Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2022/03/25 16:02:00 UTC

[jira] [Updated] (GUACAMOLE-1555) guacd_log() may trigger a segfault in connection cleanup phase

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-1555:
-------------------------------------
    Priority: Minor  (was: Major)

> guacd_log() may trigger a segfault in connection cleanup phase
> --------------------------------------------------------------
>
>                 Key: GUACAMOLE-1555
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1555
>             Project: Guacamole
>          Issue Type: Bug
>          Components: guacd
>         Environment: guacamole-server-1.4.0 with a customized rdp protocol plugin
>            Reporter: Sami Pönkänen
>            Priority: Minor
>
> If a guacamole protocol plugin initializes syslog by calling openlog() with a non-NULL ident string, then any calls from guacd to syslog() happening after the plugin has been unloaded may trigger a segfault.
> An example gdb backtrace of such a segfault:
> {code:java}
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7ffff32a5700 (LWP 4585)]
> __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
> 31              movdqu  (%rdi), %xmm1
> Missing separate debuginfos, use: debuginfo-install...
> (gdb) bt
> #0  __strlen_sse2 () at ../sysdeps/x86_64/strlen.S:31
> #1  0x00007ffff6157805 in __GI_fputs_unlocked (str=0x7ffff283402c <Address 0x7ffff283402c out of bounds>, fp=fp@entry=0x7fffec011630)
>     at iofputs_u.c:34
> #2  0x00007ffff61d65d8 in __GI___vsyslog_chk (pri=<optimized out>, flag=flag@entry=-1, fmt=0x5f300f "%s", ap=ap@entry=0x7ffff32a4238)
>     at ../misc/syslog.c:205
> #3  0x00007ffff61d6aaf in __syslog (pri=<optimized out>, fmt=<optimized out>) at ../misc/syslog.c:117
> #4  0x0000000000407242 in vguacd_log (level=GUAC_LOG_DEBUG, format=0x5f3298 "Client terminated successfully.", args=0x7ffff32a4b68)
>     at log.c:89
> #5  0x0000000000407315 in guacd_log (level=GUAC_LOG_DEBUG, format=0x5f3298 "Client terminated successfully.") at log.c:100
> #6  0x0000000000407ab6 in guacd_exec_proc (proc=0x7fffec00ae20, protocol=0x7fffec002de3 "rdp") at proc.c:363
> #7  0x0000000000407cde in guacd_create_proc (protocol=0x7fffec002de3 "rdp") at proc.c:443
> #8  0x000000000040663e in guacd_route_connection (map=0x7ffff7ee2010, socket=0x7fffec0008c0) at connection.c:301
> #9  0x0000000000406846 in guacd_connection_thread (data=0x10d36d0) at connection.c:396
> #10 0x00007ffff720bea5 in start_thread (arg=0x7ffff32a5700) at pthread_create.c:307
> #11 0x00007ffff61dc9fd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
> {code}
> In guacamole-server-1.4.0 all potentially crashing guacd_log() calls are in function guacd_exec_proc() in src/guacd/proc.c after line 358, in other words all calls after the guacd protocol plugin has been unloaded.
> The issue can be fixed by calling openlog() again in src/guacd/proc.c on line 355.
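Added example, not code from the Jira issue or from guacamole-server: a small C program that reproduces the ownership problem behind this report and the fix the reporter proposes. openlog(3) retains the ident pointer rather than copying the string, so a plugin that calls openlog() with a string in its own image leaves syslog pointing into memory that vanishes on dlclose(). The example stands in for the plugin with a heap-allocated ident (freed on unload, the way the .so's read-only data is unmapped), and for the host's fix with a static ident registered before the plugin memory goes away. The host ident "guacd", the plugin name "guacd-rdp-plugin" and every function name are assumptions for this example; no dlopen() is performed, so it runs stand-alone.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Ident owned by the host process. Static storage lives as long as the
 * process, so a pointer to it handed to openlog() can never dangle.
 * "guacd" is an assumed value for this example. */
static const char host_ident[] = "guacd";

/* openlog(3) keeps the ident pointer, it does not copy the string. This flag
 * records whether the pointer syslog currently holds is host-owned, so the
 * code never has to compare against a possibly freed pointer. */
static int ident_owned_by_host = 0;

static void register_ident(const char *ident)
{
    openlog(ident, LOG_PID, LOG_DAEMON);
    ident_owned_by_host = (ident == host_ident);
}

/* Stand-in for a protocol plugin. The ident is a heap string here; in the
 * real case it is a string inside the dlopen()ed .so, which disappears on
 * dlclose() exactly as this buffer disappears on free(). */
struct plugin {
    char *ident;
};

static struct plugin *plugin_load(const char *name)
{
    size_t n = strlen(name) + 1;
    struct plugin *p = malloc(sizeof *p);
    if (p == NULL)
        return NULL;
    p->ident = malloc(n);
    if (p->ident == NULL) {
        free(p);
        return NULL;
    }
    memcpy(p->ident, name, n);
    /* The pattern from the report: the plugin calls openlog() with a string
     * it owns, so syslog now holds a pointer into plugin memory. */
    register_ident(p->ident);
    return p;
}

/* Unsafe unload: the ident goes away while openlog() still points at it.
 * Any syslog() call after this reads freed memory (the strlen() crash in
 * the backtrace above). Nothing in this file logs while in that state. */
static void plugin_unload_unsafe(struct plugin *p)
{
    free(p->ident);
    free(p);
}

/* Safe unload: the host calls openlog() with its own ident before the
 * plugin's memory is released. This is the fix the report proposes.
 * closelog() alone is not relied on, since not every libc drops the stored
 * ident there. */
static void plugin_unload_safe(struct plugin *p)
{
    register_ident(host_ident);
    free(p->ident);
    free(p);
}

/* Load a plugin, unload it one way or the other, and report whether syslog
 * is left holding a host-owned ident (1) or a dangling one (0). */
int unload_leaves_host_ident(int use_safe_unload)
{
    struct plugin *p = plugin_load("guacd-rdp-plugin"); /* constructed name */
    if (p == NULL)
        return -1;
    if (use_safe_unload)
        plugin_unload_safe(p);
    else
        plugin_unload_unsafe(p);
    return ident_owned_by_host;
}

/* Cleanup-phase logging like the guacd_log() call in the backtrace, but
 * guarded: if the ident is not host-owned, the host re-registers its own
 * ident first, so syslog() never dereferences plugin memory. Returns 1 once
 * the message has been handed to syslog() with a host-owned ident. */
int log_cleanup_message(void)
{
    if (!ident_owned_by_host)
        register_ident(host_ident);
    syslog(LOG_DEBUG, "%s", "Client terminated successfully.");
    return ident_owned_by_host;
}

int main(void)
{
    printf("safe unload leaves host ident:   %d\n", unload_leaves_host_ident(1));
    printf("unsafe unload leaves host ident: %d\n", unload_leaves_host_ident(0));
    printf("cleanup log with host ident:     %d\n", log_cleanup_message());
    closelog();
    return 0;
}
```

The guard in log_cleanup_message() is a belt-and-braces check for the host; the actual fix is the ordering in plugin_unload_safe(): re-register a host-owned ident before the plugin's memory is released, never after.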



--
This message was sent by Atlassian Jira
(v8.20.1#820001)