[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [Bug 1815371] [NEW] SPICE session's connection_id's are not
From: |
Laurent Bigonville |
Subject: |
[Qemu-devel] [Bug 1815371] [NEW] SPICE session's connection_id's are not unique |
Date: |
Sun, 10 Feb 2019 18:12:43 -0000 |
Public bug reported:
From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897
=====
When creating a virtual machine with qemu (e.g. via libvirt) including a
SPICE server, the client_id of the SPICE session is not unique. For
example, starting multiple virtual machines on the same libvirtd, the
client_id is the same for all virtual machine's SPICE sessions.
A description of the client_id can be found in
https://www.spice-space.org/static/docs/spice_protocol.pdf under section
2.11. c) :
"UINT32 connection_id - In case of a new session (i.e., channel type is
RED_CHANNEL_MAIN) this field is set to zero, and in response the server will
allocate session id and will send it via the RedLinkReply message. In case of
all other channel types, this field will be equal to the allocated session id"
The relevant code for generating client ids in libspice-server1 can be found
here:
https://gitlab.freedesktop.org/spice/spice/blob/v0.12.8/server/reds.c#L1614
This uses rand() to generate the random id, but qemu (at least in the
case of qemu-system-x86) fails to initialize the RNG seed (with e.g.
srand()).
The result is, that every SPICE session started (by e.g. libvirtd) has the same
client_id. Usually, this is not a problem, but running something like a SPICE
proxy, relying on the client_id to correctly route connections, this creates
problems.
Adding something like 'srand(time(NULL));' to qemu (in vl.c) solves this issue.
Related (as seen in some VNC patches, e.g.
'CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch/ui/vnc.c'
): srand(time(NULL)+getpid()+getpid()*987654+rand());
Tested on Debian 9.7 with kernel 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1
(2018-05-07) x86_64 GNU/Linux.
=====
** Affects: qemu
Importance: Undecided
Status: New
** Affects: qemu (Debian)
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #920897
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897
** Also affects: qemu (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897
Importance: Unknown
Status: Unknown
--
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1815371
Title:
SPICE session's connection_id's are not unique
Status in QEMU:
New
Status in qemu package in Debian:
Unknown
Bug description:
From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897
=====
When creating a virtual machine with qemu (e.g. via libvirt) including
a SPICE server, the client_id of the SPICE session is not unique. For
example, starting multiple virtual machines on the same libvirtd, the
client_id is the same for all virtual machine's SPICE sessions.
A description of the client_id can be found in
https://www.spice-space.org/static/docs/spice_protocol.pdf under
section 2.11. c) :
"UINT32 connection_id - In case of a new session (i.e., channel type is
RED_CHANNEL_MAIN) this field is set to zero, and in response the server will
allocate session id and will send it via the RedLinkReply message. In case of
all other channel types, this field will be equal to the allocated session id"
The relevant code for generating client ids in libspice-server1 can be found
here:
https://gitlab.freedesktop.org/spice/spice/blob/v0.12.8/server/reds.c#L1614
This uses rand() to generate the random id, but qemu (at least in the
case of qemu-system-x86) fails to initialize the RNG seed (with e.g.
srand()).
The result is, that every SPICE session started (by e.g. libvirtd) has the
same client_id. Usually, this is not a problem, but running something like a
SPICE proxy, relying on the client_id to correctly route connections, this
creates problems.
Adding something like 'srand(time(NULL));' to qemu (in vl.c) solves this
issue. Related (as seen in some VNC patches, e.g.
'CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch/ui/vnc.c'
): srand(time(NULL)+getpid()+getpid()*987654+rand());
Tested on Debian 9.7 with kernel 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1
(2018-05-07) x86_64 GNU/Linux.
=====
To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1815371/+subscriptions
- [Qemu-devel] [Bug 1815371] [NEW] SPICE session's connection_id's are not unique,
Laurent Bigonville <=