Bug#608756: assertion for screen size 1400x1050 (using -vga vmware)

2012-01-20 Thread Michael Tokarev
tags 608756 + confirmed upstream patch squeeze wheezy sid
thanks

Replying to an old bug report...

On 03.01.2011 14:04, Harald Dunkel wrote:
> Package: qemu-kvm
> Version: 0.12.5+dfsg-5
>
> I get an assertion on the host, if I try to increase the
> screen size from 1280x1024 to 1400x1050 on the guest.
>
> # kvm -m 512 -drive file=Win7.vmdk,boot=on -net nic,macaddr=00:00:00:11:22:33
> -net tap -uuid 564d8e7f-aca4-40a2-1444-aa30a3112233 -vnc :1 -usbdevice tablet
> -vga vmware
> kvm: malloc.c:3097: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
> Aborted (core dumped)
>
> The guest runs Windows 7 with the current Vmware drivers
> installed. The problem seems to be reproducible.

On 03.01.2011 15:07, you wrote:
> PPS: Using -vga std I get a memory corruption (see below).
> 1280x1024 and 1600x1200 seem to work fine.

There's a bug in vnc handling of several resolutions.
This bug is still present in 1.0 version of qemu and qemu-kvm,
and has been fixed only very recently.

The problem is that vnc code in qemu assumes that the screen
width is a multiple of 16, and this assumption is relied on
in several places, allocating buffers of smaller size if
this is not the case.  The result is random memory corruption.

But 1400 is not a multiple of 16, so that explains why this
happens with 1400x1050 but not with the other sizes you mentioned
(both of which have a width divisible by 16).

Note this is a problem which can be triggered by the guest,
so it can be considered a DoS condition and hence is
security-sensitive.

But from another point of view, since for regular desktop
usage there's a workaround (not using 1400x modes), I
think it does not have to be of high priority.  Also, it
only happens with vnc console, and does not affect SDL
console.

Now that upstream has released a fix, I can (trivially) backport it
to squeeze, and most likely will.

I'm sorry it took me so long - to be fair, I dislike dealing
with vnc bugs.  It just happened that I noticed that Gerd Hoffmann
sent a patch fixing it today.

Thanks!

/mjt



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
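
The width-rounding failure Michael describes above, modelled in C as an added example (this is not QEMU's code and not part of the thread): a dirty-tile tracker splits each scanline into 16-pixel tiles, and the number of tiles per row is computed once with truncating division (the "width is a multiple of 16" assumption) and once with round-up division. The function names, TILE_WIDTH and the three test widths are this example's own assumptions. For 1400 the truncated count covers only 1392 pixels, so the last 8 columns map to a tile beyond the allocation; the bounds check in mark_dirty_checked turns that silent heap overwrite into a detectable failure, and the round-up form makes every column fit.

```c
/* Constructed model of a VNC-style dirty-tile row, not QEMU's code.
 * Each scanline is tracked as one byte per 16-pixel-wide tile. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#define TILE_WIDTH 16   /* assumption: 16 pixels per dirty-tracking tile */

/* Truncating division: what a "width is always a multiple of 16"
 * assumption produces. For 1400 this yields 87 tiles = 1392 pixels. */
static size_t tiles_truncating(unsigned width) {
    return width / TILE_WIDTH;
}

/* Round-up division: the correct count, covering the partial last tile
 * (88 tiles for 1400). Identical to the truncating form when 16 | width. */
static size_t tiles_rounded_up(unsigned width) {
    return (width + TILE_WIDTH - 1) / TILE_WIDTH;
}

/* Pixel columns that fall outside a row sized by truncating division.
 * Zero when width is a multiple of 16, otherwise the remainder. */
static unsigned uncovered_columns(unsigned width) {
    return width - (unsigned)(tiles_truncating(width) * TILE_WIDTH);
}

/* Mark the tile containing pixel column x as dirty, but only if the tile
 * index lies inside the allocated row. Returns 1 on success, 0 if the
 * write would land past the end of the allocation (the condition that
 * corrupts heap metadata when no such check exists). */
static int mark_dirty_checked(uint8_t *row, size_t ntiles, unsigned x) {
    size_t tile = x / TILE_WIDTH;
    if (tile >= ntiles)
        return 0;
    row[tile] = 1;
    return 1;
}

/* Returns 1 when marking every column 0..width-1 stays inside a row
 * allocated with `ntiles` entries, 0 if any column would overflow it. */
static int row_fits(unsigned width, size_t ntiles) {
    uint8_t *row = calloc(ntiles ? ntiles : 1, 1);
    int ok = 1;
    if (!row)
        return 0;
    for (unsigned x = 0; x < width && ok; x++)
        ok = mark_dirty_checked(row, ntiles, x);
    free(row);
    return ok;
}

int main(void) {
    /* The three widths named in the bug report. */
    const unsigned widths[] = { 1280, 1400, 1600 };
    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        unsigned w = widths[i];
        printf("width %u: truncated tiles=%zu (fits=%d), "
               "rounded-up tiles=%zu (fits=%d), uncovered columns=%u\n",
               w, tiles_truncating(w), row_fits(w, tiles_truncating(w)),
               tiles_rounded_up(w), row_fits(w, tiles_rounded_up(w)),
               uncovered_columns(w));
    }
    return 0;
}
```

Run as-is it prints one line per width; only 1400 reports a non-zero uncovered count and a failing fit under truncating division, which is exactly the pattern the thread reports (1280 and 1600 fine, 1400 corrupting the heap).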



Bug#608756: assertion for screen size 1400x1050 (using -vga vmware)

2011-01-03 Thread Harald Dunkel
Package: qemu-kvm
Version: 0.12.5+dfsg-5

I get an assertion on the host, if I try to increase the
screen size from 1280x1024 to 1400x1050 on the guest.

# kvm -m 512 -drive file=Win7.vmdk,boot=on -net nic,macaddr=00:00:00:11:22:33 
-net tap -uuid 564d8e7f-aca4-40a2-1444-aa30a3112233 -vnc :1 -usbdevice tablet 
-vga vmware
kvm: malloc.c:3097: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
Aborted (core dumped)

The guest runs Windows 7 with the current Vmware drivers
installed. The problem seems to be reproducible.


Regards

Harri




Bug#608756: assertion for screen size 1400x1050 (using -vga vmware)

2011-01-03 Thread Harald Dunkel
PS: Using 1600x1200 there is no problem.




Bug#608756: assertion for screen size 1400x1050 (using -vga vmware)

2011-01-03 Thread Harald Dunkel
PPS: Using -vga std I get a memory corruption (see below).
1280x1024 and 1600x1200 seem to work fine.


*** glibc detected *** kvm: malloc(): memory corruption: 0x01e4e130 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7f554c58aad6]
/lib/libc.so.6(+0x74b6d)[0x7f554c58db6d]
/lib/libc.so.6(__libc_malloc+0x70)[0x7f554c58f930]
kvm[0x474625]
kvm[0x46cfc7]
kvm[0x46d27d]
kvm[0x40cfba]
kvm[0x4261da]
kvm[0x40fa36]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f554c537c4d]
kvm[0x409d79]
======= Memory map: ========
00400000-00637000 r-xp 00000000 08:11 12977      /usr/bin/kvm
00836000-00858000 rw-p 00236000 08:11 12977      /usr/bin/kvm
00858000-00c67000 rw-p 00000000 00:00 0
012a8000-0181d000 rw-p 00000000 00:00 0
0181d000-01825000 rw-p 00000000 00:00 0
01825000-023de000 rw-p 00000000 00:00 0
7f54fc000000-7f54fc021000 rw-p 00000000 00:00 0
7f54fc021000-7f5500000000 ---p 00000000 00:00 0
7f55037c2000-7f55037d8000 r-xp 00000000 08:11 115892     /lib/libgcc_s.so.1
7f55037d8000-7f55039d7000 ---p 00016000 08:11 115892     /lib/libgcc_s.so.1
7f55039d7000-7f55039d8000 rw-p 00015000 08:11 115892     /lib/libgcc_s.so.1
7f55039d8000-7f5503a99000 rw-p 00000000 00:00 0
7f5503bc6000-7f5503bca000 r-xp 00000000 08:11 30948      /usr/lib/sasl2/libanonymous.so.2.0.23
7f5503bca000-7f5503dc9000 ---p 00004000 08:11 30948      /usr/lib/sasl2/libanonymous.so.2.0.23
7f5503dc9000-7f5503dca000 rw-p 00003000 08:11 30948      /usr/lib/sasl2/libanonymous.so.2.0.23
7f5503dca000-7f5503dce000 r-xp 00000000 08:11 30943      /usr/lib/sasl2/libcrammd5.so.2.0.23
7f5503dce000-7f5503fce000 ---p 00004000 08:11 30943      /usr/lib/sasl2/libcrammd5.so.2.0.23
7f5503fce000-7f5503fcf000 rw-p 00004000 08:11 30943      /usr/lib/sasl2/libcrammd5.so.2.0.23
7f5503fcf000-7f5503fdb000 r-xp 00000000 08:11 30922      /usr/lib/sasl2/libdigestmd5.so.2.0.23
7f5503fdb000-7f55041da000 ---p 0000c000 08:11 30922      /usr/lib/sasl2/libdigestmd5.so.2.0.23
7f55041da000-7f55041db000 rw-p 0000b000 08:11 30922      /usr/lib/sasl2/libdigestmd5.so.2.0.23
7f55041db000-7f55041df000 r-xp 00000000 08:11 30921      /usr/lib/sasl2/liblogin.so.2.0.23
7f55041df000-7f55043de000 ---p 00004000 08:11 30921      /usr/lib/sasl2/liblogin.so.2.0.23
7f55043de000-7f55043df000 rw-p 00003000 08:11 30921      /usr/lib/sasl2/liblogin.so.2.0.23
7f55043df000-7f55043e7000 r-xp 00000000 08:11 1612612    /lib/libcrypt-2.11.2.so
7f55043e7000-7f55045e6000 ---p 00008000 08:11 1612612    /lib/libcrypt-2.11.2.so
7f55045e6000-7f55045e7000 r--p 00007000 08:11 1612612    /lib/libcrypt-2.11.2.so
7f55045e7000-7f55045e8000 rw-p 00008000 08:11 1612612    /lib/libcrypt-2.11.2.so
7f55045e8000-7f5504616000 rw-p 00000000 00:00 0
7f5504616000-7f550461a000 r-xp 00000000 08:11 30924      /usr/lib/sasl2/libplain.so.2.0.23
7f550461a000-7f5504819000 ---p 00004000 08:11 30924      /usr/lib/sasl2/libplain.so.2.0.23
7f5504819000-7f550481a000 rw-p 00003000 08:11 30924      /usr/lib/sasl2/libplain.so.2.0.23
7f550481a000-7f550498f000 r-xp 00000000 08:11 1317620    /usr/lib/libcrypto.so.0.9.8
7f550498f000-7f5504b8f000 ---p 00175000 08:11 1317620    /usr/lib/libcrypto.so.0.9.8
7f5504b8f000-7f5504bb7000 rw-p 00175000 08:11 1317620    /usr/lib/libcrypto.so.0.9.8
7f5504bb7000-7f5504bbb000 rw-p 00000000 00:00 0
7f5504bbb000-7f5504bc3000 r-xp 00000000 08:11 30927      /usr/lib/sasl2/libntlm.so.2.0.23
7f5504bc3000-7f5504dc2000 ---p 00008000 08:11 30927      /usr/lib/sasl2/libntlm.so.2.0.23
7f5504dc2000-7f5504dc3000 rw-p 00007000 08:11 30927      /usr/lib/sasl2/libntlm.so.2.0.23
7f5504dc3000-7f5504f39000 r-xp 00000000 08:11 2668274    /usr/lib/libdb-4.8.so
7f5504f39000-7f5505138000 ---p 00176000 08:11 2668274    /usr/lib/libdb-4.8.so
7f5505138000-7f550513d000 rw-p 00175000 08:11 2668274    /usr/lib/libdb-4.8.so
7f550513d000-7f5505142000 r-xp 00000000 08:11 32103      /usr/lib/sasl2/libsasldb.so.2.0.23
7f5505142000-7f5505341000 ---p 00005000 08:11 32103      /usr/lib/sasl2/libsasldb.so.2.0.23
7f5505341000-7f5505342000 rw-p 00004000 08:11 32103      /usr/lib/sasl2/libsasldb.so.2.0.23
7f5505342000-7f5505384000 rw-p 00000000 00:00 0
7f55054b1000-7f55054b2000 rw-p 00000000 00:00 0
7f55054b2000-7f55064b2000 rw-p 00000000 00:00 0
7f55064b2000-7f55064b4000 rw-p 00000000 00:00 0
7f55064b4000-7f55464b4000 rw-p 00000000 00:00 0
7f55464b4000-7f55464b5000 rw-p 00000000 00:00 0
7f55464b5000-7f55464b6000 ---p 00000000 00:00