tags 608756 + confirmed upstream patch squeeze sid
thanks

Replying to an old bug report...

On 03.01.2011 14:04, Harald Dunkel wrote:
> Package: qemu-kvm
> Version: 0.12.5+dfsg-5
>
> I get an assertion on the host, if I try to increase the
> screen size from 1280x1024 to 1400x1050 on the guest.
>
> # kvm -m 512 -drive file=Win7.vmdk,boot=on -net nic,macaddr=00:00:00:11:22:33 -net tap -uuid 564d8e7f-aca4-40a2-1444-aa30a3112233 -vnc :1 -usbdevice tablet -vga vmware
> kvm: malloc.c:3097: sYSMALLOc: Assertion `(old_top == (((mbinptr) (((char *) &((av)->bins[((1) - 1) * 2])) - __builtin_offsetof (struct malloc_chunk, fd)))) && old_size == 0) || ((unsigned long) (old_size) >= (unsigned long)((((__builtin_offsetof (struct malloc_chunk, fd_nextsize))+((2 * (sizeof(size_t))) - 1)) & ~((2 * (sizeof(size_t))) - 1))) && ((old_top)->size & 0x1) && ((unsigned long)old_end & pagemask) == 0)' failed.
> Aborted (core dumped)
>
> The guest runs Windows 7 with the current Vmware drivers
> installed. The problem seems to be reproducible.

On 03.01.2011 15:07, you wrote:
> PPS: Using "-vga std" I get a memory corruption (see below).
> 1280x1024 and 1600x1200 seem to work fine.

There's a bug in vnc handling of several resolutions. This bug is still present in the 1.0 version of qemu and qemu-kvm, and has been fixed only very recently.

The problem is that the vnc code in qemu assumes that the screen width is a multiple of 16, and this assumption is relied on in several places, allocating buffers of smaller size if this is not the case. The result is random memory corruption. 1400 is not a multiple of 16, so this explains why it happens with 1400x1050 but not with the other sizes you mentioned (both of which have widths divisible by 16).

Note this is a problem which can be triggered by the guest, so it can be considered a DoS condition and hence is security-sensitive. But from another point of view, since for regular desktop usage there's a workaround (not using 1400xNNNN modes), I think it does not have to be of high priority.

Also, it only happens with the vnc console, and does not affect the SDL console.

Now that upstream has released a fix I can (trivially) backport it to squeeze, and most likely will.

I'm sorry it took me so long - to be fair, I dislike dealing with vnc bugs. It just happened that I noticed that Gerd Hoffmann sent a patch fixing it today.

Thanks!

/mjt
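An added illustration of the failure mode described in the reply (width assumed to be a multiple of 16, so per-tile bookkeeping is sized too small for 1400-pixel rows). This is a constructed stand-in for a dirty-tile map, not QEMU's own vnc code; the structure, function names and the 16-pixel tile width are assumptions, and the bounds check in `dirty_map_mark` replaces the out-of-bounds write the real bug would perform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define TILE_W 16  /* assumption: changed pixels tracked in 16-pixel-wide tiles */

/* Tiles per row if the code assumes width is a multiple of 16 (the buggy assumption). */
size_t tiles_truncated(size_t width) { return width / TILE_W; }
/* Tiles per row with a partial last tile counted (what a fix must do). */
size_t tiles_rounded_up(size_t width) { return (width + TILE_W - 1) / TILE_W; }
/* Right-edge pixels that a truncated map has no slot for. */
size_t uncovered_pixels(size_t width) { return width - tiles_truncated(width) * TILE_W; }

/* Constructed stand-in for a dirty-tile map: one byte per tile per row. */
typedef struct { size_t cols, rows; uint8_t *tiles; } dirty_map;
static int dirty_map_init(dirty_map *m, size_t width, size_t height, int round_up) {
    m->cols = round_up ? tiles_rounded_up(width) : tiles_truncated(width);
    m->rows = height;
    m->tiles = calloc(m->cols * m->rows, 1);
    return m->tiles ? 0 : -1;
}

/* Mark the tile holding pixel (x, y). The bounds check stands in for the
   out-of-bounds write a truncated map would otherwise do; -1 means overflow. */
int dirty_map_mark(dirty_map *m, size_t x, size_t y) {
    size_t col = x / TILE_W;
    if (col >= m->cols || y >= m->rows) return -1;
    m->tiles[y * m->cols + col] = 1;
    return 0;
}

/* Build a map for width x height with the chosen rounding and mark the last
   pixel of the last row; 0 if it fits, -1 if the map cannot hold it. */
int mark_last_pixel(size_t width, size_t height, int round_up) {
    dirty_map m;
    if (dirty_map_init(&m, width, height, round_up) != 0) return -1;
    int rc = dirty_map_mark(&m, width - 1, height - 1);
    free(m.tiles);
    return rc;
}

int main(void) {
    size_t widths[] = { 1280, 1400, 1600 };  /* the three modes from the report */
    for (size_t i = 0; i < 3; i++)
        printf("%zu px wide: %zu uncovered, truncated map %s\n", widths[i],
               uncovered_pixels(widths[i]),
               mark_last_pixel(widths[i], 1050, 0) ? "OVERFLOWS" : "holds");
    return 0;
}
```

Only the 1400-wide mode leaves pixels without a tile slot, matching the reporter's observation that 1280x1024 and 1600x1200 work.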