Posted to issues@guacamole.apache.org by "Grigory Trenin (Jira)" <ji...@apache.org> on 2020/04/25 20:46:00 UTC

[jira] [Created] (GUACAMOLE-1053) Segfault in guacd (race between RDP client user threads)

Grigory Trenin created GUACAMOLE-1053:
-----------------------------------------

             Summary: Segfault in guacd (race between RDP client user threads)
                 Key: GUACAMOLE-1053
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1053
             Project: Guacamole
          Issue Type: Bug
          Components: guacd
    Affects Versions: 1.1.0
         Environment: RHEL 7.7 (x86_64)
            Reporter: Grigory Trenin


{noformat}
Program terminated with signal 11, Segmentation fault.
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0) at keyboard.c:444
444         if (!keyboard->synchronized) {

(gdb) p keyboard->synchronized
Cannot access memory at address 0x7faa4c36401c

(gdb) bt
#0  guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0) at keyboard.c:444
#1  0x00007faae2f50bf0 in guac_user_input_thread (data=<optimized out>) at user-handshake.c:165
#2  0x00007faae2372ea5 in start_thread () from /lib64/libpthread.so.0
#3  0x00007faae0c678cd in clone () from /lib64/libc.so.6

(gdb) info threads
  Id   Target Id         Frame
  3    Thread 0x7fa9eb7fe700 (LWP 7379) 0x00007faae2374017 in pthread_join () from /lib64/libpthread.so.0
  2    Thread 0x7fa9ebfff700 (LWP 7376) (Exiting) 0x00007faae2379bad in recvmsg () from /lib64/libpthread.so.0
* 1    Thread 0x7fa9f8ff9700 (LWP 7381) guac_rdp_keyboard_update_keysym (keyboard=0x7faa4c364010, keysym=65288, pressed=0)
    at keyboard.c:444
{noformat}
"info threads" shows that there are only 3 threads running:
 # guac_user_input_thread (the thread the segfault occurred in)
 # guacd_connection_thread
 # guacd_user_thread waiting for guac_user_input_thread

Note that there is no client thread running.
So here is what happened: *guac_rdp_client_thread* exited and freed the *rdp_client->keyboard* structure, while the user input thread was still running and tried to access *rdp_client->keyboard* after it was freed.

This is an old bug. I found a two-year-old issue, GUACAMOLE-433, which looks exactly the same, but it was closed as "Cannot reproduce". It does not happen often indeed. We have 120 users actively using Guacamole (since COVID-19) and have seen this segfault only twice within the last month.

As a relief, a NULL value can be assigned to *rdp_client->keyboard* immediately after freeing it. It will decrease the segfault probability, but of course the race condition between the client and user input threads remains.

To fix it reliably we probably need to introduce a mutex that will not allow user input handlers to run concurrently with the RDP connection setup/cleanup code.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
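Added illustration (not part of the report above, and not Guacamole code): a small pthread model of the race the backtrace shows, with the fix the report proposes applied. A "client" thread frees the keyboard object while an "input" thread keeps handling key events; the teardown and the handler both take one mutex, and the handler checks for NULL under that lock, so the NULL assignment the report mentions becomes a reliable signal instead of a probabilistic relief. Struct names (kbd_state, rdp_client), the field layout, the function names and the event count are all stand-ins chosen for the demo; the real guacd handler's behaviour in the unsynchronized branch is not modelled.

```c
/* Added illustration for GUACAMOLE-1053. Not guacd code: every name here is a
 * hypothetical stand-in for the structures and threads named in the report. */
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the RDP keyboard state freed by the client thread. */
typedef struct kbd_state {
    int synchronized;   /* the field read at the crashing line in the report */
    int events;         /* key events applied since creation */
    int last_keysym;    /* positive on press, negative on release */
} kbd_state;

/* Stand-in for rdp_client: the keyboard pointer plus the lock that was missing. */
typedef struct rdp_client {
    kbd_state *keyboard;
    pthread_mutex_t lock;   /* serialises keyboard use with setup and teardown */
} rdp_client;

void rdp_client_init(rdp_client *c) {
    pthread_mutex_init(&c->lock, NULL);
    c->keyboard = calloc(1, sizeof *c->keyboard);
    if (c->keyboard == NULL) abort();
    c->keyboard->synchronized = 1;
}

/* Client-thread teardown. Free and NULL the keyboard under the lock, so no
 * input handler can be inside rdp_update_keysym while the memory goes away.
 * Without the lock, the NULL store alone still leaves the report's race. */
void rdp_client_teardown(rdp_client *c) {
    pthread_mutex_lock(&c->lock);
    free(c->keyboard);
    c->keyboard = NULL;
    pthread_mutex_unlock(&c->lock);
}

/* Input-thread handler. Returns 0 if the event was applied, -1 if the
 * connection is already gone. The unfixed pattern from the backtrace is the
 * same body without the lock and without the NULL check: a use-after-free
 * whenever teardown wins the race. */
int rdp_update_keysym(rdp_client *c, int keysym, int pressed) {
    int rc = -1;
    pthread_mutex_lock(&c->lock);
    if (c->keyboard != NULL && c->keyboard->synchronized) {
        c->keyboard->events++;
        c->keyboard->last_keysym = pressed ? keysym : -keysym;
        rc = 0;
    }
    pthread_mutex_unlock(&c->lock);
    return rc;
}

#define EVENTS 20000   /* constructed workload for the demo */
struct input_args { rdp_client *c; int applied; int rejected; };

static void *input_thread(void *arg) {      /* stand-in for guac_user_input_thread */
    struct input_args *a = arg;
    for (int i = 0; i < EVENTS; i++) {
        if (rdp_update_keysym(a->c, 65288, i & 1) == 0) a->applied++;
        else a->rejected++;
    }
    return NULL;
}

static void *client_thread(void *arg) {     /* stand-in for guac_rdp_client_thread */
    for (volatile int i = 0; i < 100000; i++) ;  /* let some input through first */
    rdp_client_teardown(arg);
    return NULL;
}

/* Runs both threads concurrently. Returns 1 when every event was either
 * applied or cleanly rejected, i.e. the process survived the teardown race. */
int run_race_demo(void) {
    rdp_client c;
    struct input_args a = { &c, 0, 0 };
    pthread_t ti, tc;
    rdp_client_init(&c);
    pthread_create(&ti, NULL, input_thread, &a);
    pthread_create(&tc, NULL, client_thread, &c);
    pthread_join(ti, NULL);
    pthread_join(tc, NULL);
    pthread_mutex_destroy(&c.lock);
    return a.applied + a.rejected == EVENTS;
}

/* Single-threaded check of the contract: applied before teardown, rejected
 * after, pointer cleared. Returns 1 on success. */
int sequential_check(void) {
    rdp_client c;
    rdp_client_init(&c);
    int ok = rdp_update_keysym(&c, 65288, 1) == 0 && c.keyboard->events == 1;
    rdp_client_teardown(&c);
    ok = ok && c.keyboard == NULL && rdp_update_keysym(&c, 65288, 0) == -1;
    pthread_mutex_destroy(&c.lock);
    return ok;
}

int main(void) {
    printf("sequential: %s, race: %s\n", sequential_check() ? "ok" : "FAIL",
           run_race_demo() ? "ok" : "FAIL");
    return 0;
}
```

Build with a pthread-enabled toolchain (e.g. cc -pthread race_demo.c). Running the demo under AddressSanitizer or with the lock calls removed from rdp_update_keysym is the quickest way to see the difference: the unlocked variant reports a heap-use-after-free on the keyboard object on the runs where the client thread finishes first.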