* [Qemu-devel] [Bug 1815371] [NEW] SPICE session's connection_id's are not unique
@ 2019-02-10 18:12 Laurent Bigonville
From: Laurent Bigonville @ 2019-02-10 18:12 UTC (permalink / raw)
  To: qemu-devel

Public bug reported:

From: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897

=====

When creating a virtual machine with qemu (e.g. via libvirt) including a
SPICE server, the client_id of the SPICE session is not unique. For
example, when starting multiple virtual machines on the same libvirtd, the
client_id is the same for all of the virtual machines' SPICE sessions.


A description of the client_id can be found in

https://www.spice-space.org/static/docs/spice_protocol.pdf under section
2.11. c) :


"UINT32 connection_id - In case of a new session (i.e., channel type is RED_CHANNEL_MAIN) this field is set to zero, and in response the server will allocate session id and will send it via the RedLinkReply message. In case of all other channel types, this field will be equal to the allocated session id"


The relevant code for generating client ids in libspice-server1 can be found here: https://gitlab.freedesktop.org/spice/spice/blob/v0.12.8/server/reds.c#L1614

This uses rand() to generate the random id, but qemu (at least in the
case of qemu-system-x86) fails to initialize the RNG seed (with e.g.
srand()).


The result is that every SPICE session started (e.g. by libvirtd) has the same client_id. Usually this is not a problem, but when running something like a SPICE proxy that relies on the client_id to correctly route connections, this creates problems.


Adding something like 'srand(time(NULL));' to qemu (in vl.c) solves this issue. Related (as seen in some VNC patches, e.g. 'CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch/ui/vnc.c'): srand(time(NULL)+getpid()+getpid()*987654+rand());


Tested on Debian 9.7 with kernel 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64 GNU/Linux.


=====

** Affects: qemu
     Importance: Undecided
         Status: New

** Affects: qemu (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #920897
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897

** Also affects: qemu (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920897
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of qemu-
devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1815371

Title:
   SPICE session's connection_id's are not unique

Status in QEMU:
  New
Status in qemu package in Debian:
  Unknown

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/1815371/+subscriptions
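The failure mode in the report above, as an added example that is not part of the bug report, of QEMU or of libspice-server: the C standard guarantees that rand() called before any srand() behaves as if srand(1) had been called, so every freshly started process that never seeds draws the same first value. The example models that with an explicit seed, shows the reporter's time-based workaround, and contrasts both with a hypothetical generator (urandom_connection_id, my name, not a SPICE function) that reads the kernel CSPRNG via /dev/urandom and avoids the value 0, which the SPICE protocol reserves to mean "new session". ids_collide is the check a proxy that routes on connection_id would want to run against a build.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Models the unseeded path the report describes: rand() is consulted with
 * no prior srand(), so every process starts from the implicit seed 1 and
 * hands out the same "random" id. The seed is passed explicitly here so
 * the determinism can be shown inside a single process. */
uint32_t connection_id_from_seed(unsigned seed)
{
    srand(seed);
    return (uint32_t)rand();
}

/* The reporter's workaround: seed once from the clock at startup. Processes
 * started in different seconds then get different ids, but the id is still
 * a function of a guessable seed, so it is distinct, not unpredictable. */
uint32_t clock_seeded_connection_id(void)
{
    srand((unsigned)time(NULL));
    return (uint32_t)rand();
}

/* Hypothetical hardened generator (not libspice-server's code): take 32 bits
 * from the kernel CSPRNG. connection_id 0 means "new session" on the wire,
 * so a zero draw is retried. Returns 0 only if /dev/urandom is unreadable,
 * which the caller must treat as a failure, never as an id. */
uint32_t urandom_connection_id(void)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) {
        return 0;
    }
    uint32_t id = 0;
    for (int attempt = 0; attempt < 8 && id == 0; attempt++) {
        if (fread(&id, sizeof id, 1, f) != 1) {
            id = 0;
            break;
        }
    }
    fclose(f);
    return id;
}

/* Uniqueness check a proxy relying on connection_id would want: 1 if two
 * ids issued by a generator are equal, 0 otherwise. */
int ids_collide(uint32_t a, uint32_t b)
{
    return a == b;
}

int main(void)
{
    /* Two "processes" that never called srand(): identical ids. */
    printf("unseeded process A: %u\n", connection_id_from_seed(1));
    printf("unseeded process B: %u\n", connection_id_from_seed(1));
    printf("clock-seeded:       %u\n", clock_seeded_connection_id());
    printf("urandom id:         %u\n", urandom_connection_id());
    return 0;
}
```

The clock-seeded variant fixes the duplicate-id symptom the proxy trips over, but only the CSPRNG-backed variant makes the id unguessable by a third party; a session id that can be predicted from the start time is a weaker routing key than one drawn from the kernel.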

* [Qemu-devel] [Bug 1815371] Re: SPICE session's connection_id's are not unique
From: Bug Watch Updater @ 2019-02-10 23:15 UTC (permalink / raw)
  To: qemu-devel

** Changed in: qemu (Debian)
       Status: Unknown => Confirmed


Title:
   SPICE session's connection_id's are not unique

Status in QEMU:
  New
Status in qemu package in Debian:
  Confirmed

* [Bug 1815371] Re:  SPICE session's connection_id's are not unique
From: Thomas Huth @ 2021-05-05 11:17 UTC (permalink / raw)
  To: qemu-devel

This is an automated cleanup. This bug report has been moved to QEMU's
new bug tracker on gitlab.com and thus gets marked as 'expired' now.
Please continue with the discussion here:

 https://gitlab.com/qemu-project/qemu/-/issues/163


** Changed in: qemu
       Status: New => Expired

** Bug watch added: gitlab.com/qemu-project/qemu/-/issues #163
   https://gitlab.com/qemu-project/qemu/-/issues/163


Title:
   SPICE session's connection_id's are not unique

Status in QEMU:
  Expired
Status in qemu package in Debian:
  Confirmed
