Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2020-01-08 Thread Daniel Reichelt
On 08.01.20 09:04, Mike Gabriel wrote:
> I attached a .debdiff that reflects today's regression fix upload to
> buster-pu (I also did one to stretch-pu). I cherry-pick 2 more patches
> from upstream that relate to pthreading in libvncserver. I was able to
> reproduce your x11vnc crash on buster and with libvncserver having the
> attached .debdiff applied the crashes are gone.
> 
> Can you confirm that?

Yep, works. Thanks!

Daniel





Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2020-01-08 Thread Mike Gabriel

Hi Daniel,

On Sat 04 Jan 2020 01:07:21 CET, Daniel Reichelt wrote:

> On 02.01.20 16:39, Daniel Reichelt wrote:
>
> > With 7e63df224aa45a8b541cd63a870594454aba7526 applied, this happens 9
> > out of 10 times.
>
> Actually, that's crap.
>
> I noticed a ton of running x11vnc processes and re-tried ~debu10 with
> 7e63df224aa45a8b541cd63a870594454aba7526 applied.
>
> Result: just the error message about "unknown encoding", so nothing
> notably different than w/o said additional patch. (Although the
> different behaviour when other x11vnc processes are lingering
> is…"interesting"…it's not pertinent to the regression itself.)


I attached a .debdiff that reflects today's regression fix upload to
buster-pu (I also did one to stretch-pu). I cherry-pick 2 more patches
from upstream that relate to pthreading in libvncserver. I was able to
reproduce your x11vnc crash on buster and with libvncserver having the
attached .debdiff applied the crashes are gone.


Can you confirm that?

Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

diff -Nru libvncserver-0.9.11+dfsg/debian/changelog 
libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog   2019-12-03 09:18:57.0 
+0100
+++ libvncserver-0.9.11+dfsg/debian/changelog   2020-01-08 08:22:51.0 
+0100
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
+
+  * Regression update.
+
+  * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+#905786).
+
+ -- Mike Gabriel   Wed, 08 Jan 2020 08:22:51 +0100
+
 libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium
 
   * CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
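Review bot: the first bullet, `* Regression update.`, never says which regression is being fixed, and the release team reads this entry before anything else in a buster-pu request; make it self-explanatory, e.g. `* Regression update: x11vnc crashed / vncviewer failed with "Unknown encoding" after the use-after-free patches in the previous upload.` The second bullet would also be easier to audit if it named the upstream commits the three patches cherry-pick (7e63df224aa45a8b541cd63a870594454aba7526 and d0a76539835d11c0f4723499f8be4bc9c7724eb9 are in the patch headers; the id for 6.patch is not in the attached debdiff) and noted that 7e63df2 on its own did not help in the reporter's test, so the three are meant to be applied as a set.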
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series 
libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series  2019-12-03 
09:18:57.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series  2020-01-08 
08:22:34.0 +0100
@@ -25,4 +25,7 @@
 use-after-free/1.patch
 use-after-free/2.patch
 use-after-free/3.patch
+use-after-free/4.patch
+use-after-free/5.patch
+use-after-free/6.patch
 0002-set-true-color-flag-to-1.patch
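Review bot: the three new entries sit in the same block as use-after-free/1-3, so the series stays readable; one gap, though: the attached debdiff stops right after the `--- ` header line of use-after-free/6.patch, so the third patch listed here has no content to review in this mail. Please attach the complete debdiff (or point at the upstream commit 6.patch carries) so the whole set can be checked before the stable upload.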
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch  
1970-01-01 01:00:00.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch  
2020-01-08 08:22:51.0 +0100
@@ -0,0 +1,24 @@
+From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001
+From: Andrzej Szombierski 
+Date: Tue, 28 May 2019 10:56:47 +0200
+Subject: [PATCH] rfbserver: don't close fd 0 accidentally
+
+pipe_notify_client_thread needs to be initialized to -1
+---
+ libvncserver/rfbserver.c | 5 +
+ 1 file changed, 5 insertions(+)
+
+--- a/libvncserver/rfbserver.c
 b/libvncserver/rfbserver.c
+@@ -462,6 +462,11 @@
+ 
+   cl->lastPtrX = -1;
+ 
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++  cl->pipe_notify_client_thread[0] = -1;
++  cl->pipe_notify_client_thread[1] = -1;
++#endif
++
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+   /*
+* Wait a few ms for the client to send one of:
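Review bot: setting both pipe fds to -1 is the right initial value, but it only helps if the teardown side honours it: close(-1) merely returns EBADF, so whichever code closes pipe_notify_client_thread[0]/[1] (and the write() that wakes the client thread) should test for `>= 0` first, otherwise the fix trades closing stdin for a silent error; worth confirming in main.c before the upload. Also, as rendered here the embedded patch's `+++ b/libvncserver/rfbserver.c` line shows up as ` b/libvncserver/rfbserver.c` with the leading plus signs missing; check that the file in the actual upload has the full `+++` header, since quilt cannot apply the hunk without it.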
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch  
1970-01-01 01:00:00.0 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch  
2020-01-08 08:22:51.0 +0100
@@ -0,0 +1,26 @@
+From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001
+From: Rajesh Sahoo 
+Date: Tue, 11 Jun 2019 15:13:04 +0530
+Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE
+
+client_thread is created depending upon backgroundLoop, but joining
+without checking for same condition. so we are trying to join a garbage
+thread_id.
+---
+ libvncserver/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/main.c
 b/libvncserver/main.c
+@@ -1095,9 +1095,11 @@
+   }
+ 
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++if(currentCl->screen->backgroundLoop) {
+   // Notify the thread and join it
+   write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
+   pthread_join(currentCl->client_thread, NULL);
++}
+ #else
+   rfbClientConnectionGone(currentCl);
+ #endif
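Review bot: guarding the notify write and pthread_join on backgroundLoop is correct, since client_thread is only created in that mode, but in the pthread build nothing now tears the client down when backgroundLoop is FALSE: rfbClientConnectionGone(currentCl) is reached only through the #else branch. Unless the caller already handles non-threaded clients elsewhere, the client (and its socket) is leaked on shutdown in that configuration; either add `} else { rfbClientConnectionGone(currentCl); }` inside the #ifdef branch or document why it is not needed. The same missing-`+++`-header rendering seen in 4.patch applies to the ` b/libvncserver/main.c` line here too.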
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 
libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
--- 
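The two upstream fixes cherry-picked in the debdiff above (4.patch initialising the notify pipe to -1, 5.patch joining the client thread only when one was started) are instances of one defensive rule: record what you actually created and tear down only that. The following C example is added here for illustration; it is not libvncserver's code and not part of the thread. `client_t`, its functions and the scenario helpers are constructed stand-ins with hypothetical names modelled on the fields the patches touch. It shows the zero-initialised shape that makes a blind close() land on fd 0, beside an init/shutdown pair that tracks pipe and thread state explicitly, including the edge case where the wake-up write() fails.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the per-client state (hypothetical names modelled on
 * the fields the two upstream fixes touch; this is not libvncserver's code). */
typedef struct {
    int pipe_notify_client_thread[2];  /* wake-up pipe for the worker thread */
    pthread_t client_thread;           /* valid only if thread_started       */
    int thread_started;
} client_t;

/* Worker: block until the owner writes a byte (or closes the pipe), then exit. */
static void *client_thread_main(void *arg) {
    client_t *cl = arg;
    char byte;
    while (read(cl->pipe_notify_client_thread[0], &byte, 1) == -1 && errno == EINTR)
        ;   /* retry on signal; a byte or EOF ends the thread */
    return NULL;
}

/* Close only what is open and mark it closed; close(-1) would just be EBADF. */
static void close_pair(int fds[2]) {
    for (int i = 0; i < 2; i++)
        if (fds[i] >= 0) { close(fds[i]); fds[i] = -1; }
}

/* Pre-fix shape of the bug: a zero-filled struct leaves both pipe fds at 0, which is
 * STDIN_FILENO, so an unconditional close() later would close stdin. Never closes. */
void client_init_legacy(client_t *cl) {
    memset(cl, 0, sizeof *cl);
}

/* Fix 1 (the idea behind 4.patch): mark the fds "not open" first, then create
 * the pipe and thread only when a background loop was actually requested. */
int client_init(client_t *cl, int background_loop) {
    memset(cl, 0, sizeof *cl);
    cl->pipe_notify_client_thread[0] = -1;
    cl->pipe_notify_client_thread[1] = -1;
    if (!background_loop)
        return 0;                      /* no thread, no pipe, nothing to undo */
    if (pipe(cl->pipe_notify_client_thread) == -1)
        return -1;                     /* fds stay -1 on failure */
    if (pthread_create(&cl->client_thread, NULL, client_thread_main, cl) != 0) {
        close_pair(cl->pipe_notify_client_thread);
        return -1;
    }
    cl->thread_started = 1;
    return 0;
}

/* Fix 2 (the idea behind 5.patch): notify and join only a thread that was
 * created. Returns 0, or -1 if the join failed. */
int client_shutdown(client_t *cl) {
    int rc = 0;
    if (cl->thread_started) {
        if (write(cl->pipe_notify_client_thread[1], "\x00", 1) != 1) {
            /* Fallback: closing the write end makes the reader see EOF instead. */
            close(cl->pipe_notify_client_thread[1]);
            cl->pipe_notify_client_thread[1] = -1;
        }
        if (pthread_join(cl->client_thread, NULL) != 0)
            rc = -1;
        cl->thread_started = 0;
    }
    close_pair(cl->pipe_notify_client_thread);
    return rc;
}

/* Observers for the scenarios below; they touch no real fds. */
int client_open_fds(const client_t *cl) {       /* fds recorded as open (>= 0) */
    return (cl->pipe_notify_client_thread[0] >= 0) + (cl->pipe_notify_client_thread[1] >= 0);
}
int pipe_fd_aliases_stdin(const client_t *cl) { /* would a blind close() hit fd 0? */
    return cl->pipe_notify_client_thread[0] == 0 || cl->pipe_notify_client_thread[1] == 0;
}

/* Scenario 1: the old shape is a hazard even though no pipe was ever made. */
int scenario_legacy_aliases_stdin(void) {
    client_t cl;
    client_init_legacy(&cl);
    return pipe_fd_aliases_stdin(&cl);          /* 1: a blind close() hits stdin */
}
/* Scenario 2: no background loop, so nothing is created, closed or joined. */
int scenario_no_loop_is_clean(void) {
    client_t cl;
    if (client_init(&cl, 0) != 0 || client_open_fds(&cl) != 0 || pipe_fd_aliases_stdin(&cl))
        return 0;
    return client_shutdown(&cl) == 0 && client_open_fds(&cl) == 0;
}
/* Scenario 3: background loop, so pipe and thread exist and are both released. */
int scenario_loop_roundtrip(void) {
    client_t cl;
    if (client_init(&cl, 1) != 0 || client_open_fds(&cl) != 2 || !cl.thread_started)
        return 0;
    return client_shutdown(&cl) == 0 && client_open_fds(&cl) == 0 && !cl.thread_started;
}

int main(void) {
    printf("legacy aliases stdin: %d\nno-loop clean: %d\nloop roundtrip: %d\n",
           scenario_legacy_aliases_stdin(), scenario_no_loop_is_clean(),
           scenario_loop_roundtrip());
    return 0;
}
```

Build with `cc -pthread`. Each scenario returns 1 when the behaviour matches its comment, so the three calls double as a regression check for the pattern; the first one is the only place the legacy shape is used, and it only inspects the fd values rather than closing them.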

Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2020-01-03 Thread Daniel Reichelt
On 02.01.20 16:39, Daniel Reichelt wrote:
> With 7e63df224aa45a8b541cd63a870594454aba7526 applied, this happens 9
> out of 10 times.

Actually, that's crap.

I noticed a ton of running x11vnc processes and re-tried ~debu10 with
7e63df224aa45a8b541cd63a870594454aba7526 applied.

Result: just the error message about "unknown encoding", so nothing
notably different than w/o said additional patch. (Although the
different behaviour when other x11vnc processes are lingering
is…"interesting"…it's not pertinent to the regression itself.)





Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2020-01-02 Thread Daniel Reichelt
> Does adding this upstream commit to the patches in +deb10u2 fix
> your issue?
> https://github.com/LibVNC/libvncserver/commit/7e63df224aa45a8b541cd63a870594454aba7526.patch

Not really.

With just ~debu10, 1 out of 10 times, the client window would stay open,
but I wasn't able to transmit any input… just no reaction whatsoever to
kb/mouse.

With 7e63df224aa45a8b541cd63a870594454aba7526 applied, this happens 9
out of 10 times.

A completely working connection couldn't be established at all.





Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2020-01-02 Thread Mike Gabriel

Hi Daniel,

thanks for this regression report.

On Mon 30 Dec 2019 14:01:04 CET, Daniel Reichelt wrote:

> Hi all,
>
> the new use-after-free patches introduced in 0.9.11+dfsg-1.3~deb10u2
> hurt connections to servers provided by x11vnc.
>
> Previously, a server initiated by
>
> x11vnc -nopw -auth guess -display :0 -forever
>
> was perfectly fine to connect to using tightvncviewer. Now, with
> ~deb10u2, the remote window of tightvncviewer comes up for a fraction
> of a second and then immediately closes with the message "Unknown
> encoding". Nothing changed on the involved systems besides
> libvncserver1/libvncclient1.
>
> Reverting only the use-after-free patches, re-building libvncserver1 and
> starting x11vnc using that package, tightvncviewer can connect again.
>
> Also, this issue does NOT appear when libvncserver1/testing
> (0.9.12+dfsg-5) is installed.
>
> Cheers
> Daniel


Does adding this upstream commit to the patches in +deb10u2 fix
your issue?

https://github.com/LibVNC/libvncserver/commit/7e63df224aa45a8b541cd63a870594454aba7526.patch

Could you test this?

Thanks,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de





Bug#905786: Fix for "libvncserver1: Use-after-free on shutdown[...]" incomplete

2019-12-30 Thread Daniel Reichelt
Hi all,

the new use-after-free patches introduced in 0.9.11+dfsg-1.3~deb10u2
hurt connections to servers provided by x11vnc.

Previously, a server initiated by

x11vnc -nopw -auth guess -display :0 -forever

was perfectly fine to connect to using tightvncviewer. Now, with
~deb10u2, the remote window of tightvncviewer comes up for a fraction
of a second and then immediately closes with the message "Unknown
encoding". Nothing changed on the involved systems besides
libvncserver1/libvncclient1.

Reverting only the use-after-free patches, re-building libvncserver1 and
starting x11vnc using that package, tightvncviewer can connect again.

Also, this issue does NOT appear when libvncserver1/testing
(0.9.12+dfsg-5) is installed.


Cheers
Daniel


