[Qemu-devel] SPICE session's connection

qemu-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Qemu-devel] SPICE session's connection_id's are not unique

From:	Michael Tokarev
Subject:	[Qemu-devel] SPICE session's connection_id's are not unique
Date:	Wed, 30 Jan 2019 18:29:04 +0300
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0

Forwarding to qemu-devel@ from http://bugs.debian.org/920897

Thanks,

/mjt

-------- Forwarded message --------
Subject:        Bug#920897: SPICE session's connection_id's are not unique
Date:   Wed, 30 Jan 2019 11:21:54 +0000
From:   Philip Pum <address@hidden>

Package: qemu-system-x86
Version: 1:2.8+dfsg-6+deb9u4

When creating a virtual machine with qemu (e.g. via libvirt) including a SPICE 
server, the client_id of the SPICE session is not unique. For example, starting 
multiple virtual machines on the same libvirtd, the client_id is the same for 
all virtual machine's SPICE sessions.

A description of the client_id can be found in

https://www.spice-space.org/static/docs/spice_protocol.pdf under section 2.11. 
c) :

"UINT32 connection_id - In case of a new session (i.e., channel type is 
RED_CHANNEL_MAIN) this field is set to zero, and in response the server will allocate 
session id and will send it via the RedLinkReply message. In case of all other channel 
types, this field will be equal to the allocated session id"

The relevant code for generating client ids in libspice-server1 can be found 
here: 
https://gitlab.freedesktop.org/spice/spice/blob/v0.12.8/server/reds.c#L1614

This uses rand() to generate the random id, but qemu (at least in the case of 
qemu-system-x86) fails to initialize the RNG seed (with e.g. srand()).

The result is, that every SPICE session started (by e.g. libvirtd) has the same 
client_id. Usually, this is not a problem, but running something like a SPICE 
proxy, relying on the client_id to correctly route connections, this creates 
problems.

Adding something like 'srand(time(NULL));' to qemu (in vl.c) solves this issue. 
Related (as seen in some VNC patches, e.g. 
'CVE-2017-15124/04-ui-avoid-pointless-VNC-updates-if-framebuffer-isn-t-.patch/ui/vnc.c'
 ):  srand(time(NULL)+getpid()+getpid()*987654+rand());

Tested on Debian 9.7 with kernel  4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 
(2018-05-07) x86_64 GNU/Linux.

[Prev in Thread]

Current Thread

[Next in Thread]

[Qemu-devel] SPICE session's connection_id's are not unique, Michael Tokarev <=
- Re: [Qemu-devel] SPICE session's connection_id's are not unique, Daniel P . Berrangé, 2019/01/30

Prev by Date: [Qemu-devel] [PATCH v2 10/10] iotests.py: s/_/-/g on keys in qmp_log()
Next by Date: Re: [Qemu-devel] [PATCH v4 2/8] target/ppc: rework vmrg{l, h}{b, h, w} instructions to use Vsr* macros
Previous by thread: [Qemu-devel] [PATCH v2 00/10] iotests: Fix some issues
Next by thread: Re: [Qemu-devel] SPICE session's connection_id's are not unique
Index(es):
- Date
- Thread