GUACAMOLE-935: Memory may be double-freed within RDP support on Ubuntu 18.04


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.1.0
    • Fix Version/s: 1.1.0
    • Component/s: RDP
    • Labels: None

      Description

      When guacd is built against the version of FreeRDP 2.0.0 packaged with Ubuntu 18.04 (2.0.0-rc0), a double-free occurs that prevents RDP connections from functioning:

      guacd[17706]: INFO:	Guacamole proxy daemon (guacd) version 1.1.0 started
      guacd[17706]: INFO:	Listening on host 127.0.0.1, port 4822
      guacd[17706]: INFO:	Creating new client for protocol "rdp"
      guacd[17706]: INFO:	Connection ID is "$b588ef8c-917d-4a26-ab09-1b881172d0ef"
      guacd[17711]: INFO:	No security mode specified. Defaulting to security mode negotiation with server.
      guacd[17711]: INFO:	Resize method: none
      guacd[17711]: INFO:	User "@192fcd59-6c7e-44c9-b744-3f0d21af1260" joined connection "$b588ef8c-917d-4a26-ab09-1b881172d0ef" (1 users now present)
      guacd[17711]: INFO:	Loading keymap "base"
      guacd[17711]: INFO:	Loading keymap "en-us-qwerty"
      double free or corruption (out)
      

      According to gdb, this occurs within Bitmap_Free():

      #0  0x00007ffff7360e97 in __GI_raise (sig=sig@entry=6)
          at ../sysdeps/unix/sysv/linux/raise.c:51
      #1  0x00007ffff7362801 in __GI_abort () at abort.c:79
      #2  0x00007ffff73ab897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff74d8b9a "%s\n") at ../sysdeps/posix/libc_fatal.c:181
      #3  0x00007ffff73b290a in malloc_printerr (str=str@entry=0x7ffff74da870 "double free or corruption (out)") at malloc.c:5350
      #4  0x00007ffff73b9e75 in _int_free (have_lock=0, p=0x7fffd80b9200, av=0x7ffff770dc40 <main_arena>) at malloc.c:4278
      #5  0x00007ffff73b9e75 in __GI___libc_free (mem=0x7fffd80b9210)
          at malloc.c:3124
      #6  0x00007ffff27c3c86 in _aligned_free (memblock=0x7fffd80b9230)
          at /home/ubuntu/FreeRDP/winpr/libwinpr/crt/alignment.c:213
      #7  0x00007ffff2d78d6f in Bitmap_Free (context=0x7fffd8019560, bitmap=0x7fffd8080a80) at /home/ubuntu/FreeRDP/libfreerdp/core/graphics.c:64
      #8  0x00007ffff2d2bc82 in gdi_bitmap_update (context=0x7fffd8019560, bitmapUpdate=0x7fffd8032360) at /home/ubuntu/FreeRDP/libfreerdp/gdi/gdi.c:490
      #9  0x00007ffff2d9c292 in fastpath_recv_update_common (fastpath=0x7fffd8032cd0, s=0x7fffd80a5fe0) at /home/ubuntu/FreeRDP/libfreerdp/core/fastpath.c:309
      #10 0x00007ffff2d9c490 in fastpath_recv_update (fastpath=0x7fffd8032cd0, updateCode=1 '\001', size=2336, s=0x7fffd80a5fe0)
          at /home/ubuntu/FreeRDP/libfreerdp/core/fastpath.c:367
      ...
      

      As noted in the comments, a similar double-free can also occur when the connection is being torn down after disconnect. For example:

      guacd[35]: INFO:	User "@909af0c9-af19-462a-9bb2-9437ba7cad06" disconnected (0 users remain)
      guacd[35]: INFO:	Last user of connection "$b8e2c6ed-be2b-425d-ba47-19d372ea39af" disconnected
      corrupted size vs. prev_size
      guacd[6]: INFO:	Connection "$b8e2c6ed-be2b-425d-ba47-19d372ea39af" removed.
      

      and:

      ...
      guacd[49]: INFO:	User "@ea827a10-0334-4443-85e5-069a3e766508" disconnected (0 users remain)
      guacd[49]: INFO:	Last user of connection "$cebaf047-83e9-4659-8cbd-55b20d776ecc" disconnected
      double free or corruption (!prev)
      guacd[6]: INFO:	Connection "$cebaf047-83e9-4659-8cbd-55b20d776ecc" removed.
      

    People

    • Assignee: Mike Jumper
    • Reporter: Mike Jumper