xfreerdp 2.11.5 still broken with: "Fastpath update Bitmap [1] failed, status 0"

Question

xfreerdp 2.11.5 still broken with: "Fastpath update Bitmap [1] failed, status 0"

frispete opened this issue a month ago · comments

$ xfreerdp2 /bpp:24 /size:1920x1200 /v:x.y.z.0 /u:user '/p:pass' +fonts +aero +clipboard
[12:51:17:122] [2597:2598] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[12:51:17:122] [2597:2598] [WARN][com.freerdp.crypto] - CN = WIN2K16-01.domain.local
[12:51:18:425] [2597:2598] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[12:51:18:425] [2597:2598] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[12:51:18:468] [2597:2598] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[12:51:19:087] [2597:2598] [ERROR][com.freerdp.core.fastpath] - Fastpath update Bitmap [1] failed, status 0
[12:51:19:087] [2597:2598] [ERROR][com.freerdp.core.fastpath] - fastpath_recv_update_data: fastpath_recv_update() - -1
[12:51:19:087] [2597:2598] [ERROR][com.freerdp.core.fastpath] - fastpath_recv_update_data() fail
[12:51:19:087] [2597:2598] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -3
[12:51:19:087] [2597:2598] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
[12:51:19:087] [2597:2598] [INFO][com.freerdp.client.common] - Network disconnect!

This issue is reported to be fixed by: aeac304

which is included in the 2.11.5 release. Probably, it's not the full fix, because:

adding /gfx does fix the issue
using -fast-path does not, it connects and shows a black window only
xfreerdp 3.4.0 doesn't show this behaviour, it works straight away

These tests are all done with openSUSE Tumbleweed 20240407, specifically in my home repo, where I attempt to build FreeRDP 2 and 3 in a friendly co-existing fashion, and make krdc 23.08.5 work with freerdp2. krdc 24.02.1 uses the freerdp3 library directly. That approach cannot supply additional options to the xfreerdp process, that might be required at certain setups...

akallabeth · Answer 1 · Thu Apr 11 2024 19:34:51 GMT+0800 (China Standard Time)

@frispete

please add a debug or trace log output, this might be something else.
-fast-path will be dropped (it is useless if you use anything newer than XP)
/gfx does only work if the remote has it enabled, so not sure this tells us anything

Hans-Peter Jansen · Answer 2 · Thu Apr 11 2024 23:34:10 GMT+0800 (China Standard Time)

@akallabeth with pleasure!
xfreerdp2.log

akallabeth · Answer 3 · Fri Apr 12 2024 15:04:09 GMT+0800 (China Standard Time)

@frispete ok, the commit you reference is for 32bit color depth, you´re running 16bit (forced by server, your command line specifies 24).
that is using interleaved_decompress

Hans-Peter Jansen · Answer 4 · Mon Apr 15 2024 04:52:14 GMT+0800 (China Standard Time)

@akallabeth FYI, here are logs for requesting 16 and 32 bits color depth attached.
xfreerdp2-16.log
xfreerdp2-32.log

akallabeth · Answer 5 · Mon Apr 15 2024 14:08:57 GMT+0800 (China Standard Time)

@frispete they are all 16bpp ;)
your server is forcing this.
anyway, don´t currently have time for this but I´ve added it to the list of backports to do.

Hans-Peter Jansen · Answer 6 · Mon Apr 15 2024 19:28:10 GMT+0800 (China Standard Time)

@akallabeth

don´t currently have time for this but I´ve added it to the list of backports to do
Sure, no problem, the /gfx work around is doing fine so far.

After being related to this project since more than a decade, I can only express my heartfelt thanks for your tireless efforts! This project is so outstanding because of you!

Hans-Peter Jansen · Answer 7 · Thu Apr 18 2024 17:53:01 GMT+0800 (China Standard Time)

Thanks a bunch for addressing these issues @akallabeth

While updating our freerdp2 package from 2.11.5 to 2.11.6, I noticed, that we still carry a CVE-2023-40574-to-2023-40576.patch, that derived from you. It doesn't apply anymore, but interestingly, some parts do:

$ quilt pu
Applying patch freerdp-CVE-2023-40574-to-2023-40576.patch
patching file libfreerdp/primitives/prim_YUV.c
patching file libfreerdp/codec/include/bitmap.c
Hunk #1 FAILED at 46.
Hunk #2 FAILED at 76.
Hunk #3 FAILED at 134.
Hunk #4 FAILED at 144.
Hunk #5 FAILED at 166.
Hunk #6 FAILED at 176.
Hunk #7 FAILED at 197.
Hunk #8 FAILED at 212.
Hunk #9 FAILED at 232.
Hunk #10 FAILED at 257.
Hunk #11 FAILED at 278.
Hunk #12 FAILED at 343.
Hunk #13 FAILED at 351.
Hunk #14 FAILED at 405.
Hunk #15 FAILED at 416.
15 out of 15 hunks FAILED -- rejects in file libfreerdp/codec/include/bitmap.c
patching file libfreerdp/codec/interleaved.c
Hunk #1 succeeded at 26 (offset 1 line).
Hunk #2 succeeded at 334 with fuzz 2 (offset 198 lines).
Hunk #3 FAILED at 244.
Hunk #4 FAILED at 268.
Hunk #5 FAILED at 292.
3 out of 5 hunks FAILED -- rejects in file libfreerdp/codec/interleaved.c
Patch freerdp-CVE-2023-40574-to-2023-40576.patch does not apply (enforce with -f)

In general, I fully trust you and this project, that those issues are addressed in the best possible way, but what puzzles me is that those CVE numbers are not mentioned in the stable-2.0 git log. Can you briefly share your thoughts on this, or should I open another issue regarding this?

Distributions tend to be relatively touchy about CVE numbers these days... 😉

akallabeth · Answer 8 · Thu Apr 18 2024 22:09:53 GMT+0800 (China Standard Time)

@frispete in 2.11.6 we backported the whole interleaved.c and include/bitmap.c from 3.5.0 with all patches included. (we did quite a rewrite as there were multiple issues with that decoder)
it solves two things, 1 your bug you reported here, 2. out of bound access just like for 3.5.0

Hans-Peter Jansen · Answer 9 · Thu Apr 18 2024 22:24:52 GMT+0800 (China Standard Time)

Yep, I see.

Just saying, that you may want to mention somewhere, that these changes fixes CVE-2023-40574, CVE-2023-40575 and CVE-2023-40576 as well to make those silly vulnerability crap*scanners happy.