diff --git a/SOURCES/0023-channel-main-Fix-indentation.patch b/SOURCES/0023-channel-main-Fix-indentation.patch
new file mode 100644
index 0000000..d1d7837
--- /dev/null
+++ b/SOURCES/0023-channel-main-Fix-indentation.patch
@@ -0,0 +1,118 @@ +From 1defa5c0f0107b8496b7696408aad064c65947a5 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Tue, 17 Mar 2020 21:27:19 +0000 +Subject: [PATCH] channel-main: Fix indentation + +Signed-off-by: Frediano Ziglio +Acked-by: Victor Toso +--- + src/channel-main.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 1e85a36..0a0b9ca 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -283,13 +283,13 @@ static void spice_main_get_property(GObject *object, + switch (prop_id) { + case PROP_MOUSE_MODE: + g_value_set_int(value, c->mouse_mode); +- break; ++ break; + case PROP_AGENT_CONNECTED: + g_value_set_boolean(value, c->agent_connected); +- break; ++ break; + case PROP_AGENT_CAPS_0: + g_value_set_int(value, c->agent_caps[0]); +- break; ++ break; + case PROP_DISPLAY_DISABLE_WALLPAPER: + g_value_set_boolean(value, c->display_disable_wallpaper); + break; +@@ -312,8 +312,8 @@ static void spice_main_get_property(GObject *object, + g_value_set_int(value, spice_main_get_max_clipboard(self)); + break; + default: +- G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec); +- break; ++ G_OBJECT_WARN_INVALID_PROPERTY_ID(object, prop_id, pspec); ++ break; + } + } + +@@ -346,8 +346,8 @@ static void spice_main_set_property(GObject *gobject, guint prop_id, + spice_main_set_max_clipboard(self, g_value_get_int(value)); + break; + default: +- G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec); +- break; ++ G_OBJECT_WARN_INVALID_PROPERTY_ID(gobject, prop_id, pspec); ++ break; + } + } + +@@ -2051,9 +2051,10 @@ static void main_agent_handle_msg(SpiceChannel *channel, + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION], 0, selection, + cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); + +- if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) +- g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD], 0, +- 
cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); ++ if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) { ++ g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD], 0, ++ cb->type, cb->data, msg->size - sizeof(VDAgentClipboard)); ++ } + break; + } + case VD_AGENT_CLIPBOARD_GRAB: +@@ -2075,10 +2076,11 @@ static void main_agent_handle_msg(SpiceChannel *channel, + } + + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION_GRAB], 0, selection, +- (guint8*)payload, msg->size / sizeof(uint32_t), &ret); +- if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) ++ (guint8*)payload, msg->size / sizeof(uint32_t), &ret); ++ if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) { + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_GRAB], 0, +- payload, msg->size / sizeof(uint32_t), &ret); ++ payload, msg->size / sizeof(uint32_t), &ret); ++ } + break; + } + case VD_AGENT_CLIPBOARD_REQUEST: +@@ -2086,11 +2088,11 @@ static void main_agent_handle_msg(SpiceChannel *channel, + gboolean ret; + VDAgentClipboardRequest *req = payload; + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_SELECTION_REQUEST], 0, selection, +- req->type, &ret); ++ req->type, &ret); + + if (selection == VD_AGENT_CLIPBOARD_SELECTION_CLIPBOARD) + g_coroutine_signal_emit(self, signals[SPICE_MAIN_CLIPBOARD_REQUEST], 0, +- req->type, &ret); ++ req->type, &ret); + break; + } + case VD_AGENT_CLIPBOARD_RELEASE: +@@ -2333,7 +2335,7 @@ static gboolean migrate_connect(gpointer data) + host = (char*)info->host_data; + + if (info->cert_subject_size == 0 || +- strlen((const char*)info->cert_subject_data) == 0) { ++ strlen((const char*)info->cert_subject_data) == 0) { + /* only verify hostname if no cert subject */ + g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL); + } else { +@@ -2690,7 +2692,7 @@ void spice_main_update_display(SpiceMainChannel *channel, int id, + * Since: 0.35 + **/ + void 
spice_main_channel_update_display(SpiceMainChannel *channel, int id, int x, int y, int width, +- int height, gboolean update) ++ int height, gboolean update) + { + SpiceMainChannelPrivate *c; + +-- +2.28.0 + diff --git a/SOURCES/0024-channel-main-Fix-indentation.patch b/SOURCES/0024-channel-main-Fix-indentation.patch new file mode 100644 index 0000000..1079e96 --- /dev/null +++ b/SOURCES/0024-channel-main-Fix-indentation.patch @@ -0,0 +1,40 @@ +From 3c933f53bfa9b679750f5d0bbdc7707134d88598 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Fri, 20 Mar 2020 05:19:49 +0000 +Subject: [PATCH] channel-main: Fix indentation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Some mistake in recent patch, thanks to Marc-André's eagle eyes. + +Signed-off-by: Frediano Ziglio +Acked-by: Victor Toso +--- + src/channel-main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index d7669e8..6a1bb40 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -283,13 +283,13 @@ static void spice_main_get_property(GObject *object, + switch (prop_id) { + case PROP_MOUSE_MODE: + g_value_set_int(value, c->mouse_mode); +- break; ++ break; + case PROP_AGENT_CONNECTED: + g_value_set_boolean(value, c->agent_connected); +- break; ++ break; + case PROP_AGENT_CAPS_0: + g_value_set_int(value, c->agent_caps[0]); +- break; ++ break; + case PROP_DISPLAY_DISABLE_WALLPAPER: + g_value_set_boolean(value, c->display_disable_wallpaper); + break; +-- +2.28.0 + diff --git a/SOURCES/0025-channel-main-Remove-unused-declaration.patch b/SOURCES/0025-channel-main-Remove-unused-declaration.patch new file mode 100644 index 0000000..ee8a4b3 --- /dev/null +++ b/SOURCES/0025-channel-main-Remove-unused-declaration.patch 
@@ -0,0 +1,42 @@
+From 41c8a60e5e9451080863d2f87bb0f5007a71cc34 Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Tue, 4 Aug 2020 15:50:03 +0100
+Subject: [PATCH] channel-main: Remove unused declaration
+
+OldRedMigrationBegin is not used. Last usage removed in
+
+ commit f944ad6935f12efe47f78cbde1c5e6db31442597
+
+ More cleanup for old protocol support
+
+ Support for protocol version 1 was dropped in commit f77a1d50.
+
+Signed-off-by: Frediano Ziglio
+---
+ src/channel-main.c | 10 ----------
+ 1 file changed, 10 deletions(-)
+
+diff --git a/src/channel-main.c b/src/channel-main.c
+index e944771..3dd94a2 100644
+--- a/src/channel-main.c
++++ b/src/channel-main.c
+@@ -2326,16 +2326,6 @@ static gboolean main_migrate_handshake_done(gpointer data)
+ return FALSE;
+ }
+
+-#ifdef __GNUC__
+-typedef struct __attribute__ ((__packed__)) OldRedMigrationBegin {
+-#else
+-typedef struct __declspec(align(1)) OldRedMigrationBegin {
+-#endif
+- uint16_t port;
+- uint16_t sport;
+- char host[0];
+-} OldRedMigrationBegin;
+-
+ /* main context */
+ static gboolean migrate_connect(gpointer data)
+ {
+--
+2.28.0
+
diff --git a/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch b/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch
new file mode 100644
index 0000000..8d08d54
--- /dev/null
+++ b/SOURCES/0026-main-add-a-few-missing-vdagent-capability-descriptio.patch
@@ -0,0 +1,26 @@
+From 8d60d4fc3fe0bd620f216091b24bbb8b72bb055a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Mon, 17 Aug 2020 14:36:05 +0400
+Subject: [PATCH] main: add a few missing vdagent capability descriptions
+
+Acked-by: Frediano Ziglio
+---
+ src/channel-main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/channel-main.c b/src/channel-main.c
+index 3dd94a2..671716a 100644
+--- a/src/channel-main.c
++++ b/src/channel-main.c
+@@ -222,6 +222,8 @@ static const char *agent_caps[] = {
+ [ VD_AGENT_CAP_AUDIO_VOLUME_SYNC ] = "volume-sync",
+ [ VD_AGENT_CAP_MONITORS_CONFIG_POSITION ] = "monitors config position",
+ [ VD_AGENT_CAP_FILE_XFER_DISABLED ] = "file transfer disabled",
++ [ VD_AGENT_CAP_FILE_XFER_DETAILED_ERRORS ] = "file transfer detailed errors",
++ [ VD_AGENT_CAP_GRAPHICS_DEVICE_INFO ] = "graphics device info",
+ [ VD_AGENT_CAP_CLIPBOARD_NO_RELEASE_ON_REGRAB ] = "no release on re-grab",
+ [ VD_AGENT_CAP_CLIPBOARD_GRAB_SERIAL ] = "clipboard grab serial",
+ };
+--
+2.28.0
+
diff --git a/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch b/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch
new file mode 100644
index 0000000..60ec0f5
--- /dev/null
+++ b/SOURCES/0027-main-add-stricter-pre-condition-on-display-id-value.patch
@@ -0,0 +1,39 @@
+From e521ddee98961bb30a7a3d93c6c01dddb7da3662 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?=
+Date: Tue, 15 Sep 2020 13:09:46 +0400
+Subject: [PATCH] main: add stricter pre-condition on display id value
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Marc-André Lureau
+Acked-by: Frediano Ziglio
+---
+ src/channel-main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/channel-main.c b/src/channel-main.c
+index 671716a..5fcf8e8 100644
+--- a/src/channel-main.c
++++ b/src/channel-main.c
+@@ -2723,7 +2723,7 @@ void spice_main_channel_update_display(SpiceMainChannel *channel, int id, int x,
+
+ c = SPICE_MAIN_CHANNEL(channel)->priv;
+
+- g_return_if_fail(id < SPICE_N_ELEMENTS(c->display));
++ g_return_if_fail(id >= 0 && id < SPICE_N_ELEMENTS(c->display));
+
+ SpiceDisplayConfig display = {
+ .x = x, .y = y, .width = width, .height = height,
+@@ -3040,7 +3040,7 @@ void spice_main_channel_update_display_enabled(SpiceMainChannel *channel, int id
+ c->display[i].display_state = display_state;
+ }
+ } else {
+- g_return_if_fail(id < G_N_ELEMENTS(c->display));
++ g_return_if_fail(id >= 0 && id < G_N_ELEMENTS(c->display));
+ if (c->display[id].display_state == display_state)
+ return;
+ c->display[id].display_state = display_state;
+--
+2.28.0
+
diff --git a/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch b/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch
new file mode 100644
index 0000000..1744443
--- /dev/null
+++ b/SOURCES/0028-channel-main-Use-heap-and-reference-counting-for-spi.patch
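Review bot: The two new preconditions express the same bound on the same array with different macros — `SPICE_N_ELEMENTS(c->display)` in spice_main_channel_update_display and `G_N_ELEMENTS(c->display)` in spice_main_channel_update_display_enabled — so I would use one macro in both to make it obvious they are identical checks. The explicit `id >= 0` is a real clarity gain: assuming SPICE_N_ELEMENTS is a sizeof ratio like G_N_ELEMENTS, a negative id was already rejected through unsigned promotion, but that relied on the reader knowing the conversion rules rather than on the code saying it. Keep in mind that `g_return_if_fail` compiles to nothing under G_DISABLE_CHECKS, so this is the right tool for an API precondition on caller-supplied ids but must not be the only bound if a display id can ever arrive from the remote side. Both enclosing functions start and end outside the hunk.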
@@ -0,0 +1,273 @@ +From 8f1147b4119f920b69eb9c577121cbd5ac1e1d70 Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Mon, 10 Aug 2020 15:27:09 +0100 +Subject: [PATCH 28/31] channel-main: Use heap and reference counting for + spice_migrate + +Don't use the stack, it will potentially disappear (see mig +variable in main_migrate_connect). +For instance channels use this structure when they are freed. As +the free is done in delayed mode the initial coroutine could be +ended releasing the stack and causing a segmentation fault. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1867564. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 110 ++++++++++++++++++++++++++++++++------------- + 1 file changed, 78 insertions(+), 32 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 79fe63c..8caf727 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -123,6 +123,7 @@ struct spice_migrate { + struct coroutine *from; + SpiceMigrationDstInfo *info; + SpiceSession *session; ++ int ref_count; + guint nchannels; + SpiceChannel *src_channel; + SpiceChannel *dst_channel; +@@ -175,8 +176,8 @@ static void channel_set_handlers(SpiceChannelClass *klass); + static void agent_send_msg_queue(SpiceMainChannel *channel); + static void agent_free_msg_queue(SpiceMainChannel *channel); + static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent event, +- gpointer data); +-static gboolean main_migrate_handshake_done(gpointer data); ++ spice_migrate *mig); ++static gboolean main_migrate_handshake_done(spice_migrate *mig); + static void spice_main_channel_send_migration_handshake(SpiceChannel *channel); + static void file_xfer_flushed(SpiceMainChannel *channel, gboolean success); + static void file_xfer_read_async_cb(GObject *source_object, +@@ -193,6 +194,7 @@ static void file_transfer_operation_task_finished(SpiceFileTransferTask *xfer_ta + GError *error, + gpointer userdata); + static void 
file_transfer_operation_send_progress(SpiceFileTransferTask *xfer_task); ++static void spice_migrate_unref(spice_migrate *mig); + + /* ------------------------------------------------------------------ */ + +@@ -387,6 +389,7 @@ static void spice_main_channel_finalize(GObject *obj) + { + SpiceMainChannelPrivate *c = SPICE_MAIN_CHANNEL(obj)->priv; + ++ spice_migrate_unref(c->migrate_data); + g_free(c->agent_msg_data); + agent_free_msg_queue(SPICE_MAIN_CHANNEL(obj)); + +@@ -2242,11 +2245,50 @@ static void main_handle_agent_token(SpiceChannel *channel, SpiceMsgIn *in) + agent_send_msg_queue(SPICE_MAIN_CHANNEL(channel)); + } + ++static spice_migrate* ++spice_migrate_ref(spice_migrate *mig) ++{ ++ if (mig != NULL) { ++ mig->ref_count++; ++ } ++ return mig; ++} ++ ++static void ++spice_migrate_unref(spice_migrate *mig) ++{ ++ if (mig != NULL && --mig->ref_count == 0) { ++ g_free(mig); ++ } ++} ++ ++static inline void ++spice_migrate_idle_add(gboolean (*func)(spice_migrate *mig), spice_migrate *mig) ++{ ++ g_idle_add_full(G_PRIORITY_DEFAULT_IDLE, (GSourceFunc) func, spice_migrate_ref(mig), ++ (GDestroyNotify) spice_migrate_unref); ++} ++ ++static void ++spice_migrate_closure_unref(spice_migrate *mig, GClosure *closure) ++{ ++ spice_migrate_unref(mig); ++} ++ ++static gulong ++spice_migrate_signal_connect(gpointer instance, const gchar *detailed_signal, ++ GCallback func, spice_migrate *mig) ++{ ++ return g_signal_connect_data(instance, detailed_signal, func, spice_migrate_ref(mig), ++ (GClosureNotify) spice_migrate_closure_unref, ++ (GConnectFlags) 0); ++} ++ + /* main context */ +-static void migrate_channel_new_cb(SpiceSession *s, SpiceChannel *channel, gpointer data) ++static void migrate_channel_new_cb(SpiceSession *s, SpiceChannel *channel, spice_migrate *mig) + { +- g_signal_connect(channel, "channel-event", +- G_CALLBACK(migrate_channel_event_cb), data); ++ spice_migrate_signal_connect(channel, "channel-event", ++ G_CALLBACK(migrate_channel_event_cb), mig); + } + + 
static void +@@ -2267,7 +2309,7 @@ static void spice_main_channel_send_migration_handshake(SpiceChannel *channel) + + if (!spice_channel_test_capability(channel, SPICE_MAIN_CAP_SEAMLESS_MIGRATE)) { + c->migrate_data->do_seamless = false; +- g_idle_add(main_migrate_handshake_done, c->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, c->migrate_data); + } else { + SpiceMsgcMainMigrateDstDoSeamless msg_data; + SpiceMsgOut *msg_out; +@@ -2282,13 +2324,12 @@ static void spice_main_channel_send_migration_handshake(SpiceChannel *channel) + + /* main context */ + static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent event, +- gpointer data) ++ spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c = SPICE_CHANNEL(channel)->priv; + + g_return_if_fail(mig->nchannels > 0); +- g_signal_handlers_disconnect_by_func(channel, migrate_channel_event_cb, data); ++ g_signal_handlers_disconnect_by_func(channel, migrate_channel_event_cb, mig); + + switch (event) { + case SPICE_CHANNEL_OPENED: +@@ -2299,7 +2340,8 @@ static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent ev + + c->state = SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE; + mig->dst_channel = channel; +- main_priv->migrate_data = mig; ++ spice_migrate_unref(main_priv->migrate_data); ++ main_priv->migrate_data = spice_migrate_ref(mig); + } else { + c->state = SPICE_CHANNEL_STATE_MIGRATING; + mig->nchannels--; +@@ -2332,9 +2374,8 @@ static void migrate_channel_event_cb(SpiceChannel *channel, SpiceChannelEvent ev + } + + /* main context */ +-static gboolean main_migrate_handshake_done(gpointer data) ++static gboolean main_migrate_handshake_done(spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c = SPICE_CHANNEL(mig->dst_channel)->priv; + + g_return_val_if_fail(c->channel_type == SPICE_CHANNEL_MAIN, FALSE); +@@ -2348,9 +2389,8 @@ static gboolean main_migrate_handshake_done(gpointer data) + } + + /* main context */ 
+-static gboolean migrate_connect(gpointer data) ++static gboolean migrate_connect(spice_migrate *mig) + { +- spice_migrate *mig = data; + SpiceChannelPrivate *c; + int port, sport; + const char *host; +@@ -2393,8 +2433,8 @@ static gboolean migrate_connect(gpointer data) + g_object_set(mig->session, "host", host, NULL); + spice_session_set_port(mig->session, port, FALSE); + spice_session_set_port(mig->session, sport, TRUE); +- g_signal_connect(mig->session, "channel-new", +- G_CALLBACK(migrate_channel_new_cb), mig); ++ spice_migrate_signal_connect(mig->session, "channel-new", ++ G_CALLBACK(migrate_channel_new_cb), mig); + + g_signal_emit(mig->src_channel, signals[SPICE_MIGRATION_STARTED], 0, + mig->session); +@@ -2414,50 +2454,56 @@ static void main_migrate_connect(SpiceChannel *channel, + { + SpiceMainChannelPrivate *main_priv = SPICE_MAIN_CHANNEL(channel)->priv; + int reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECT_ERROR; +- spice_migrate mig = { 0, }; ++ spice_migrate *mig; + SpiceMsgOut *out; + SpiceSession *session; + +- mig.src_channel = channel; +- mig.info = dst_info; +- mig.from = coroutine_self(); +- mig.do_seamless = do_seamless; +- mig.src_mig_version = src_mig_version; ++ mig = spice_new0(spice_migrate, 1); ++ mig->ref_count = 1; ++ mig->src_channel = channel; ++ mig->info = dst_info; ++ mig->from = coroutine_self(); ++ mig->do_seamless = do_seamless; ++ mig->src_mig_version = src_mig_version; + + CHANNEL_DEBUG(channel, "migrate connect"); + session = spice_channel_get_session(channel); +- mig.session = spice_session_new_from_session(session); +- if (mig.session == NULL) ++ mig->session = spice_session_new_from_session(session); ++ if (mig->session == NULL) { + goto end; +- if (!spice_session_set_migration_session(session, mig.session)) ++ } ++ if (!spice_session_set_migration_session(session, mig->session)) { + goto end; ++ } + +- main_priv->migrate_data = &mig; ++ spice_migrate_unref(main_priv->migrate_data); ++ main_priv->migrate_data = 
spice_migrate_ref(mig); + + /* no need to track idle, call is sync for this coroutine */ +- g_idle_add(migrate_connect, &mig); ++ spice_migrate_idle_add(migrate_connect, mig); + + /* switch to main loop and wait for connections */ + coroutine_yield(NULL); + +- if (mig.nchannels != 0) { ++ if (mig->nchannels != 0) { + CHANNEL_DEBUG(channel, "migrate failed: some channels failed to connect"); + spice_session_abort_migration(session); + } else { +- if (mig.do_seamless) { ++ if (mig->do_seamless) { + SPICE_DEBUG("migration (seamless): connections all ok"); + reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECTED_SEAMLESS; + } else { + SPICE_DEBUG("migration (semi-seamless): connections all ok"); + reply_type = SPICE_MSGC_MAIN_MIGRATE_CONNECTED; + } +- spice_session_start_migrating(session, mig.do_seamless); ++ spice_session_start_migrating(session, mig->do_seamless); + } + + end: + CHANNEL_DEBUG(channel, "migrate connect reply %d", reply_type); + out = spice_msg_out_new(channel, reply_type); + spice_msg_out_send(out); ++ spice_migrate_unref(mig); + } + + /* coroutine context */ +@@ -2489,7 +2535,7 @@ static void main_handle_migrate_dst_seamless_ack(SpiceChannel *channel, SpiceMsg + + g_return_if_fail(c->state == SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE); + main_priv->migrate_data->do_seamless = true; +- g_idle_add(main_migrate_handshake_done, main_priv->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, main_priv->migrate_data); + } + + static void main_handle_migrate_dst_seamless_nack(SpiceChannel *channel, SpiceMsgIn *in) +@@ -2501,7 +2547,7 @@ static void main_handle_migrate_dst_seamless_nack(SpiceChannel *channel, SpiceMs + + g_return_if_fail(c->state == SPICE_CHANNEL_STATE_MIGRATION_HANDSHAKE); + main_priv->migrate_data->do_seamless = false; +- g_idle_add(main_migrate_handshake_done, main_priv->migrate_data); ++ spice_migrate_idle_add(main_migrate_handshake_done, main_priv->migrate_data); + } + + /* main context */ +-- +2.28.0 + 
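Review bot: In migrate_channel_event_cb the new code calls `g_signal_handlers_disconnect_by_func(channel, migrate_channel_event_cb, mig)` and then keeps dereferencing `mig` for the rest of the callback, while that disconnect is what eventually releases the reference this handler's closure took through spice_migrate_closure_unref. As I read GLib, the closure is finalized only after the current emission returns, and main_priv->migrate_data or the session's channel-new connection holds another reference anyway, so this is safe today, but it deserves a comment above the disconnect such as `/* the closure's ref on mig is released only after this emission ends; migrate_data keeps mig alive */` so nobody later moves the disconnect or drops the other reference without noticing. `ref_count` is a plain `int`, which is fine while every ref/unref happens in the main context as the surrounding comments state; if that ever changes, g_atomic_int_inc/g_atomic_int_dec_and_test are the drop-in replacement. Several hunks cut into functions whose bodies start or end outside them (spice_main_channel_send_migration_handshake, migrate_channel_event_cb, main_migrate_handshake_done, migrate_connect).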
diff --git a/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch b/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch
new file mode 100644
index 0000000..29959c4
--- /dev/null
+++ b/SOURCES/0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch
@@ -0,0 +1,71 @@
+From ab42be2b00d12d0bc98c6ddea08a7f969e83b2ac Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Mon, 10 Aug 2020 15:35:26 +0100
+Subject: [PATCH 29/31] channel-main: Copy SpiceMigrationDstInfo into
+ spice_migrate
+
+The message could disappear while the structure is used.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ src/channel-main.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/src/channel-main.c b/src/channel-main.c
+index 8caf727..5f81975 100644
+--- a/src/channel-main.c
++++ b/src/channel-main.c
+@@ -121,7 +121,7 @@ struct _SpiceMainChannelPrivate {
+
+ struct spice_migrate {
+ struct coroutine *from;
+- SpiceMigrationDstInfo *info;
++ SpiceMigrationDstInfo info;
+ SpiceSession *session;
+ int ref_count;
+ guint nchannels;
+@@ -2258,6 +2258,8 @@ static void
+ spice_migrate_unref(spice_migrate *mig)
+ {
+ if (mig != NULL && --mig->ref_count == 0) {
++ g_free(mig->info.host_data);
++ g_free(mig->info.cert_subject_data);
+ g_free(mig);
+ }
+ }
+@@ -2396,7 +2398,6 @@ static gboolean migrate_connect(spice_migrate *mig)
+ const char *host;
+
+ g_return_val_if_fail(mig != NULL, FALSE);
+- g_return_val_if_fail(mig->info != NULL, FALSE);
+ g_return_val_if_fail(mig->nchannels == 0, FALSE);
+ c = SPICE_CHANNEL(mig->src_channel)->priv;
+ g_return_val_if_fail(c != NULL, FALSE);
+@@ -2404,7 +2405,7 @@ static gboolean migrate_connect(spice_migrate *mig)
+
+ spice_session_set_migration_state(mig->session, SPICE_SESSION_MIGRATION_CONNECTING);
+
+- SpiceMigrationDstInfo *info = mig->info;
++ SpiceMigrationDstInfo *info = &mig->info;
+ SPICE_DEBUG("migrate_begin %u %s %d %d",
+ info->host_size, info->host_data, info->port, info->sport);
+ port = info->port;
+@@ -2461,7 +2462,13 @@ static void main_migrate_connect(SpiceChannel *channel,
+ mig = spice_new0(spice_migrate, 1);
+ mig->ref_count = 1;
+ mig->src_channel = channel;
+- mig->info = dst_info;
++ mig->info = *dst_info;
++ if (dst_info->host_data) {
++ mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data);
++ }
++ if (dst_info->cert_subject_data) {
++ mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data);
++ }
+ mig->from = coroutine_self();
+ mig->do_seamless = do_seamless;
+ mig->src_mig_version = src_mig_version;
+--
+2.28.0
+
diff --git a/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch b/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch
new file mode 100644
index 0000000..4010f4b
--- /dev/null
+++ b/SOURCES/0030-channel-main-Make-more-clear-that-host_data-and-cert.patch
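Review bot: `mig->info = *dst_info;` is a shallow struct copy that briefly leaves `mig->info.host_data` and `mig->info.cert_subject_data` pointing into the message buffer, and the two `if` blocks then replace them with heap copies; the copied `host_size` and `cert_subject_size` still describe the wire fields rather than the duplicates, so a comment on the new struct member, e.g. `SpiceMigrationDstInfo info; /* deep copy: *_data are owned NUL-terminated strings, *_size are the wire sizes */`, would document what spice_migrate_unref now owns and frees. Because the copy preserves NULL pointers, the unconditional `g_free` of both fields in spice_migrate_unref is correct, and the `(void *)` casts suggest the fields are not `gchar *`; a short note saying the cast is intentional avoids someone "cleaning it up" later. The enclosing functions migrate_connect and main_migrate_connect start and end outside their hunks.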
@@ -0,0 +1,47 @@
+From 1f2a7a079a42ac9bccc12749c5eac4fcdbd48b2e Mon Sep 17 00:00:00 2001
+From: Frediano Ziglio
+Date: Wed, 16 Sep 2020 17:12:14 +0100
+Subject: [PATCH 30/31] channel-main: Make more clear that host_data and
+ cert_subject_data are C strings
+
+After commit ab42be2b00d12d0bc98c6ddea08a7f969e83b2ac ("channel-main:
+Copy SpiceMigrationDstInfo into spice_migrate") host_data and
+cert_subject_data fields in spice_migrate structure are proper
+terminated C strings so:
+- check pointer instead of related field;
+- you don't need to terminate again.
+
+Signed-off-by: Frediano Ziglio
+Acked-by: Uri Lublin
+---
+ src/channel-main.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/channel-main.c b/src/channel-main.c
+index 5f81975..2881d59 100644
+--- a/src/channel-main.c
++++ b/src/channel-main.c
+@@ -2412,18 +2412,14 @@ static gboolean migrate_connect(spice_migrate *mig)
+ sport = info->sport;
+ host = (char*)info->host_data;
+
+- if (info->cert_subject_size == 0 ||
++ if (info->cert_subject_data == NULL ||
+ strlen((const char*)info->cert_subject_data) == 0) {
+ /* only verify hostname if no cert subject */
+ g_object_set(mig->session, "verify", SPICE_SESSION_VERIFY_HOSTNAME, NULL);
+ } else {
+- gchar *subject = g_alloca(info->cert_subject_size + 1);
+- strncpy(subject, (const char*)info->cert_subject_data, info->cert_subject_size);
+- subject[info->cert_subject_size] = '\0';
+-
+ // session data are already copied
+ g_object_set(mig->session,
+- "cert-subject", subject,
++ "cert-subject", info->cert_subject_data,
+ "verify", SPICE_SESSION_VERIFY_SUBJECT,
+ NULL);
+ }
+--
+2.28.0
+
diff --git a/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch b/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch
new file mode 100644
index 0000000..7abc850
--- /dev/null
+++ b/SOURCES/0031-channel-main-Handle-not-terminated-host_data-and-cer.patch
@@ -0,0 +1,38 @@ +From 9b98e01c8f5d0dc8faaf3af7b8fc95768e1ff0ad Mon Sep 17 00:00:00 2001 +From: Frediano Ziglio +Date: Wed, 16 Sep 2020 15:50:33 +0100 +Subject: [PATCH 31/31] channel-main: Handle not terminated host_data and + cert_subject_data fields + +host_data and cert_subject_data fields from SPICE messages could be +not NUL terminated so using g_strdup can lead to some read overflow. + +This bug was discovered by Uri Lublin. + +Signed-off-by: Frediano Ziglio +Acked-by: Uri Lublin +--- + src/channel-main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/channel-main.c b/src/channel-main.c +index 2881d59..5fefded 100644 +--- a/src/channel-main.c ++++ b/src/channel-main.c +@@ -2460,10 +2460,11 @@ static void main_migrate_connect(SpiceChannel *channel, + mig->src_channel = channel; + mig->info = *dst_info; + if (dst_info->host_data) { +- mig->info.host_data = (void *) g_strdup((char*) dst_info->host_data); ++ mig->info.host_data = (void *) g_strndup((char*) dst_info->host_data, dst_info->host_size); + } + if (dst_info->cert_subject_data) { +- mig->info.cert_subject_data = (void *) g_strdup((char*) dst_info->cert_subject_data); ++ mig->info.cert_subject_data = (void *) g_strndup((char*) dst_info->cert_subject_data, ++ dst_info->cert_subject_size); + } + mig->from = coroutine_self(); + mig->do_seamless = do_seamless; +-- +2.28.0 + diff --git a/SPECS/spice-gtk.spec b/SPECS/spice-gtk.spec index 81d8bdf..199c863 100644 --- a/SPECS/spice-gtk.spec +++ b/SPECS/spice-gtk.spec @@ -2,7 +2,7 @@ Name: spice-gtk Version: 0.38 -Release: 5%{?dist} +Release: 6%{?dist} Summary: A GTK+ widget for SPICE clients Group: System Environment/Libraries 
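Review bot: `g_strndup((char*) dst_info->host_data, dst_info->host_size)` and the matching `cert_subject_size` call bound the copy by size fields carried in the message, so the over-read is closed only if those sizes were already checked against the message length by the demarshaller; the hunk does not show that validation, and a one-line comment above the first `if`, e.g. `/* host_size/cert_subject_size are trusted here because the demarshaller validated them against the message length */`, would record the assumption this fix depends on. Note that g_strndup stops at an embedded NUL, so `mig->info.host_size` kept from the struct copy may be larger than strlen of the duplicate; any later consumer must take the string length rather than the size field, which is what the companion commit 0030 does for cert_subject_data. The enclosing function main_migrate_connect starts and ends outside the hunk.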
@@ -36,6 +36,21 @@ Patch0020: 0020-mark_false_event_id-is-guint-assign-0-to-it-not-FALS.patch Patch0021: 0021-usb-backend-create_emulated_device-assert-address-32.patch Patch0022: 0022-spice-utils-allocate-ctx-after-g_return_val_if_fail.patch +# migration fixes: some earlier patches to make the following patches apply +Patch0023: 0023-channel-main-Fix-indentation.patch +Patch0024: 0024-channel-main-Fix-indentation.patch +Patch0025: 0025-channel-main-Remove-unused-declaration.patch +# related to patch 0009 +Patch0026: 0026-main-add-a-few-missing-vdagent-capability-descriptio.patch +# same file, safer code +Patch0027: 0027-main-add-stricter-pre-condition-on-display-id-value.patch +# migration fixes: the patches +Patch0028: 0028-channel-main-Use-heap-and-reference-counting-for-spi.patch +Patch0029: 0029-channel-main-Copy-SpiceMigrationDstInfo-into-spice_m.patch +Patch0030: 0030-channel-main-Make-more-clear-that-host_data-and-cert.patch +Patch0031: 0031-channel-main-Handle-not-terminated-host_data-and-cer.patch + + BuildRequires: meson BuildRequires: git-core BuildRequires: gnupg2 @@ -203,6 +218,10 @@ gpgv2 --quiet --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0} %{_bindir}/spicy-stats %changelog +* Sun Dec 13 2020 Uri Lublin - 0.38-6 +- Fix some migration issues + Related: rhbz#1867564 + * Thu Dec 03 2020 Uri Lublin - 0.38-5 - Fix more static analyzer issues Resolves: rhbz#1839104