VirtualBox

Custom Query (16363 matches)

Results (76 - 78 of 16363)

Ticket Resolution Summary Owner Reporter
#19579 fixed VBoxManage Segmentation Fault - VirtualBox 6.1.6 on macOS/Linux => fixed in svn/VBox.next BP cemonatk
Description

VBoxManage Segmentation Fault - VirtualBox 6.1.6 on macOS/Linux

Greetings,

Oracle VM VirtualBox software has a “Null Pointer Dereference” vulnerability on version 6.1.6. Hence it gives "Segmentation Fault" output.

poc.cpp and strace_output.txt and strace_output.png files are shared below: https://drive.google.com/open?id=1vUK6qdqQdNb89iG9_WhDyUpXZeGeXp7I

Steps to reproduce this vulnerability:

  1. Install Oracle VM VirtualBox on *nix
  2. Run the command below:
    1. VBoxManage internalcommands repairhd -format karray fireh
  3. You will see “Segmentation Fault: 11”.
  4. You can see a more detailed one with the following command:
    1. sudo strace -i /usr/bin/VBoxManage internalcommands repairhd -format karray fireh

Reproduction steps of our “poc.cpp” Proof of Concept code which is also shared above.

  1. Download the latest source code from “https://www.virtualbox.org/svn/vbox/trunk/”. You can use wget for this:
    1. wget -m -np virtualbox.org/svn/vbox/trunk/
  2. Add one of the following macros at the top of the “/include/iprt/cdefs.h” file:
    1. #define IN_RING3
    2. #define IN_RING0
    3. or #define IN_RC
  3. Compile our “poc.cpp” with the following command:
    1. gcc -o poc poc.cpp -I ./include
  4. Run the compiled binary with strace:
    1. sudo strace -i ./poc
  5. You will see the following output on the terminal:

[0000000000400619] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x168} ---
???????????????? +++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

You can compare the output with the output that we have below:

Command: sudo strace -i /usr/bin/VBoxManage internalcommands repairhd -format karray fireh

Output:

…
[00007fa0b6f7b3d7] close(9) = 0
[00007fa0b81c7a69] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x168} ---
???????????????? +++ killed by SIGSEGV (core dumped) +++
Segmentation fault (core dumped)

As you can see in the output, the error is the same as the one we have with the “VBoxManage” binary application.

Root Cause of The Issue:

Design Logic of RT_SUCCESS macros in the following header file: https://www.virtualbox.org/browser/vbox/trunk/include/iprt/errcore.h

  1. The "rc" value which is passed into the following line is NULL:

#define RT_SUCCESS(rc) ( RT_LIKELY(RT_SUCCESS_NP(rc)) )

  2. Then "rc" is passed into "RT_SUCCESS_NP" as seen in the following lines:

#ifdef RTERR_STRICT_RC
# define RT_SUCCESS_NP(rc) ( RTErrStrictType(rc).success() )
#else
# define RT_SUCCESS_NP(rc) ( (int)(rc) >= VINF_SUCCESS )
#endif

The part above has 2 conditions:

When the "rc" variable, which was NULL, is converted to an integer, it is set to zero "0": " (int)(rc) "

2.1. If it was defined before then the following defines:

The following part calls success() method: RTErrStrictType(rc).success()

In the constructor of "RTErrStrictType", it sets the value to m_rc(rc).

class RTErrStrictType
...
    RTErrStrictType(int32_t rc)
        : m_rc(rc)
    {

It is initialized as 0 (zero) in the following part since it is int32_t:

protected:
    int32_t m_rc;

The source code of success() which was called before is below:

bool success() const
{
    return m_rc >= 0;
}

Therefore, this condition always returns True since it is 0>=0.

2.2. If it was not defined before then the following defines:

The code part which shows that "VINF_SUCCESS" is 0: https://www.virtualbox.org/browser/vbox/trunk/include/iprt/err.mac

%define VINF_SUCCESS 0

Then the macro becomes as follows:

# define RT_SUCCESS_NP(rc) True

Then the following code also always returns True since it is always 0>=0:

(int)(rc) >= VINF_SUCCESS

Reference: CWE-476: NULL Pointer Dereference - https://cwe.mitre.org/data/definitions/476.html

Finders of this vulnerability: Cem Onat Karagun of Diesec and Fatih Erdogan of Zemana.
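
Added example, not part of the ticket, of poc.cpp or of the VirtualBox sources: a status check of the `(int)(rc) >= VINF_SUCCESS` form quoted above says nothing about whether an output pointer was filled in, and a field read through a NULL base faults at the field's offset, which is how a `si_addr` such as `0x168` typically arises. The `DISKIMAGE` structure and its layout, `EX_ERR_NULL_POINTER`, `open_image_stub` and the other functions are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define VINF_SUCCESS 0
#define EX_ERR_NULL_POINTER (-1)                          /* hypothetical error code */
#define RT_SUCCESS_NP(rc) ( (int)(rc) >= VINF_SUCCESS )   /* non-strict form quoted in the ticket */

/* Hypothetical structure: padding chosen so that cbSize sits at offset 0x168. */
typedef struct DISKIMAGE {
    uint8_t  abHeader[0x168];
    uint64_t cbSize;
} DISKIMAGE;

/* Hypothetical callee: always reports success, but leaves *ppImage NULL for some inputs. */
static int open_image_stub(const char *pszFormat, DISKIMAGE **ppImage)
{
    static DISKIMAGE s_Image = { {0}, 4096 };
    *ppImage = (pszFormat && pszFormat[0] == 'V') ? &s_Image : NULL;
    return VINF_SUCCESS;
}

/* Address that reading pImage->cbSize touches when pImage is NULL. */
static size_t null_base_fault_address(void) { return offsetof(DISKIMAGE, cbSize); }

/* Status-only check: returns 1 when the caller would go on to dereference NULL. */
static int status_only_check_would_crash(const char *pszFormat)
{
    DISKIMAGE *pImage = NULL;
    int rc = open_image_stub(pszFormat, &pImage);
    return RT_SUCCESS_NP(rc) && pImage == NULL;
}

/* Hardened pattern: validate the status and the pointer before use. */
static int read_size_checked(const char *pszFormat, uint64_t *pcbSize)
{
    DISKIMAGE *pImage = NULL;
    int rc = open_image_stub(pszFormat, &pImage);
    if (!RT_SUCCESS_NP(rc)) return rc;
    if (pImage == NULL) return EX_ERR_NULL_POINTER;
    *pcbSize = pImage->cbSize;
    return VINF_SUCCESS;
}

int main(void)
{
    uint64_t cb = 0;
    printf("fault address 0x%zx, status-only crash=%d, checked rc=%d\n",
           null_base_fault_address(), status_only_check_would_crash("karray"),
           read_size_checked("karray", &cb));
    return 0;
}
```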

#19706 fixed MacOS hosts no longer able to run VBoxHeadless as of 6.0.18 and 6.1.4 => fixed in svn/6.1.x x>12 BP myshell
Description

It is impossible to launch a VM in headless mode because of a problem of setugid which is not allowed.

It works fine with VirtualBox 6.1.2 but not with the following versions.

The error message seen is:

$ /Applications/VirtualBox.app/Contents/MacOS/VBoxHeadless -s solaris
Oracle VM VirtualBox Headless Interface 6.1.4
(C) 2008-2020 Oracle Corporation
All rights reserved.

2020-07-24 09:40:25.798 VBoxHeadless[2026:18559] The application with bundle ID org.virtualbox.app.VirtualBox is running setugid(), which is not allowed.

#19856 fixed 'VBoxManage unattended install' fails to detect system locale => fixed in svn/6.1.x x>14 BP Olleg
Description

Version 6.1.12 r139181 (Qt5.6.3), macOS 10.15.6 (19G2021)

According to the documentation on the unattended install, if the locale and the timezone are not specified in the arguments, VirtualBox must get the locale and the timezone from the host OS. But for macOS this does not work.

Here is a script to test:

#!/bin/bash
# safe bash
set -o errexit -o noclobber -o nounset -o pipefail -o xtrace -o errtrace
# check command line arguments
if [ $# -ne 2 ]
then
   echo -e "Usage:\n\t $0 <redhat_installation_image.iso> <ssh_public_key_file>" 1>&2
   exit 1
fi
dvd_iso="$1"
echo "Check installation image \"${dvd_iso}\""
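# quote the command substitution so the detected values are not word-split or globbed before eval
eval "$(VBoxManage unattended detect --iso "${dvd_iso}" --machine-readable)"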
if [ "$OSTypeId" = 'RedHat_64' -a "$OSVersion" = '7' ]
then
   echo "The installation image \"${dvd_iso}\" is Ok"
else
   echo "Error: The installation image must be RedHat 7 64bit or so like (CentOS, for instance)" 1>&2
   exit 2
fi
ssh_public_key="$2"
echo "Check ssh public key \"${ssh_public_key}\""
if [ -r "${ssh_public_key}" ]
then
   ssh_fingerprint="$(ssh-keygen -l -f "${ssh_public_key}" | cut -d ' ' -f 2)"
else
   echo "Error: The ssh public key file is not readable" 1>&2
   exit 3
fi

readonly vm_name='TestVirtualBox'
readonly vboxvm_vdi=~/"Library/VirtualBox/${vm_name}/${vm_name}.vdi"

VBoxManage createvm --name "${vm_name}" --ostype RedHat_64 --register
VBoxManage modifyvm "${vm_name}" --memory 600 --vram=10 --boot1 dvd --boot2 disk --boot3 none --boot4 none --rtcuseutc on --graphicscontroller vmsvga --firmware bios --defaultfrontend headless --nic1 nat --nictype1 virtio --mouse ps2 --keyboard ps2 --audio none --cpus 2
VBoxManage setextradata "${vm_name}" 'GUI/ScaleFactor' 2
VBoxManage createmedium disk --filename "${vboxvm_vdi}" --size 3072
VBoxManage storagectl "${vm_name}" --name 'DiskController' --add sas --hostiocache on --bootable on
VBoxManage storagectl "${vm_name}" --name 'DVDController' --add sata --hostiocache on --bootable on
VBoxManage storageattach "${vm_name}" --storagectl 'DiskController' --type hdd --port 0 --device 0 --medium "${vboxvm_vdi}"
VBoxManage storageattach "${vm_name}" --storagectl 'DVDController' --type dvddrive --port 0 --device 0 --medium "${dvd_iso}"
VBoxManage unattended install "${vm_name}" --iso="${dvd_iso}" --hostname="${vm_name}.${vm_name}" --package-selection-adjustment='minimal' --script-template="redhat.kickstart" --post-install-command="mkdir -m 700 \"\${MY_TARGET}/root/.ssh\" && echo '$(cat "${ssh_public_key}")' >>\"\${MY_TARGET}/root/.ssh/authorized_keys\"" --start-vm='headless' --extra-install-kernel-parameters='net.ifnames=0 biosdevname=0 ks=cdrom:/ks.cfg' # --locale='ru_RU' --time-zone="Europe/Moscow"

Kickstart file:

#platform=x86, AMD64, or Intel EM64T
#version=DEVEL

eula --agreed

# Firewall configuration
firewall --disabled

# Install OS instead of upgrade
install

# Use CDROM installation media
cdrom

# Root password
rootpw --plaintext @@VBOX_INSERT_ROOT_PASSWORD_SH@@

# System authorization information
auth  --useshadow  --passalgo=sha512

# Use text mode install
text

# System keyboard
keyboard --vckeymap=us

# System language
lang @@VBOX_INSERT_LOCALE@@

# OL 6.4 needs this, but it doesn't work with RHEL60.
#unsupported_hardware

# SELinux configuration
selinux --enforcing

# Installation logging level
logging --level=info

# System timezone
timezone@@VBOX_COND_IS_RTC_USING_UTC@@ --utc@@VBOX_COND_END@@ @@VBOX_INSERT_TIME_ZONE_UX@@

# Network information
network --device=eth0 --onboot=on --bootproto=dhcp --noipv6 --activate

# System bootloader configuration
bootloader --location=mbr --append="nomodeset crashkernel=auto net.ifnames=0 biosdevname=0"
zerombr

# Partition clearing information
clearpart --all --initlabel

# Disk partitioning information
part / --label system --fstype ext4 --grow --asprimary

# Reboot after installation
# Note! Not sure exactly when the --eject option was added. Need to find out and make it optional.
reboot --eject

%packages
-plymouth
-chrony
-kexec-tools
-NetworkManager
-NetworkManager-team
-NetworkManager-tui
-NetworkManager-wifi
%end

# Post install happens in a different script.
# Note! We mount the CDROM explicitly here since the location differs between fedora 26 to rhel5
#       and apparently there isn't any way to be certain that anaconda didn't unmount it already.
%post --nochroot --log=/mnt/sysimage/root/ks-post.log
df -h
mkdir -p /tmp/vboxcdrom
mount /dev/cdrom /tmp/vboxcdrom
cp /tmp/vboxcdrom/vboxpostinstall.sh /mnt/sysimage/root/vboxpostinstall.sh
chmod a+x /mnt/sysimage/root/vboxpostinstall.sh
/bin/bash /mnt/sysimage/root/vboxpostinstall.sh --rhel
umount /tmp/vboxcdrom
%end

%addon com_redhat_kdump --disable
%end

Here is the environment:

$ locale
LANG="ru_RU.UTF-8"
LC_COLLATE="ru_RU.UTF-8"
LC_CTYPE="ru_RU.UTF-8"
LC_MESSAGES="ru_RU.UTF-8"
LC_MONETARY="ru_RU.UTF-8"
LC_NUMERIC="ru_RU.UTF-8"
LC_TIME="ru_RU.UTF-8"
LC_ALL="ru_RU.UTF-8"
$ sudo systemsetup -gettimezone
Password:
Time Zone: Europe/Moscow

When I run with the default timezone and locale, VirtualBox does not get them from the OS:

VBoxManage: info: Starting unattended installation of RedHat_64 in machine 'TestVirtualBox' (084b9732-228c-42d2-b4a7-84495815cadc).
VBoxManage: info: Using values:
                           isoPath = /Users/olleg/prog/CentOS-7-x86_64-Minimal-2003.iso
                              user = vboxuser
                          password = changeme
                      fullUserName =
                        productKey =
                  additionsIsoPath = /Applications/VirtualBox.app/Contents/MacOS/VBoxGuestAdditions.iso
             installGuestAdditions = false
              validationKitIsoPath =
            installTestExecService = false
                            locale = en_US
                           country = RU
                          timeZone = Etc/UTC
                             proxy =
                          hostname = TestVirtualBox.TestVirtualBox
       packageSelectionAdjustments = minimal
                 auxiliaryBasePath = /Users/olleg/Library/VirtualBox/TestVirtualBox/Unattended-084b9732-228c-42d2-b4a7-84495815cadc-
                        imageIndex = 1
                scriptTemplatePath = /Users/olleg/prog/redhat.kickstart
     postInstallScriptTemplatePath = /Applications/VirtualBox.app/Contents/MacOS/UnattendedTemplates/redhat_postinstall.sh
                postInstallCommand = mkdir -m 700 "${MY_TARGET}/root/.ssh" && echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9PrVXezMvKBPbSYDL5b/dtlQKlhLoamO5Ga47xa+KG olleg@petrel' >>"${MY_TARGET}/root/.ssh/authorized_keys"
      extraInstallKernelParameters = net.ifnames=0 biosdevname=0 ks=cdrom:/ks.cfg
                          language = en-US
                  detectedOSTypeId = RedHat_64
                 detectedOSVersion = 7
                  detectedOSFlavor =
               detectedOSLanguages = en-US
                   detectedOSHints =
VBoxManage: info: Waiting for VM 'TestVirtualBox' to power on...
VBoxManage: info: VM 'TestVirtualBox' (084b9732-228c-42d2-b4a7-84495815cadc) has been successfully started.

But if I uncomment these options in the script, everything works:

VBoxManage: info: Starting unattended installation of RedHat_64 in machine 'TestVirtualBox' (cf49aefb-c275-4422-9952-b505aecf1346).
VBoxManage: info: Using values:
                           isoPath = /Users/olleg/prog/CentOS-7-x86_64-Minimal-2003.iso
                              user = vboxuser
                          password = changeme
                      fullUserName =
                        productKey =
                  additionsIsoPath = /Applications/VirtualBox.app/Contents/MacOS/VBoxGuestAdditions.iso
             installGuestAdditions = false
              validationKitIsoPath =
            installTestExecService = false
                            locale = ru_RU
                           country = RU
                          timeZone = Europe/Moscow
                             proxy =
                          hostname = TestVirtualBox.TestVirtualBox
       packageSelectionAdjustments = minimal
                 auxiliaryBasePath = /Users/olleg/Library/VirtualBox/TestVirtualBox/Unattended-cf49aefb-c275-4422-9952-b505aecf1346-
                        imageIndex = 1
                scriptTemplatePath = /Users/olleg/prog/redhat.kickstart
     postInstallScriptTemplatePath = /Applications/VirtualBox.app/Contents/MacOS/UnattendedTemplates/redhat_postinstall.sh
                postInstallCommand = mkdir -m 700 "${MY_TARGET}/root/.ssh" && echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB9PrVXezMvKBPbSYDL5b/dtlQKlhLoamO5Ga47xa+KG olleg@petrel' >>"${MY_TARGET}/root/.ssh/authorized_keys"
      extraInstallKernelParameters = net.ifnames=0 biosdevname=0 ks=cdrom:/ks.cfg
                          language = en-US
                  detectedOSTypeId = RedHat_64
                 detectedOSVersion = 7
                  detectedOSFlavor =
               detectedOSLanguages = en-US
                   detectedOSHints =
VBoxManage: info: Waiting for VM 'TestVirtualBox' to power on...
VBoxManage: info: VM 'TestVirtualBox' (cf49aefb-c275-4422-9952-b505aecf1346) has been successfully started.