  0x00007fc24a3014ac in spice_channel_recv_msg (channel=0x1e32860, msg_handler=0x7fc24a30f850 <spice_main_handle_msg>, data=0x0)
    at spice-channel.c:1827
#8  0x00007fc24a3023a9 in spice_channel_iterate_read (channel=0x1e32860) at spice-channel.c:2000
#9  spice_channel_iterate_read (channel=0x1e32860) at spice-channel.c:1984
#10 0x00007fc24a2ff6b4 in spice_channel_iterate (channel=0x1e32860) at spice-channel.c:2058
#11 spice_channel_coroutine (data=0x1e32860) at spice-channel.c:2211
#12 0x00007fc24a3aed1f in coroutine_trampoline (cc=0x1e32918) at coroutine_ucontext.c:56
#13 0x00007fc24a3aeab6 in continuation_trampoline (i0=<optimized out>, i1=<optimized out>) at continuation.c:49
#14 0x00000030162470d0 in ?? () from /lib64/libc.so.6


The trace hints that it's the name that is being sent. The name (from a Wireshark capture) seems like:
len = 9  (uint32)
name = TinyCore\0  (ASCII?!)


qemu command line:

./x86_64-softmmu/qemu-system-x86_64 -spice port=6901,disable-ticketing,jpeg-wan-compression=always,zlib-glz-wan-compression=always,playback-compression=on -k en-us -name Tinycore -boot d -drive file=~/tc.qcow2,if=ide,cache=writethrough,media=disk,format=qcow2 -drive file=~/Downloads/TinyCore-current.iso,if=ide,media=cdrom -soundhw pcspk -m 1024 -cpu core2duo,+x2apic -smp 2 -balloon none -bios /usr/share/seabios/bios.bin -monitor stdio --parallel none -vga qxl
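The message layout recovered above (a uint32 length followed by the name bytes) parsed defensively, as an added example in C. This is not spice-gtk's generated demarshaller and not code from the reporter: the function names, return codes and the sample messages are mine, constructed from the values in the report (len = 9, name = "TinyCore\0"), and the little-endian byte order of the length field is an assumption about the wire format. The point it shows is the check that the crash above lacks: both lengths the peer controls are compared against message_end and against the destination size before any memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes of the hardened parser (names are mine, not spice-gtk's). */
enum {
    NAME_OK               =  0,
    NAME_ERR_SHORT_HEADER = -1,   /* fewer than 4 bytes: no room for name_len */
    NAME_ERR_TRUNCATED    = -2,   /* name_len claims more bytes than are on the wire */
    NAME_ERR_TOO_LONG     = -3    /* name does not fit the caller's buffer */
};

/* Little-endian uint32 read that does not assume alignment (byte order assumed). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse the body of the main-channel name message as the report describes it:
 * uint32 name_len, followed by name_len bytes of name. Both lengths that the
 * peer controls are checked against message_end and against out_cap before
 * the memcpy, so a hostile or buggy server gets an error code, not an abort.
 */
int parse_main_name(const uint8_t *message_start, const uint8_t *message_end,
                    char *out, size_t out_cap, uint32_t *name_len_out)
{
    if (message_end < message_start ||
        (size_t)(message_end - message_start) < sizeof(uint32_t))
        return NAME_ERR_SHORT_HEADER;

    uint32_t name_len = rd_le32(message_start);
    const uint8_t *name = message_start + sizeof(uint32_t);
    size_t remaining = (size_t)(message_end - name);

    if (name_len > remaining)                 /* length field lies about the payload */
        return NAME_ERR_TRUNCATED;
    if (out_cap == 0 || name_len >= out_cap)  /* leave room for the terminator */
        return NAME_ERR_TOO_LONG;

    memcpy(out, name, name_len);
    out[name_len] = '\0';                     /* never rely on the peer sending a NUL */
    if (name_len_out)
        *name_len_out = name_len;
    return NAME_OK;
}

/* Constructed sample messages (little-endian length, then the name bytes). */
/* The values from the report: len = 9, name = "TinyCore\0". */
static const uint8_t SAMPLE_GOOD[] = {
    0x09, 0x00, 0x00, 0x00, 'T', 'i', 'n', 'y', 'C', 'o', 'r', 'e', 0x00
};
/* Claims 100 bytes of name but carries only 9. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x64, 0x00, 0x00, 0x00, 'T', 'i', 'n', 'y', 'C', 'o', 'r', 'e', 0x00
};
/* Consistent on the wire (20 bytes), but longer than the 16-byte destination. */
static const uint8_t SAMPLE_OVERSIZE[] = {
    0x14, 0x00, 0x00, 0x00,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'
};
/* Too short to even hold name_len. */
static const uint8_t SAMPLE_SHORT[] = { 0x09, 0x00 };

/* Small fixed destination, standing in for the demarshalled struct's field. */
static char g_name[16];

/* Parse one sample into g_name; returns the parser's code. */
int demo_parse(const uint8_t *msg, size_t msg_len)
{
    memset(g_name, 0, sizeof g_name);
    return parse_main_name(msg, msg + msg_len, g_name, sizeof g_name, NULL);
}

int main(void)
{
    printf("good:      %d (%s)\n", demo_parse(SAMPLE_GOOD, sizeof SAMPLE_GOOD), g_name);
    printf("truncated: %d\n", demo_parse(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversize:  %d\n", demo_parse(SAMPLE_OVERSIZE, sizeof SAMPLE_OVERSIZE));
    printf("short:     %d\n", demo_parse(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The ordering of the two checks matters: the wire-length check comes first so that a message whose length field exceeds what was actually received is rejected before the destination size is even consulted, and the terminator is written by the parser rather than trusted from the peer.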
Comment 1 Marc-Andre Lureau 2012-03-20 13:45:11 UTC
I sent a patch to the ML.

This is enough, although I wish the demarshaller wouldn't crash.

-       uint8 name[name_len];
+       uint8 name[name_len] @end;
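Review bot: the hunk changes only the field annotation in the protocol description, and no bounds check on name_len is visible anywhere in this change; confirm that the generated parse_msg_main_name (frame #6 in the backtrace) rejects a name_len larger than message_end minus the current position before the memcpy in frame #5, since a remote peer controls that length and a FORTIFY abort of the client is still a remotely triggered crash, which is the point the comment above already makes. If the generator does not emit that check for @end arrays, it should, so that a malformed name message returns an error instead of terminating spicy.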

