[Qemu-devel] [Bug 1547012] Re: qemu instances crashes with certain spice clients

[Thomas Huth]

Looking through old bug tickets... can you still reproduce this issue
with the latest version of QEMU? Or could we close this ticket nowadays?

** Changed in: qemu
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1547012

Title:
  qemu instances crashes with certain spice clients

Status in QEMU:
  Incomplete

Bug description:
  It's possible to make qemu instances crash when using certain browsers
  connected as spice-clients.

  my environment:

  - OpenStack Kilo installed from ubuntu-cloud archive (qemu-system-x86 
2.2+dfsg-5expubuntu9.6~cloud0)
  - Using spice for web-console access

  How to reproduce:

  1. Start a VM on openstack
  2. access the OpenStack dashboard using iceweasel 43.0.4 
  3. Open the spice-console
  4. Leave the console open for few minutes
  5. The VM will crash on the hypervisor

  The content of qemu log-files for this particular VM:

  2016-02-18 07:25:23.655+0000: starting up
  LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/sbin:/bin 
QEMU_AUDIO_DRV=spice /usr/bin/qemu-system-x86_64 -name instance-0000188f -S 
-machine pc-i440fx-utopic,accel=kvm,usb=off -cpu 
SandyBridge,+erms,+smep,+fsgsbase,+pdpe1gb,+rdrand,+f16c,+osxsave,+dca,+pcid,+pdcm,+xtpr,+tm2,+est,+smx,+vmx,+ds_cpl,+monitor,+dtes64,+pbe,+tm,+ht,+ss,+acpi,+ds,+vme
 -m 4096 -realtime mlock=off -smp 1,sockets=1,cores=1,threads=1 -uuid 
cb04ff25-056f-4f82-a2e8-1fbb762bc29e -smbios type=1,manufacturer=OpenStack 
Foundation,product=OpenStack 
Nova,version=2015.1.2,serial=00000000-0000-0000-0000-0cc47a45f5e8,uuid=cb04ff25-056f-4f82-a2e8-1fbb762bc29e
 -no-user-config -nodefaults -chardev 
socket,id=charmonitor,path=/var/lib/libvirt/qemu/instance-0000188f.monitor,server,nowait
 -mon chardev=charmonitor,id=monitor,mode=control -rtc base=utc,driftfix=slew 
-global kvm-pit.lost_tick_policy=discard -no-hpet -no-shutdown -boot strict=on 
-device piix3-usb-uhci,id=usb,bus=pci.0,addr=0x1.0x2 -device 
virtio-serial-pci,id=virtio-serial0,bus=pci.0,addr=0x4 -drive 
file=rbd:libvirt/cb04ff25-056f-4f82-a2e8-1fbb762bc29e_disk:id=cinder:key=AQBYmdBUCDq7IBAA/7tLevRjdF3Bo7522xkFqA==:auth_supported=cephx\;none:mon_host=xxx.xxx.xxx.xxx\:6789\;xxx.xxx.xxx.xxx\:6789\;xxx.xxx.xxx.xxx\:6789\;xxx.xxx.xxx.xxx\:6789\;xxx.xxx.xxx.xxx\:6789,if=none,id=drive-virtio-disk0,format=raw,cache=writeback
 -device 
virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1
 -netdev tap,fd=55,id=hostnet0,vhost=on,vhostfd=58 -device 
virtio-net-pci,netdev=hostnet0,id=net0,mac=fa:16:3e:a4:74:3b,bus=pci.0,addr=0x3 
-chardev 
file,id=charserial0,path=/var/lib/nova/instances/cb04ff25-056f-4f82-a2e8-1fbb762bc29e/console.log
 -device isa-serial,chardev=charserial0,id=serial0 -chardev pty,id=charserial1 
-device isa-serial,chardev=charserial1,id=serial1 -chardev pty,id=charchannel0 
-device 
virtserialport,bus=virtio-serial0.0,nr=1,chardev=charchannel0,id=channel0,name=com.redhat.spice.0
 -spice port=5929,addr=172.24.1.30,disable-ticketing,seamless-migration=on -k 
fr-ch -device 
qxl-vga,id=video0,ram_size=67108864,vram_size=67108864,vgamem_mb=16,bus=pci.0,addr=0x2
 -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x6 -msg timestamp=on
  char device redirected to /dev/pts/64 (label charserial1)
  char device redirected to /dev/pts/65 (label charchannel0)
  main_channel_link: add main channel client
  main_channel_handle_parsed: net test: latency 44.136000 ms, bitrate 
157538461538 bps (150240.384615 Mbps)
  inputs_connect: inputs channel client create
  red_dispatcher_set_cursor_peer:
  ((null):18188): SpiceWorker-CRITICAL **: 
red_worker.c:1629:common_alloc_recv_buf: unexpected message size 214862 (max is 
1024)
  2016-02-18 07:30:47.008+0000: shutting down

  It's funny because this error only occurs with certain browser
  versions, in my case with Iceweasel 43.0.4 and 44. 0 but it works well
  with Chrome 48.0.256482 and Firefox 44.0.2.

  Marking this a potential security issue as it could maybe lead to a
  denial-of-service if a user sends crafted packets.

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1547012/+subscriptions