QEMU

Segfault with custom vnc client

Bug #1484925 reported by Uli Stärk on 2015-08-14

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	QEMU	Expired	Undecided	Unassigned

Bug Description

Hey,

I'm using Citrix XenServer 6.5. I worte a script that uses noVNC to connect to the rfb console via xapi. When I use GRML and try to boot it, the QEMU process segfaults and kills my VM. This happens when the screen resizes and the kernel is loading:

recvfrom(3, "\3\1\0\0\0\0\2\200\1\220\3\0\2\200\0\0\0P\1\220", 4096, 0, NULL, NULL) = 20
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0xb28000} ---

I can see in the child process the following message, right before the parent Segfaults:
read(4, "cirrus: blanking the screen line_offset=0 height=480\n", 53) = 53

This issue only happens, when I have my custom php/novnc-client connected. I also tried the nodejs/novnc package from xen-orchestra - same result. Using the stock client from Citrix XenCenter it works just fine. So I think it is related to noVNC. I hope this is just a bug and not exploitable to force a VM to crash or execute code.

XenServer launches the qemu with the following command line:

qemu-dm-25 --syslog -d 25 -m 2048 -boot dc -serial pty -vcpus 1 -videoram 4 -vncunused -k en-us -vnc 127.0.0.1:1 -usb -usbdevice tablet -net nic,vlan=0,macaddr=8a:43:e2:b1:57:df,model=rtl8139 -net tap,vlan=0,bridge=xenbr0,ifname=tap25.0 -acpi -monitor pty

XenServer 6.5 is using the following version:
# /usr/lib64/xen/bin/qemu-dm -help
QEMU PC emulator version 0.10.2, Copyright (c) 2003-2008 Fabrice Bellard

Greetings
Uli Stärk

Revision history for this message

Daniel Berrange (berrange) wrote on 2015-08-14:

Can you attach GDB to your qemu-dm process and attempt to capture a full stack trace when it crashes (ie thread apply all backtrace)

Revision history for this message

Dubravko (dsever) wrote on 2015-10-01:

Hi,

Did you resolve your problem? Because I have the same issus..

Dubravko

Revision history for this message

Uli Stärk (ulistaerk) wrote on 2015-10-02:

No, sorry. I've stopped researching this issue.

Revision history for this message

Dr. David Alan Gilbert (dgilbert-h) wrote on 2015-10-02:

Dubravko: can you get a good backtrace from your crash?

Revision history for this message

Plam (lambert-olivier) wrote on 2015-10-02:

Hi,

Xen Orchestra project leader here. Exactly the same problem with noVNC + qemu-dm.

I assume there is maybe an invalid param from noVNC somewhere, but crashing the process is not really expected.

The bug is also reported at Citrix (see https://bugs.xenserver.org/browse/XSO-381)

I don't know how to give you more info, if you have some commands to use to help you, tell me :)

Revision history for this message

Thomas Huth (th-huth) wrote on 2016-11-21:

QEMU 0.10 is pretty much outdated nowadays... can you reproduce this issue with the latest version of QEMU, and if so, provide a backtrace of the crash?

Changed in qemu:
status:	New → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2017-01-21:

[Expired for QEMU because there has been no activity for 60 days.]

Changed in qemu:
status:	Incomplete → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.