[GUACAMOLE-898] Segment fault when two users race on same connection - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 1.0.0
Fix Version/s: None
Component/s: libguac, RDP, SSH, VNC
Labels:
None

Description

The VNC/RDP and SSH plugins all create a display/term in connection owner guac_vnc_client_thread/guac_rdp_client_thread and ssh_client_thread thread.

However, the client->display or client->term is immediately used in non-owner threads.

If two users are racing on the same connection and the client->display or client->term is not ready for the non-owner, then:

guac_common_display_dup(vnc_client->display, user, user->socket);

guac_common_display_dup(rdp_client->display, user, user->socket);

guac_terminal_dup(ssh_client->term, user, user->socket);

can result in segment fault because the display/term pointer can still be a NULL pointer.

Here is a stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ff9c2fad700 (LWP 9)]
0x00007ff9cbcd1cc0 in pthread_mutex_lock () from /lib64/libpthread.so.0
Missing separate debuginfos, use: debuginfo-install bzip2-libs-1.0.6-13.el7.x86_64 cairo-1.15.12-4.el7.x86_64 dbus-libs-1.10.24-13.el7_6.x86_64 elfutils-libelf-0.176-2.el7.x86_64 elfutils-libs-0.176-2.el7.x86_64 expat-2.1.0-10.el7_3.x86_64 flac-libs-1.3.0-5.el7_1.x86_64 fontconfig-2.13.0-4.3.el7.x86_64 freetype-2.8-14.el7.x86_64 glibc-2.17-292.el7.x86_64 gmp-6.0.0-15.el7.x86_64 gnutls-3.3.29-9.el7_6.x86_64 gsm-1.0.13-11.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-37.el7_7.2.x86_64 libICE-1.0.9-9.el7.x86_64 libSM-1.2.2-2.el7.x86_64 libX11-1.6.7-2.el7.x86_64 libXau-1.0.8-2.1.el7.x86_64 libXext-1.3.3-3.el7.x86_64 libXi-1.7.9-1.el7.x86_64 libXrender-0.9.10-1.el7.x86_64 libXtst-1.2.3-1.el7.x86_64 libasyncns-0.8-7.el7.x86_64 libattr-2.4.46-13.el7.x86_64 libcap-2.22-10.el7.x86_64 libcom_err-1.42.9-16.el7.x86_64 libffi-3.0.13-18.el7.x86_64 libgcc-4.8.5-39.el7.x86_64 libgcrypt-1.5.3-14.el7.x86_64 libglvnd-1.0.1-0.8.git5baa1e5.el7.x86_64 libglvnd-egl-1.0.1-0.8.git5baa1e5.el7.x86_64 libglvnd-glx-1.0.1-0.8.git5baa1e5.el7.x86_64 libgpg-error-1.12-3.el7.x86_64 libjpeg-turbo-1.2.90-8.el7.x86_64 libogg-1.3.0-7.el7.x86_64 libpng-1.5.13-7.el7_2.x86_64 libselinux-2.5-14.1.el7.x86_64 libsndfile-1.0.25-10.el7.x86_64 libtasn1-4.10-1.el7.x86_64 libuuid-2.23.2-61.el7.x86_64 libvncserver-0.9.9-13.el7_6.x86_64 libvorbis-1.3.3-8.el7.1.x86_64 libwebp-0.3.0-7.el7.x86_64 libxcb-1.13-1.el7.x86_64 lz4-1.7.5-3.el7.x86_64 lzo-minilzo-2.06-8.el7.x86_64 nettle-2.7.1-8.el7.x86_64 openssl-libs-1.0.2k-19.el7.x86_64 p11-kit-0.23.5-3.el7.x86_64 pcre-8.32-17.el7.x86_64 pixman-0.34.0-1.el7.x86_64 pulseaudio-libs-10.0-5.el7.x86_64 systemd-libs-219-67.el7_7.2.x86_64 tcp_wrappers-libs-7.6-77.el7.x86_64 uuid-1.6.2-26.el7.x86_64 xz-libs-5.2.2-1.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) bt
#0  0x00007ff9cbcd1cc0 in pthread_mutex_lock () from /lib64/libpthread.so.0
#1  0x00007ff9c05a0bd3 in guac_common_display_dup (display=0x0, user=user@entry=0x7ff9900008c0, socket=0x7ff990000b60) at display.c:169
#2  0x00007ff9c059fbd7 in guac_vnc_user_join_handler (user=0x7ff9900008c0, argc=<optimized out>, argv=0x7ff9900048a0) at user.c:87
#3  0x00007ff9cbeeafc8 in guac_client_add_user (client=client@entry=0x7ff9a4000bb0, user=user@entry=0x7ff9900008c0, argc=22, argv=<optimized out>)
    at client.c:307
#4  0x00007ff9cbef2311 in guac_user_handle_connection (user=0x7ff9900008c0, usec_timeout=15000000) at user-handshake.c:414
(gdb)

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Changkun Ou

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Nov/19 11:18

Updated:: 05/Nov/19 14:29