virt-viewer double-free on sized-streams
Submitted by Victor Toso
Assigned to Victor Toso
Description
While playing with patch [0] on rhel6 spice-server due to bug [1], virt-viewer had a double-free when messing with guest stream size. Sadly, debug info was lacking but I'll get back to it afterwards (just so as not to forget to file the bug)
##############################################################
*** Error in `/home/vtosodec/work/jhbuild/dev/bin/remote-viewer': free(): invalid next size (normal): 0x0000000004497d70 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x77da5)[0x7ffff43bcda5]
/lib64/libc.so.6(+0x804fa)[0x7ffff43c54fa]
/lib64/libc.so.6(cfree+0x4c)[0x7ffff43c8cac]
/lib64/libglib-2.0.so.0(g_free+0xe)[0x7ffff4fff5ee]
/lib64/libspice-client-glib-2.0.so.8(+0x2aa8a)[0x7ffff4cb6a8a]
/lib64/libspice-client-glib-2.0.so.8(+0x2a842)[0x7ffff4cb6842]
/lib64/libglib-2.0.so.0(+0x4a893)[0x7ffff4ffa893]
/lib64/libglib-2.0.so.0(g_main_context_dispatch+0x15a)[0x7ffff4ff9e3a]
/lib64/libglib-2.0.so.0(+0x4a1d0)[0x7ffff4ffa1d0]
/lib64/libglib-2.0.so.0(g_main_context_iteration+0x2c)[0x7ffff4ffa27c]
/lib64/libgio-2.0.so.0(g_application_run+0x1ec)[0x7ffff55e4a0c]
/home/vtosodec/work/jhbuild/dev/bin/remote-viewer(main+0x4a)[0x40f5ea]
/lib64/libc.so.6(__libc_start_main+0xf0)[0x7ffff4365580]
/home/vtosodec/work/jhbuild/dev/bin/remote-viewer(_start+0x29)[0x40f629]
======= Memory map: ======== (omitted)
Program received signal SIGABRT, Aborted.
0x00007ffff4379a98 in raise () from /lib64/libc.so.6
##############################################################
thread apply all bt
Thread 5 (Thread 0x7fffd75f4700 (LWP 1284)):
#0 0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1 0x00007ffff22580b5 in handle_events () at /lib64/libusb-1.0.so.0
#2 0x00007ffff2259043 in libusb_handle_events_timeout_completed () at /lib64/libusb-1.0.so.0
#3 0x00007ffff225912f in libusb_handle_events () at /lib64/libusb-1.0.so.0
#4 0x00007ffff4cc4b50 in spice_usb_device_manager_usb_ev_thread () at /lib64/libspice-client-glib-2.0.so.8
#5 0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#6 0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#7 0x00007ffff4447a4d in clone () at /lib64/libc.so.6
Thread 4 (Thread 0x7fffd7df5700 (LWP 1281)):
#0 0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1 0x00007ffff225eb3c in linux_udev_event_thread_main () at /lib64/libusb-1.0.so.0
#2 0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#3 0x00007ffff4447a4d in clone () at /lib64/libc.so.6
Thread 3 (Thread 0x7fffdd642700 (LWP 1280)):
#0 0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1 0x00007ffff4ffa16c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2 0x00007ffff4ffa4f2 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#3 0x00007ffff561b336 in gdbus_shared_thread_func () at /lib64/libgio-2.0.so.0
#4 0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5 0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#6 0x00007ffff4447a4d in clone () at /lib64/libc.so.6
Thread 2 (Thread 0x7fffdde43700 (LWP 1279)):
#0 0x00007ffff443bfdd in poll () at /lib64/libc.so.6
#1 0x00007ffff4ffa16c in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#2 0x00007ffff4ffa27c in g_main_context_iteration () at /lib64/libglib-2.0.so.0
#3 0x00007ffff4ffa2b9 in glib_worker_main () at /lib64/libglib-2.0.so.0
#4 0x00007ffff5020835 in g_thread_proxy () at /lib64/libglib-2.0.so.0
#5 0x00007ffff470d60a in start_thread () at /lib64/libpthread.so.0
#6 0x00007ffff4447a4d in clone () at /lib64/libc.so.6
Thread 1 (Thread 0x7ffff7ef3a80 (LWP 1275)):
#0 0x00007ffff4379a98 in raise () at /lib64/libc.so.6
#1 0x00007ffff437b69a in abort () at /lib64/libc.so.6
#2 0x00007ffff43bcdaa in () at /lib64/libc.so.6
#3 0x00007ffff43c54fa in _int_free () at /lib64/libc.so.6
#4 0x00007ffff43c8cac in free () at /lib64/libc.so.6
#5 0x00007ffff4fff5ee in g_free () at /lib64/libglib-2.0.so.0
#6 0x00007ffff4cb6a8a in stream_mjpeg_data () at /lib64/libspice-client-glib-2.0.so.8
#7 0x00007ffff4cb6842 in display_stream_render () at /lib64/libspice-client-glib-2.0.so.8
#8 0x00007ffff4ffa893 in g_timeout_dispatch () at /lib64/libglib-2.0.so.0
#9 0x00007ffff4ff9e3a in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#10 0x00007ffff4ffa1d0 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#11 0x00007ffff4ffa27c in g_main_context_iteration () at /lib64/libglib-2.0.so.0