Bug 37269 – computerroom segfault due to libqjpeg.so

Bug 37269 - computerroom segfault due to libqjpeg.so


Summary:	computerroom segfault due to libqjpeg.so

Status:	CLOSED FIXED

Product:	UCS@school
Classification:	Unclassified
Component:	UMC - Computer room
Version:	UCS@school 3.2 R2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS@school 4.0 Errata
Assigned To:	Florian Best
QA Contact:	Sönke Schwardt-Krummrich

URL:
Keywords:

Depends on:
Blocks:	37768
	Show dependency tree / graph

Reported:	2014-12-09 16:49 CET by Janis Meybohm
Modified:	2016-11-25 12:02 CET (History)
CC List:	5 users (show)

See Also:	43051
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Flags:	best: Patch_Available+

Attachments
coredump (9.55 MB, application/gzip) 2014-12-09 16:49 CET, Janis Meybohm	Details
dpkg-query (51.37 KB, text/plain) 2014-12-17 11:58 CET, Janis Meybohm	Details
patch: fix_computerroom_segfault_due_to_libqjpeg (1.65 KB, patch) 2015-01-13 16:01 CET, Alexander Kramer	Details \| Diff
patch: fix_computerroom_segfault_due_to_libqjpeg (768 bytes, patch) 2015-01-13 16:33 CET, Alexander Kramer	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Janis Meybohm

2014-12-09 16:49:37 CET

Created attachment 6517 [details]
coredump

2014082621000327

09.12.14 08:10:07.464  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 141810900738998-13371
09.12.14 08:10:07.464  PARSER      ( INFO    ) : UMCP REQUEST 141810900739237-13372 parsed successfully
09.12.14 08:10:07.464  MODULE      ( INFO    ) : Received request 141810900739237-13372
09.12.14 08:10:07.464  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 141810900739237-13372
09.12.14 08:10:07.464  MODULE      ( INFO    ) : Executing ['computerroom/screenshot']
09.12.14 08:10:07.465  PROTOCOL    ( INFO    ) : Sending UMCP RESPONSE 141810900739237-13372
09.12.14 08:10:07.465  PARSER      ( INFO    ) : UMCP REQUEST 141810900739405-13373 parsed successfully
09.12.14 08:10:07.465  MODULE      ( INFO    ) : Received request 141810900739405-13373
09.12.14 08:10:07.465  PROTOCOL    ( INFO    ) : Received UMCP COMMAND REQUEST 141810900739405-13373
09.12.14 08:10:07.465  MODULE      ( INFO    ) : Executing ['computerroom/screenshot']
09.12.14 08:10:10.042  DEBUG_INIT
...


Dec  9 08:10:07 ieu04-sr12 kernel: [644830.953203] univention-mana[9143]: segfault at 7fb0dca48012 ip 00007fb0b5deaa10 sp 00007fffc89ac0a0 error 4 in libqjpeg.so[7fb0b5de6000+8000]

ucs-school-umc-computerroom 5.0.8-3.151.201411061732
libqtgui4 4:4.6.3-4.43.201107140905

Linux ieu04-sr12 3.10.0-ucs81-amd64 #1 SMP Debian 3.10.11-1.81.201409041448 (2014-09-04) x86_64 GNU/Linux
Univention DC Slave 3.2-3



No steps on how to reproduce this but it leads to an unusable UMC until UMC-web-server and UMC-server are restarted.

Comment 1 Janis Meybohm

2014-12-17 11:58:33 CET

Created attachment 6548 [details]
dpkg-query

Comment 2 Alexander Kramer

2015-01-13 16:01:48 CET

Created attachment 6597 [details]
patch: fix_computerroom_segfault_due_to_libqjpeg

Comment 3 Alexander Kramer

2015-01-13 16:33:14 CET

Created attachment 6598 [details]
patch: fix_computerroom_segfault_due_to_libqjpeg

Comment 4 Florian Best

2015-01-27 11:39:57 CET

Patch applied in svn r57579.

