[qemu-xen master] ui: fix VNC client throttling when audio capture is active

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[qemu-xen master] ui: fix VNC client throttling when audio capture is active

commit f9c8767828aa44441681ea683f53cef8135050cd
Author:     Daniel P. Berrange <[hidden email]>
AuthorDate: Mon Dec 18 19:12:24 2017 +0000
Commit:     Michael Roth <[hidden email]>
CommitDate: Mon Feb 12 18:34:14 2018 -0600

    ui: fix VNC client throttling when audio capture is active
    The VNC server must throttle data sent to the client to prevent the 'output'
    buffer size growing without bound, if the client stops reading data off the
    socket (either maliciously or due to stalled/slow network connection).
    The current throttling is very crude because it simply checks whether the
    output buffer offset is zero. This check must be disabled if audio capture is
    enabled, because when streaming audio the output buffer offset will rarely be
    zero due to queued audio data, and so this would starve framebuffer updates.
    As a result, the VNC client can cause QEMU to allocate arbitrary amounts of RAM.
    They can first start something in the guest that triggers lots of framebuffer
    updates eg play a youtube video. Then enable audio capture, and simply never
    read data back from the server. This can easily make QEMU's VNC server send
    buffer consume 100MB of RAM per second, until the OOM killer starts reaping
    processes (hopefully the rogue QEMU process, but it might pick others...).
    To address this we make the throttling more intelligent, so we can throttle
    when audio capture is active too. To determine how to throttle incremental
    updates or audio data, we calculate a size threshold. Normally the threshold is
    the approximate number of bytes associated with a single complete framebuffer
    update. ie width * height * bytes per pixel. We'll send incremental updates
    until we hit this threshold, at which point we'll stop sending updates until
    data has been written to the wire, causing the output buffer offset to fall
    back below the threshold.
    If audio capture is enabled, we increase the size of the threshold to also
    allow for upto 1 seconds worth of audio data samples. ie nchannels * bytes
    per sample * frequency. This allows the output buffer to have a mixture of
    incremental framebuffer updates and audio data queued, but once the threshold
    is exceeded, audio data will be dropped and incremental updates will be
    This unbounded memory growth affects all VNC server configurations supported by
    QEMU, with no workaround possible. The mitigating factor is that it can only be
    triggered by a client that has authenticated with the VNC server, and who is
    able to trigger a large quantity of framebuffer updates or audio samples from
    the guest OS. Mostly they'll just succeed in getting the OOM killer to kill
    their own QEMU process, but its possible other processes can get taken out as
    collateral damage.
    This is a more general variant of the similar unbounded memory usage flaw in
    the websockets server, that was previously assigned CVE-2017-15268, and fixed
    in 2.11 by:
      commit a7b20a8efa28e5f22c26c06cd06c2f12bc863493
      Author: Daniel P. Berrange <[hidden email]>
      Date:   Mon Oct 9 14:43:42 2017 +0100
        io: monitor encoutput buffer size from websocket GSource
    This new general memory usage flaw has been assigned CVE-2017-15124, and is
    partially fixed by this patch.
    Signed-off-by: Daniel P. Berrange <[hidden email]>
    Reviewed-by: Darren Kenny <[hidden email]>
    Reviewed-by: Marc-André Lureau <[hidden email]>
    Message-id: [hidden email]
    Signed-off-by: Gerd Hoffmann <[hidden email]>
    (cherry picked from commit e2b72cb6e0443d90d7ab037858cb6834b6cca852)
    Signed-off-by: Michael Roth <[hidden email]>
 ui/vnc.c | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++--------
 ui/vnc.h |  6 ++++++
 2 files changed, 70 insertions(+), 8 deletions(-)

