Hi Daniel, On Sa 04 Jan 2020 01:07:21 CET, Daniel Reichelt wrote:
On 02.01.20 16:39, Daniel Reichelt wrote:With 7e63df224aa45a8b541cd63a870594454aba7526 applied, this happens 9 out of 10 times.Actually, that's crap. I noticed a ton of running x11vnc processes and re-tried ~debu10 with 7e63df224aa45a8b541cd63a870594454aba7526 applied. Result: just the error message about "unknown encoding", so nothing notably different than w/o said additional patch. (Although the different behaviour when other x11vnc processes are lingering is…"interesting"…it's not pertinent to the regression itself.)
I attached a .debdiff that reflects todays regression fix upload to buster-pu (I also did one to stretch-pu). I cherry-pick 2 more patches from upstream that relate to pthreading in libvncserver. I was able to reproduce your x11vnc crash on buster and with libvncserver having the attached .debdiff applied the crashes are gone.
Can you confirm that? Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
diff -Nru libvncserver-0.9.11+dfsg/debian/changelog libvncserver-0.9.11+dfsg/debian/changelog
--- libvncserver-0.9.11+dfsg/debian/changelog 2019-12-03 09:18:57.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/changelog 2020-01-08 08:22:51.000000000 +0100
@@ -1,3 +1,13 @@
+libvncserver (0.9.11+dfsg-1.3+deb10u2) buster; urgency=medium
+
+ * Regression update.
+
+ * debian/patches: Add use-after-free/{4,5,6}.patch. All cherry-picked from
+ upstream. Resolves crashing of x11vnc when vncviewer connects. (Closes:
+ #905786).
+
+ -- Mike Gabriel <sunweaver@debian.org> Wed, 08 Jan 2020 08:22:51 +0100
+
libvncserver (0.9.11+dfsg-1.3+deb10u1) buster; urgency=medium
* CVE-2019-15681: rfbserver: don't leak stack memory to the remote. (Closes:
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/series libvncserver-0.9.11+dfsg/debian/patches/series
--- libvncserver-0.9.11+dfsg/debian/patches/series 2019-12-03 09:18:57.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/series 2020-01-08 08:22:34.000000000 +0100
@@ -25,4 +25,7 @@
use-after-free/1.patch
use-after-free/2.patch
use-after-free/3.patch
+use-after-free/4.patch
+use-after-free/5.patch
+use-after-free/6.patch
0002-set-true-color-flag-to-1.patch
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/4.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,24 @@
+From 7e63df224aa45a8b541cd63a870594454aba7526 Mon Sep 17 00:00:00 2001
+From: Andrzej Szombierski <qq@kuku.eu.org>
+Date: Tue, 28 May 2019 10:56:47 +0200
+Subject: [PATCH] rfbserver: don't close fd 0 accidentally
+
+pipe_notify_client_thread needs to be initialized to -1
+---
+ libvncserver/rfbserver.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/libvncserver/rfbserver.c
++++ b/libvncserver/rfbserver.c
+@@ -462,6 +462,11 @@
+
+ cl->lastPtrX = -1;
+
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ cl->pipe_notify_client_thread[0] = -1;
++ cl->pipe_notify_client_thread[1] = -1;
++#endif
++
+ #ifdef LIBVNCSERVER_WITH_WEBSOCKETS
+ /*
+ * Wait a few ms for the client to send one of:
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/5.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,26 @@
+From d0a76539835d11c0f4723499f8be4bc9c7724eb9 Mon Sep 17 00:00:00 2001
+From: Rajesh Sahoo <rajesh.sahoo@lge.com>
+Date: Tue, 11 Jun 2019 15:13:04 +0530
+Subject: [PATCH] avoid pthread_join if backgroundLoop is FALSE
+
+client_thread is created depending upon backgroundLoop, but joining
+without checking for same condition. so we are trying to join a garbage
+thread_id.
+---
+ libvncserver/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/libvncserver/main.c
++++ b/libvncserver/main.c
+@@ -1095,9 +1095,11 @@
+ }
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ if(currentCl->screen->backgroundLoop) {
+ // Notify the thread and join it
+ write(currentCl->pipe_notify_client_thread[1], "\x00", 1);
+ pthread_join(currentCl->client_thread, NULL);
++ }
+ #else
+ rfbClientConnectionGone(currentCl);
+ #endif
diff -Nru libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch
--- libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 1970-01-01 01:00:00.000000000 +0100
+++ libvncserver-0.9.11+dfsg/debian/patches/use-after-free/6.patch 2020-01-08 08:22:51.000000000 +0100
@@ -0,0 +1,30 @@
+From d3a4292aa9ade2a335e0915523506b73e94251d7 Mon Sep 17 00:00:00 2001
+From: Christian Beier <dontmind@freeshell.org>
+Date: Sun, 6 Jan 2019 19:34:04 +0100
+Subject: [PATCH] Move pipe_notify_client_thread to end of rfbClientRec
+
+in order to retain ABI compatibility.
+---
+ rfb/rfb.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/rfb/rfb.h
++++ b/rfb/rfb.h
+@@ -466,7 +466,6 @@
+ int protocolMinorVersion;
+
+ #ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
+- int pipe_notify_client_thread[2];
+ pthread_t client_thread;
+ #endif
+
+@@ -696,6 +695,9 @@
+ wsCtx *wsctx;
+ char *wspath; /* Requests path component */
+ #endif
++#ifdef LIBVNCSERVER_HAVE_LIBPTHREAD
++ int pipe_notify_client_thread[2];
++#endif
+ } rfbClientRec, *rfbClientPtr;
+
+ /**
Attachment:
pgp7Wjb_HjqrE.pgp
Description: Digitale PGP-Signatur