qemu-devel

Re: [PULL 13/14] ui: fix crash when there are no active_console


From: Daniel P . Berrangé
Subject: Re: [PULL 13/14] ui: fix crash when there are no active_console
Date: Tue, 12 Sep 2023 12:15:08 +0100
User-agent: Mutt/2.2.9 (2022-11-12)

On Tue, Sep 12, 2023 at 03:09:29PM +0400, Marc-André Lureau wrote:
> Hi
> 
> On Tue, Sep 12, 2023 at 3:01 PM Michael Tokarev <mjt@tls.msk.ru> wrote:
> >
> > 12.09.2023 13:46, marcandre.lureau@redhat.com wrote:
> > > From: Marc-André Lureau <marcandre.lureau@redhat.com>
> > >
> > > Thread 1 "qemu-system-x86" received signal SIGSEGV, Segmentation fault.
> > > 0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > 812       return con->hw_ops->ui_info != NULL;
> > > (gdb) bt
> > > #0  0x0000555555888630 in dpy_ui_info_supported (con=0x0) at ../ui/console.c:812
> > > #1  0x00005555558a44b1 in protocol_client_msg (vs=0x5555578c76c0, data=0x5555581e93f0 <incomplete sequence \373>, len=24) at ../ui/vnc.c:2585
> > > #2  0x00005555558a19ac in vnc_client_read (vs=0x5555578c76c0) at ../ui/vnc.c:1607
> > > #3  0x00005555558a1ac2 in vnc_client_io (ioc=0x5555581eb0e0, condition=G_IO_IN, opaque=0x5555578c76c0) at ../ui/vnc.c:1635
> > >
> > > Fixes:
> > > https://issues.redhat.com/browse/RHEL-2600
> >
> > FWIW, this link does not work for me (requires auth).
> 
> hmm, should be ok now.
> 
> >
> > Is there a commit which introduced this issue?
> 
> It was reported against v6.2 (2021). I think it was introduced with
> commit 763deea7e9 ("vnc: add support for extended desktop resize"),
> but it might have been reproducible earlier.

Since it's in a release, this probably ought to be tagged as a (denial
of service) CVE, since it enables a remote VNC client to crash the
whole VM. Fortunately it is only triggerable /after/ authentication
so the severity is relatively low.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
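
The failure mode in the backtrace above, as an added example that is not part of the thread and not QEMU's patch: a handler for a client-supplied message treats "no console" as a rejectable condition instead of dereferencing `con`. The struct layouts, `handle_resize_request`, `ui_info_supported_checked`, `accept_ui_info` and the `RESIZE_*` codes are hypothetical; only the `hw_ops->ui_info` member names come from the quoted gdb output.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the structures seen in the backtrace
 * (hypothetical layout, not QEMU's definitions). */
typedef struct HwOps {
    int (*ui_info)(void *opaque, int width, int height);
} HwOps;

typedef struct Console {
    const HwOps *hw_ops;
    void *opaque;
} Console;

/* Guarded check: a missing console or missing ops table means "not
 * supported" rather than a NULL dereference as in frame #0. */
static bool ui_info_supported_checked(const Console *con)
{
    if (con == NULL || con->hw_ops == NULL) {
        return false;
    }
    return con->hw_ops->ui_info != NULL;
}

enum { RESIZE_OK = 0, RESIZE_REJECTED = 1 };

/* Hypothetical handler for a resize request read from a client socket.
 * The input is remote-controlled, so the absence of an active console is
 * an expected state that yields an error reply, not an invariant. */
static int handle_resize_request(Console *active, int width, int height)
{
    if (width <= 0 || height <= 0 || !ui_info_supported_checked(active)) {
        return RESIZE_REJECTED;
    }
    return active->hw_ops->ui_info(active->opaque, width, height) == 0
               ? RESIZE_OK : RESIZE_REJECTED;
}

/* Constructed backend callback that accepts any size. */
static int accept_ui_info(void *opaque, int w, int h) { (void)opaque; (void)w; (void)h; return 0; }

int main(void)
{
    const HwOps ops = { .ui_info = accept_ui_info };
    Console con = { .hw_ops = &ops, .opaque = NULL };
    printf("no console: %d\n", handle_resize_request(NULL, 800, 600));
    printf("console:    %d\n", handle_resize_request(&con, 800, 600));
    return 0;
}
```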