diff --git a/ui/vnc.c b/ui/vnc.c
index 6ae002c..a2699f5 100644
--- a/ui/vnc.c
+++ b/ui/vnc.c
@@ -60,6 +60,7 @@ static QTAILQ_HEAD(, VncDisplay) vnc_displays =
 static int vnc_cursor_define(VncState *vs);
 static void vnc_release_modifiers(VncState *vs);
+static void vnc_update_throttle_offset(VncState *vs);
 static void vnc_set_share_mode(VncState *vs, VncShareMode mode)
@@ -766,6 +767,7 @@ static void vnc_dpy_switch(DisplayChangeListener *dcl,
         vnc_set_area_dirty(vs->dirty, vd, 0, 0,
+        vnc_update_throttle_offset(vs);
@@ -961,16 +963,67 @@ static int find_and_clear_dirty_height(VncState *vs,
     return h;
+ * Figure out how much pending data we should allow in the output
+ * buffer before we throttle incremental display updates, and/or
+ * drop audio samples.
+ *
+ * We allow for equiv of 1 full display's worth of FB updates,
+ * and 1 second of audio samples. If audio backlog was larger
+ * than that the client would already suffering awful audio
+ * glitches, so dropping samples is no worse really).
+ */
+static void vnc_update_throttle_offset(VncState *vs)
+    size_t offset =
+        vs->client_width * vs->client_height * vs->client_pf.bytes_per_pixel;
+    if (vs->audio_cap) {
+        int freq = vs->as.freq;
+        /* We don't limit freq when reading settings from client, so
+         * it could be upto MAX_INT in size. 48khz is a sensible
+         * upper bound for trustworthy clients */
+        int bps;
+        if (freq > 48000) {
+            freq = 48000;
+        }
+        switch (vs->as.fmt) {
+        default:
+        case  AUD_FMT_U8:
+        case  AUD_FMT_S8:
+            bps = 1;
+            break;
+        case  AUD_FMT_U16:
+        case  AUD_FMT_S16:
+            bps = 2;
+            break;
+        case  AUD_FMT_U32:
+        case  AUD_FMT_S32:
+            bps = 4;
+            break;
+        }
+        offset += freq * bps * vs->as.nchannels;
+    }
+    /* Put a floor of 1MB on offset, so that if we have a large pending
+     * buffer and the display is resized to a small size & back again
+     * we don't suddenly apply a tiny send limit
+     */
+    offset = MAX(offset, 1024 * 1024);
+    vs->throttle_output_offset = offset;
 static bool vnc_should_update(VncState *vs)
     switch (vs->update) {
-        /* Only allow incremental updates if the output buffer
-         * is empty, or if audio capture is enabled.
+        /* Only allow incremental updates if the pending send queue
+         * is less than the permitted threshold
-        if (!vs->output.offset || vs->audio_cap) {
+        if (vs->output.offset < vs->throttle_output_offset) {
             return true;
@@ -1084,11 +1137,13 @@ static void audio_capture(void *opaque, void *buf, int size)
     VncState *vs = opaque;
-    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
-    vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
-    vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
-    vnc_write_u32(vs, size);
-    vnc_write(vs, buf, size);
+    if (vs->output.offset < vs->throttle_output_offset) {
+        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU);
+        vnc_write_u8(vs, VNC_MSG_SERVER_QEMU_AUDIO);
+        vnc_write_u16(vs, VNC_MSG_SERVER_QEMU_AUDIO_DATA);
+        vnc_write_u32(vs, size);
+        vnc_write(vs, buf, size);
+    }
@@ -2288,6 +2343,7 @@ static int protocol_client_msg(VncState *vs, uint8_t *data, size_t len)
+    vnc_update_throttle_offset(vs);
     vnc_read_when(vs, protocol_client_msg, 1);
     return 0;
diff --git a/ui/vnc.h b/ui/vnc.h
index b9d310e..8fe6959 100644
--- a/ui/vnc.h
+++ b/ui/vnc.h
@@ -298,6 +298,12 @@ struct VncState
     VncClientInfo *info;
+    /* We allow multiple incremental updates or audio capture
+     * samples to be queued in output buffer, provided the
+     * buffer size doesn't exceed this threshold. The value
+     * is calculating dynamically based on framebuffer size
+     * and audio sample settings in vnc_update_throttle_offset() */
+    size_t throttle_output_offset;
     Buffer output;
     Buffer input;
     /* current output mode information */
generated by git-patchbot for /home/xen/git/qemu-xen.git#master

Xen-changelog mailing list
[hidden email]