VirtualBox

Results (649 - 651 of 16363)

Ticket Resolution Summary Owner Reporter
#19586 duplicate Mouse buttons freezes when using remote desktop 2020Newbie
Description

The mouse buttons stop working (no response) when running Ubuntu (any version). The pointer still moves, but clicking has no effect.

This is very repeatable - it occurs every 2 or 3 minutes. The only workaround is to close RDT, then start again.

Note: this issue does not happen when running Windows application on the remote machine. Only when running Ubuntu on VirtualBox (6.1.X, i.e. any version of VBox).

#19583 fixed GUI crashes when using Qt on Xwayland sessions (fixed in 6.1.10) Frank Batschulat (Oracle) Frank Batschulat (Oracle)
Description

Trying to start virtualbox (the GUI) on a Fedora 32 system using Qt but also running with a Xwayland session (which is the default) instead of a Xorg session crashes immediately with SIGSEGV.

This test is using VirtualBox Trunk directly built on Fedora32, the .run installer package.

platform info:

Linux lserver.fritz.box 5.6.10-300.fc32.x86_64 #1 SMP Mon May 4 14:29:45 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

[fbatschu@lserver ~]$ cat /etc/redhat-release 
Fedora release 32 (Thirty Two)

PRETTY_NAME="Fedora 32 (Workstation Edition)"

[fbatschu@lserver ~]$ ps -eafd|grep X
earlyoom     784       1  0 13:16 ?        00:00:00 /usr/bin/earlyoom -r 0 -m 4 -M 409600 --prefer ^Web Content$ --avoid ^(dnf|packagekitd|gnome-shell|gnome-session-c|gnome-session-b|lightdm|sddm|sddm-helper|gdm|gdm-wayland-ses|gdm-session-wor|gdm-x-session|Xorg|Xwayland|systemd|systemd-logind|dbus-daemon|dbus-broker|cinnamon|cinnamon-sessio|kwin_x11|kwin_wayland|plasmashell|ksmserver|plasma_session|startplasma-way|xfce4-session|mate-session|marco|lxqt-session|openbox)$
fbatschu    7144    7041  1 13:39 ?        00:00:00 /usr/bin/Xwayland :0 -rootless -noreset -accessx -core -auth /run/user/1000/.mutter-Xwaylandauth.22XIK0 -listen 4 -listen 5 -displayfd 6 -listen 7

how the problem manifests itself:

[fbatschu@lserver ~]$ /usr/bin/virtualbox
Qt WARNING: QSocketNotifier: Can only be used with threads started with QThread
Segmentation fault (core dumped)

[ 1397.632886] VirtualBox[7814]: segfault at 7f38115408a0 ip 00007f380eb00342 sp 00007ffeed2d4470 error 7 in libX11.so.6.3.0[7f380eaeb000+90000]
[ 1397.632904] Code: be 00 02 00 00 bf 01 00 00 00 48 8d 5d 01 e8 a5 e9 fe ff 48 8b 15 a6 1c 11 00 49 89 84 24 88 09 00 00 49 89 c3 49 8b 44 24 08 <48> 89 10 48 0f be 45 00 84 c0 0f 85 f5 fd ff ff c7 04 24 01 00 00

Reading symbols from /opt/VirtualBox/VirtualBox...
Missing separate debuginfo for /opt/VirtualBox/VirtualBox
Try: dnf --enablerepo='*debug*' install /usr/lib/debug/.build-id/36/8917fd07c09ec9197b8d97ec3d22c373483a2c.debug
(No debugging symbols found in /opt/VirtualBox/VirtualBox)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f380eb00342 in _XInternAtom () from /lib64/libX11.so.6

[root@lserver /]# find /usr -name VBox.sh -ls
[root@lserver /]# find /opt -name VBox.sh -ls
 15219930      8 -rwxr-xr-x   1 root     root         4677 May  6 12:54 /opt/VirtualBox/VBox.sh

XDG_SESSION_TYPE=wayland

Hans described the problem and a possible patch on the mailing list:

https://www.virtualbox.org/pipermail/vbox-dev/2020-April/015433.html
https://www.virtualbox.org/pipermail/vbox-dev/2020-April/015436.html

From: "Hans de Goede" <>
To: vbox-dev@virtualbox.org
Subject: [vbox-dev] [ PATCH] Fix crash on startup under Wayland
Date: Tue, 07 Apr 2020 14:00:47 +0200

Hi,

I noticed that with a default Fedora 32 workstation install (default GNOME3 on Wayland session) VirtualBox crashes immediately at startup. The problem is that QT5 now defaults to the Wayland backend and VirtualBox assumes the X11 backend is used and makes a bunch of unchecked X11 calls which cause NULL pointer derefs.

The attached patch is a simple fix which fixes this by setting the QT backend back to X11.

As usual, the patch is released under the MIT license.

Regards,
Hans

No that is a different bug, this is about "VirtualBox" (the
hypervisor managing UI) crashing on startup when started
from a Fedora 32 GNOME3 (Wayland) session.

That bug is about VBoxClient, which is part of the guest additions
crashing.

IOW this fixes a hypervisor (UI) crash, the ticket you are
pointing to fixes a guest (additions) crash. So very much a
different thing.

Also note that I have provided a patch fixing the
guest (additions) crash in the ticket you linked to
5 weeks ago.

As for this being a workaround, VirtualBox makes calls
to QX11Info functions in various places, a quick grep shows:

VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/runtime/UISession.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/runtime/UIFrameBuffer.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/runtime/UIMachineLogic.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/runtime/UIKeyboardHandler.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/runtime/UIMouseHandler.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/globals/UICommon.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/platform/x11/VBoxX11Helper.cpp
VirtualBox-6.1.4/src/VBox/Frontends/VirtualBox/src/widgets/UIHostComboEditor.cpp

And the most called function is QX11Info::display() and the
resulting X11 Display is then used to make a whole lot of
direct Xlib calls in various places.

IOW the assumption that the X11 QT backend / X11 windows are used
under Linux is deeply embedded inside the VirtualBox code. So yes this
is a workaround but properly fixing this will take a significant
(huge even) amount of effort.

Regards,

Hans
diff -up VirtualBox-6.1.4/src/VBox/Installer/linux/VBox.sh~ VirtualBox-6.1.4/src/VBox/Installer/linux/VBox.sh
--- VirtualBox-6.1.4/src/VBox/Installer/linux/VBox.sh~	2020-04-02 18:29:07.000000000 +0200
+++ VirtualBox-6.1.4/src/VBox/Installer/linux/VBox.sh	2020-04-06 10:29:16.560823901 +0200
@@ -88,6 +88,11 @@ if [ "$SHUTDOWN" = "true" ]; then
     exit 0
 fi
 
+# The VirtualBox code uses QX11Info::display() to make direct X11 calls in
+# various places, so it is not ready to run as native Wayland client yet
+# Without this "VirtualBox" crashes immediately at startup under Wayland
+export QT_QPA_PLATFORM=xcb
+
 APP=`basename $0`
 case "$APP" in
     VirtualBox|virtualbox)
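
Review bot: the `export QT_QPA_PLATFORM=xcb` line is placed above `case "$APP" in`, so it takes effect for every APP value that case dispatches, not only the `VirtualBox|virtualbox)` GUI branch the comment talks about, and it unconditionally overwrites any QT_QPA_PLATFORM value already present in the caller's environment. Consider moving the export inside the GUI branch so the non-Qt front ends keep an untouched environment, and have the comment state that the override is deliberate and when it can be dropped (once the QX11Info::display() call sites are no longer unconditional), so a later reader does not remove or "fix" it without context.
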
#19579 fixed VBoxManage Segmentation Fault - VirtualBox 6.1.6 on macOS/Linux => fixed in svn/VBox.next BP cemonatk
Description

VBoxManage Segmentation Fault - VirtualBox 6.1.6 on macOS/Linux

Greetings,

Oracle VM VirtualBox software has a “Null Pointer Dereference” vulnerability on version 6.1.6. Hence it gives "Segmentation Fault" output.

poc.cpp and strace_output.txt and strace_output.png files are shared below: https://drive.google.com/open?id=1vUK6qdqQdNb89iG9_WhDyUpXZeGeXp7I

Steps to reproduce this vulnerability:

  1. Install Oracle VM VirtualBox on *nix
  2. Run the command below:
    1. VBoxManage internalcommands repairhd -format karray fireh
  3. You will see “Segmentation Fault: 11”.
  4. You can see a detailed one with following command:
    1. sudo strace -i /usr/bin/VBoxManage internalcommands repairhd -format karray fireh

Reproduction steps of our “poc.cpp” Proof of Concept code which is also shared above.

  1. Download the latest source code from “https://www.virtualbox.org/svn/vbox/trunk/”. You can use wget for this:
    1. wget -m -np virtualbox.org/svn/vbox/trunk/
  2. Add one of the following macros at the top of the “/include/iprt/cdefs.h” file:
    1. #define IN_RING3
    2. #define IN_RING0
    3. or #define IN_RC
  3. Compile our “poc.cpp” with following commands:
    1. gcc -o poc poc.cpp -I ./include
  4. Run compiled binary with strace:
    1. sudo strace -i ./poc
  5. You will see the following output on terminal:

[0000000000400619] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x168} --- ???????????????? +++ killed by SIGSEGV (core dumped) +++ Segmentation fault (core dumped)

You can compare the output with the output that we have below:

Command: sudo strace -i /usr/bin/VBoxManage internalcommands repairhd -format karray fireh

Output: … [00007fa0b6f7b3d7] close(9) = 0 [00007fa0b81c7a69] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x168} --- ???????????????? +++ killed by SIGSEGV (core dumped) +++ Segmentation fault (core dumped)

As you can see in the output, the error is the same as we have on the “VBoxManage” binary application.

Root Cause of The Issue:

Design Logic of RT_SUCCESS macros in the following header file: https://www.virtualbox.org/browser/vbox/trunk/include/iprt/errcore.h

  1. The "rc" value which is passed into the following line is NULL:

    #define RT_SUCCESS(rc) ( RT_LIKELY(RT_SUCCESS_NP(rc)) )

  2. Then "rc" is passed into "RT_SUCCESS_NP" as seen in the following lines:

    #ifdef RTERR_STRICT_RC
    # define RT_SUCCESS_NP(rc) ( RTErrStrictType(rc).success() )
    #else
    # define RT_SUCCESS_NP(rc) ( (int)(rc) >= VINF_SUCCESS )
    #endif

The part above has 2 conditions:

When the "rc" variable, which was NULL, is converted to integer, it is set to zero "0": " (int)(rc) "

2.1. If it was defined before then the following defines:

The following part calls success() method: RTErrStrictType(rc).success()

In the constructor of "RTErrStrictType", it sets the value to m_rc(rc).

    class RTErrStrictType
    ...
        RTErrStrictType(int32_t rc)
            : m_rc(rc)
        {

It is initialized as 0 (zero) in the following part since it is int32_t:

    protected:
        int32_t m_rc;

The source-code of success() which was called before is below:

    bool success() const
    {
        return m_rc >= 0;
    }

Therefore, this condition always returns True since it is 0>=0.

2.2. If it was not defined before then the following defines:

The code part which shows the "VINF_SUCCESS" is 0: https://www.virtualbox.org/browser/vbox/trunk/include/iprt/err.mac

    %define VINF_SUCCESS 0

Then the macro became as follows: # define RT_SUCCESS_NP(rc) True

Then the following code also always returns True since it is always 0>=0: (int)(rc) >= VINF_SUCCESS

Reference: CWE-476: NULL Pointer Dereference - https://cwe.mitre.org/data/definitions/476.html

Finders of this vulnerability: Cem Onat Karagun of Diesec and Fatih Erdogan of Zemana.
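
An added example, not part of the ticket and not VirtualBox code: it uses the non-strict `RT_SUCCESS_NP` form quoted above to show that a passing status check says nothing about an output pointer, and why a NULL base pointer faults at a small address such as the `si_addr=0x168` in the strace output. `demo_handle`, `demo_lookup`, `DEMO_ERR_NULL_HANDLE` and the 4096-byte page size are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Non-strict status check as quoted in the ticket (iprt/errcore.h). */
#define VINF_SUCCESS 0
#define RT_SUCCESS_NP(rc) ( (int)(rc) >= VINF_SUCCESS )
#define DEMO_ERR_NULL_HANDLE (-1)      /* constructed error code */

/* Constructed type, not a VirtualBox structure: one member placed at
 * offset 0x168, the si_addr shown in the ticket's strace output. */
typedef struct demo_handle { uint8_t pad[0x168]; uint32_t flags; } demo_handle;

static demo_handle g_known = { {0}, 7 };

/* Hypothetical lookup: returns success even when it finds nothing. */
int demo_lookup(const char *name, demo_handle **out)
{
    *out = strcmp(name, "known") == 0 ? &g_known : NULL;
    return VINF_SUCCESS;
}

/* Address a read of ->flags would touch if the base pointer were NULL. */
uint64_t null_member_address(void) { return offsetof(demo_handle, flags); }

/* Triage: a fault inside the first page is consistent with NULL + offset. */
int in_null_page(uint64_t si_addr) { return si_addr < 4096; }

/* Checked caller: test the status, then test the pointer separately. */
int demo_read_flags(const char *name, uint32_t *flags)
{
    demo_handle *h = NULL;
    int rc = demo_lookup(name, &h);
    if (!RT_SUCCESS_NP(rc))
        return rc;
    if (h == NULL)                     /* rc == 0 says nothing about h */
        return DEMO_ERR_NULL_HANDLE;
    *flags = h->flags;
    return VINF_SUCCESS;
}

int main(void)
{
    uint32_t f = 0;
    printf("known:   rc=%d\n", demo_read_flags("known", &f));
    printf("missing: rc=%d\n", demo_read_flags("missing", &f));
    printf("NULL->flags would fault at 0x%llx\n",
           (unsigned long long)null_member_address());
    return 0;
}
```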