Comment 5 Florian Best

2015-01-27 12:24:26 CET

merged to UCS@school 3.2

Comment 6 Alexander Kramer

2015-02-09 14:46:36 CET

fyi some background information:

Alex Kläser debugged the core-file and came up with the following hypothesis:
During a picture is written to /tmp the file pointer becomes invalid cause of a connection-error. Alex found this hint width gdb:

print *image.d
$1 = { [...] data = 0x7fb0dca48010 <Address 0x7fb0dca48010 out of
bounds>, [...] }

Sönke helped me to reproduced the error. We added the following code to ./usr/share/pyshared/univention/management/console/modules/computerroom/italc2.py:

    def screenshot2(self):
        MODULE.process('### QA: End of sleep 60.')
        tmpfile = tempfile.NamedTemporaryFile( delete = False )
        tmpfile.close()
        writer = QImageWriter( tmpfile.name, 'JPG' )
        writer.write( self._screenshot )

    # iTalc: screenshots
    @property
    def screenshot( self ):
        image = self._vnc.image()
        if not image.byteCount():
            return None
        MODULE.process('### QImage: %s' % (image,));
        MODULE.process('### QA: Restart the win-Client.')
        self._screenshot = image
        self._timer_screenshot = notifier.timer_add(60000, self.screenshot2)
    
        tmpfile = tempfile.NamedTemporaryFile( delete = False )
        tmpfile.close()
        #writer = QImageWriter( tmpfile.name, 'JPG' )
        #writer.write( image )
        return tmpfile

With this debug helper we set a ucs@school vm with a joined windows-client and did the following test:

- change the resolution of the windows client
- restart the windows-client
- stop the italc process
- disconnect the windows-client 

	
» Übersetzung(en) tabellarisch anzeigen | immer
» Übersetzungen mit gleichem Wortanfang
» unfortunate | unfortunately
 
	SYNO  	alas | regrettably | unfortunately ... 
	

Unfortunately I wasn't able to reproduce the error because of the rare timing. So we decided to fix this bug anyway. See the attached patch.

Comment 7 Sönke Schwardt-Krummrich

2015-02-20 18:04:18 CET

Patch has been used during build:

sschwardt@omar:/var/univention/buildsystem2/apt/ucs_4.0-0-ucs-school-4.0/source$ gunzip < italc_2.0.22-3.71.201501271147.tar.gz | grep -Fa 'if(t->m_image.width() != cl->width && t->m_image.height() != cl->height)'
        if(t->m_image.width() != cl->width && t->m_image.height() != cl->height)
+       if(t->m_image.width() != cl->width && t->m_image.height() != cl->height)

OK: patch applied
OK: iTALC still works
??: was still unable to trigger the segfault
OK: XML changelog
OK: debian changelog
OK: package built

Comment 8 Sönke Schwardt-Krummrich

2015-02-27 15:19:36 CET

UCS@school 4.0 v2 has been released:
http://docs.univention.de/release-notes-ucsschool-4.0v2-de.html

If this error occurs again, please use "Clone This Bug".

Comment 9 Florian Best

2016-01-19 14:33:15 CET

Maybe this patch would have been a alternative if the theory in comment 6 is correct?:

diff --git a/ucs-school-umc-computerroom/umc/python/computerroom/italc2.py b/ucs-school-umc-computerroom/umc/python/computerroom/italc2.py
index b45a33c..e882540 100644
--- a/ucs-school-umc-computerroom/umc/python/computerroom/italc2.py
+++ b/ucs-school-umc-computerroom/umc/python/computerroom/italc2.py
@@ -461,6 +461,8 @@ class ITALC_Computer( notifier.signals.Provider, QObject ):
        # iTalc: screenshots
        @property
        def screenshot( self ):
+               if self._state.current != 'connected':
+                       return
                image = self._vnc.image()
                if not image.byteCount():
                        return None