VirtualBox

Custom Query (16363 matches)

Results (2488 - 2490 of 16363)

Ticket Resolution Summary Owner Reporter
#12611 fixed [trace+patch] VBoxHeadless crashes when connected by vncviewer if VNC/VRDE is enabled at runtime => Fixed in SVN Dennis Chen
Description

VBoxHeadless crashes when connected by vncviewer if VNC/VRDE is enabled at runtime.

Root Cause

VNC screen's frame buffer is not initialized properly when VNCServerImpl::VRDEEnableConnections is invoked without the first call to VNCServerImpl::VRDEResize, which causes the VNC client output thread to crash on null frame buffer.

Test Environment

4.3.6 and 4.2.20 on CentOS 6.2 x86_64

Affected Versions

4.3.x and 4.2.x

Reproducible Steps

  1. Create a live snapshot of Windows VM with VRDE disabled.
  2. Resume the Windows VM (e.g., win7), then enable VRDE with the following commands:
    • # VBoxManage controlvm win7 vrdeport 5901
    • # VBoxManage controlvm win7 vrde on
  3. Use a vncviewer (e.g., tightvnc) to connect to the VM console.
  4. VBoxHeadless crashes at the client output thread with SIGSEGV.

Stack Trace

# gdb
GNU gdb Fedora (6.8-37.el5)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
(gdb) file VBoxHeadless
Reading symbols from /home/tests/virtualbox.4.2.20/bin/VBoxHeadless...done.
(gdb) r -s win7 -vrde config
Starting program: /home/tests/virtualbox.4.2.20/bin/VBoxHeadless -s win7 -vrde config
[Thread debugging using libthread_db enabled]
[New Thread 0x2b541d243190 (LWP 28344)]
[New Thread 0x40020940 (LWP 28347)]
[New Thread 0x40041940 (LWP 28348)]
[Thread 0x40041940 (LWP 28348) exited]
[Thread 0x40020940 (LWP 28347) exited]
Oracle VM VirtualBox Headless Interface 4.2.20_OSE
(C) 2008-2014 Oracle Corporation
All rights reserved.

Detaching after fork from child process 28349.
[New Thread 0x40020940 (LWP 28353)]
[New Thread 0x40041940 (LWP 28354)]
Detaching after fork from child process 28355.
[New Thread 0x400c2940 (LWP 28388)]
[New Thread 0x40143940 (LWP 28390)]
[New Thread 0x401c4940 (LWP 28391)]
[New Thread 0x40245940 (LWP 28392)]
[New Thread 0x40346940 (LWP 28393)]
[New Thread 0x403c7940 (LWP 28394)]
[New Thread 0x40448940 (LWP 28395)]
[New Thread 0x404c9940 (LWP 28396)]
[New Thread 0x4054a940 (LWP 28397)]
[New Thread 0x405cb940 (LWP 28398)]
[New Thread 0x4064c940 (LWP 28399)]
[New Thread 0x406cd940 (LWP 28400)]
[New Thread 0x406ee940 (LWP 28401)]
[New Thread 0x4070f940 (LWP 28402)]
[New Thread 0x40730940 (LWP 28403)]
[New Thread 0x407b1940 (LWP 28404)]
[New Thread 0x40832940 (LWP 28405)]
[Thread 0x40832940 (LWP 28405) exited]
[Thread 0x401c4940 (LWP 28391) exited]

Program received signal SIGINT, Interrupt.
0x00000036992cced2 in select () from /lib64/libc.so.6
(gdb) b VBoxVNC.cpp:667
No source file named VBoxVNC.cpp.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (VBoxVNC.cpp:667) pending.
(gdb) c
Continuing.
[New Thread 0x407c2940 (LWP 31663)]
14/01/2014 02:51:23 Listening for VNC connections on TCP port 5901
VRDE server is listening on port 5901.
[Switching to Thread 0x40041940 (LWP 29752)]

Breakpoint 1, VNCServerImpl::VRDEEnableConnections (hServer=<value optimized out>, fEnable=<value optimized out>)
    at /home/tests/VirtualBox-4.2.20/src/VBox/ExtPacks/VNC/VBoxVNC.cpp:667
667	/home/tests/VirtualBox-4.2.20/src/VBox/ExtPacks/VNC/VBoxVNC.cpp: No such file or directory.
	in /home/tests/VirtualBox-4.2.20/src/VBox/ExtPacks/VNC/VBoxVNC.cpp
(gdb) p vncServer->frameBuffer
$1 = 0x0
(gdb) c
Continuing.
[New Thread 0x40843940 (LWP 29785)]
14/01/2014 02:01:10 Listening for VNC connections on TCP port 5901
VRDE server is listening on port 5901.
[New Thread 0x41044940 (LWP 29786)]
14/01/2014 02:01:18   other clients:
[New Thread 0x41845940 (LWP 29865)]
[New Thread 0x42046940 (LWP 29866)]
14/01/2014 02:01:18 Client Protocol Version 3.8
14/01/2014 02:01:18 Protocol version sent 3.8, using 3.8
14/01/2014 02:01:18 rfbProcessClientSecurityType: executing handler for type 2
14/01/2014 02:01:19 Using image quality level 6 for client 127.0.0.1
14/01/2014 02:01:19 Enabling NewFBSize protocol extension for client 127.0.0.1
14/01/2014 02:01:19 Enabling LastRect protocol extension for client 127.0.0.1
14/01/2014 02:01:19 Enabling cursor position updates for client 127.0.0.1
14/01/2014 02:01:19 Enabling full-color cursor updates for client 127.0.0.1
14/01/2014 02:01:19 Using raw encoding for client 127.0.0.1
14/01/2014 02:01:19 Pixel format for client 127.0.0.1:
14/01/2014 02:01:19   32 bpp, depth 24, little endian
14/01/2014 02:01:19   true colour: max r 255 g 255 b 255, shift r 16 g 8 b 0

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x42046940 (LWP 29866)]
rfbTranslateWithRGBTables32to32 (table=0x6fe240 "", in=0x6e97a8, out=<value optimized out>, iptr=0x0, optr=0x6f20dc "���\021���",
    bytesBetweenInputLines=<value optimized out>, width=800, height=9) at tabletranstemplate.c:104
104     tabletranstemplate.c: No such file or directory.
        in tabletranstemplate.c
Current language:  auto; currently c
(gdb) bt
#0  rfbTranslateWithRGBTables32to32 (table=0x6fe240 "", in=0x6e97a8, out=<value optimized out>, iptr=0x0, optr=0x6f20dc "???\021???", 
    bytesBetweenInputLines=<value optimized out>, width=800, height=9) at tabletranstemplate.c:104
#1  0x00002aaaefe22e93 in rfbSendRectEncodingRaw (cl=0x6f1ff0, x=<value optimized out>, y=<value optimized out>, w=800, h=600) at rfbserver.c:3010
#2  0x00002aaaefe24505 in rfbSendFramebufferUpdate (cl=0x6f1ff0, givenUpdateRegion=<value optimized out>) at rfbserver.c:2840
#3  0x00002aaaefe21a3e in clientOutput (data=<value optimized out>) at main.c:497
#4  0x0000003699a064a7 in start_thread () from /lib64/libpthread.so.0
#5  0x00000036992d3c2d in clone () from /lib64/libc.so.6
(gdb) info locals
ip = (uint32_t *) 0x0
op = (uint32_t *) 0x6f20dc
ipextra = 0
opLineEnd = (uint32_t *) 0x6f2d5c
greenTable = (uint32_t *) 0x6fe640
blueTable = (uint32_t *) 0x6fea40
(gdb) up
#1  0x00002aaaefe22e93 in rfbSendRectEncodingRaw (cl=0x6f1ff0, x=<value optimized out>, y=<value optimized out>, w=800, h=600) at rfbserver.c:3010
3010    rfbserver.c: No such file or directory.
        in rfbserver.c
(gdb) p cl->scaledScreen->frameBuffer
$6 = 0x0
(gdb) p cl->screen->frameBuffer
$7 = 0x0
(gdb) 

Patch

This patch also fixes memory leaks with VNC handle when enabling/disabling VNC connections.

diff -Naur VirtualBox-4.3.6.orig/src/VBox/ExtPacks/VNC/VBoxVNC.cpp VirtualBox-4.3.6/src/VBox/ExtPacks/VNC/VBoxVNC.cpp
--- VirtualBox-4.3.6.orig/src/VBox/ExtPacks/VNC/VBoxVNC.cpp	2013-11-29 02:34:11.000000000 +0800
+++ VirtualBox-4.3.6/src/VBox/ExtPacks/VNC/VBoxVNC.cpp	2014-01-06 10:19:27.000000000 +0800
@@ -66,6 +66,7 @@
 public:
     VNCServerImpl()
     {
+        mVNCServer = NULL;
         mFrameBuffer = NULL;
         mScreenBuffer = NULL;
         mCursor = NULL;
@@ -79,6 +80,9 @@
         if (mCursor)
             rfbFreeCursor(mCursor);
         memset(szVNCPassword, '\0', sizeof(szVNCPassword));
+
+        if (mVNCServer)
+            rfbScreenCleanup(mVNCServer);
     }
 
     int Init(const VRDEINTERFACEHDR *pCallbacks, void *pvCallback);
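
Review bot: The destructor now calls rfbScreenCleanup(mVNCServer) without stopping the server first, whereas the enable/disable path in this same patch calls rfbShutdownServer(instance->mVNCServer, TRUE) before an old screen is released. If the object is destroyed while connections are still enabled, client threads may still be using the screen when it is freed. Suggest calling rfbShutdownServer(mVNCServer, TRUE) ahead of rfbScreenCleanup here and setting mVNCServer to NULL afterwards.
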
@@ -257,11 +261,18 @@
 #endif
     LogFlowFunc(("enter\n"));
 
+    if (instance->mVNCServer)
+        rfbShutdownServer(instance->mVNCServer, TRUE);
+
+    if (!fEnable)
+        return VINF_SUCCESS;
+
     // query server for the framebuffer
     VRDEFRAMEBUFFERINFO info;
     int rc = instance->mCallbacks->VRDECallbackFramebufferQuery(instance->mCallback, 0, &info);
 
     rfbScreenInfoPtr vncServer = rfbGetScreen(0, NULL, info.cWidth, info.cHeight, 8, 3, VNC_SIZEOFRGBA);
+    rfbScreenInfoPtr oldVNCServer = instance->mVNCServer;
     instance->mVNCServer = vncServer;
     vncServer->serverFormat.redShift = 16;
     vncServer->serverFormat.greenShift = 8;
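
Review bot: On the early return for !fEnable the screen is shut down but instance->mVNCServer still points at it, so it is neither freed nor cleared until the next enable or the destructor, and the next call runs rfbShutdownServer on a screen that is already shut down. Suggest calling rfbScreenCleanup and setting instance->mVNCServer = NULL before returning VINF_SUCCESS. Separately, in the context lines rc from VRDECallbackFramebufferQuery is not checked before info.cWidth and info.cHeight are used, and the rfbGetScreen result is dereferenced without a NULL check; both are worth guarding while this function is being changed.
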
@@ -269,6 +280,11 @@
     vncServer->screenData = (void *)instance;
     vncServer->desktopName = "VBoxVNC";
 
+    VRDEResize(hServer);
+
+    if (oldVNCServer)
+        rfbScreenCleanup(oldVNCServer);
+
 #ifndef VBOX_USE_IPV6
 
     // get listen address
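
Review bot: Nothing after the added VRDEResize(hServer) call confirms that the frame buffer was actually set, and a NULL frame buffer is what crashes the client output thread in the trace above. Suggest checking vncServer->frameBuffer at this point and failing the enable instead of going on to listen when it is still NULL. A short comment explaining why the old screen is cleaned up only after the resize would also help the next reader.
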
#3482 invalid [security] Shared Folders >> Add Share >> Other defaults to system32 directory! cboyd
Description

I just noticed this and it seems like a horrible security flaw. See attached screenshots. When you specify sharing of a folder, the tree view dialog that pops up defaults to system32. You should default to something more benign.

#17914 wontfix [security] NAT VM bypasses host firewall tweevosha
Description

A NAT VM is able to completely bypass the host firewall and access services on blocked ports. For example, the guest can ping the host (even if the host firewall blocks pings) and can access the host web server (even if the host firewall blocks access to the web server). There may be a zillion other non-public host services which are accessible to the guest.

Affects Linux hosts running an iptables-based firewall.
