VirtualBox

Ticket #13190 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

VBoxManage showvminfo crash

Reported by: enodata Owned by:
Priority: major Component: VM control
Version: VirtualBox 4.3.14 Keywords: vboxmanage
Cc: Guest type: all
Host type: Windows

Description

VirtualBox 4.3.14, Windows 8.1 x64

When vm has saved state, "VBoxManage showvminfo" crashes when listing Shared Folders.

Here's event log report:

Faulting application name: VBoxManage.exe, version: 0.0.0.0, time stamp: 0x53c537ed
Faulting module name: VBoxC.dll, version: 4.3.14.0, time stamp: 0x53c537cc
Exception code: 0x80000003
Fault offset: 0x000000000014cfb9
Faulting process id: 0x1c68
Faulting application start time: 0x01cfa14c0731a17c
Faulting application path: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
Faulting module path: C:\Program Files\Oracle\VirtualBox\VBoxC.dll
Report Id: 44f46752-0d3f-11e4-8267-2089843fea36
Faulting package full name: 
Faulting package-relative application ID: 

Attachments

VBox.log Download (94.9 KB) - added by enodata 3 years ago.
Test vm.vbox Download (8.0 KB) - added by mskov 3 years ago.
dummy VM

Change History

comment:1 Changed 3 years ago by frank

I cannot reproduce this with VBox 4.3.14 on Windows 7 and I don't believe that there is really a difference in this regards between Windows 7 and Windows 8.1. Could you attach a VBox.log file of a VM session when you run this VM? Perhaps the name of the shared folders is relevant?

Changed 3 years ago by enodata

comment:2 Changed 3 years ago by enodata

Log attached.

Perhaps I was not clear enough how to reproduce this, sorry.

The VM in question does not have any shared folders. The crash happens when VM is suspended (stopped) with saved state. VBoxManage showvminfo works fine when VM is running or has been shut down.

Please let me know if there is any other info I can provide.

Last edited 3 years ago by enodata (previous) (diff)

comment:3 Changed 3 years ago by frank

Unfortunately still no success. Tried several combinations, also without any shared folder and with the VM having a saved state. I assume it has something to do with snapshot as your VBox.log shows that your VM has a snapshot.

I would appreciate if you could provide a reproduction scenario, perhaps with a dummy VM (no hard disk attached, guest will not boot but stop after showing the BIOS logo). Having instructions like 1. create VM without a shared folder, 2. start the VM, 3. create a snapshot, 4. terminate the VM with saving the state, 5. VBoxManage showvminfo foo would help greatly because I'm not able to reproduce the problem

comment:4 Changed 3 years ago by mskov

I am having the same problem on Win7 x64. Unfortunately, this bug is very hard to reproduce. In my case the problem occurs at line 2253 in file  http://www.virtualbox.org/svn/vbox/trunk/src/VBox/Frontends/VBoxManage/VBoxManageInfo.cpp

CHECK_ERROR_RET(console, COMGETTER(SharedFolders)ComSafeArrayAsOutParam(folders)), rc);

in the /* transient mappings */ section. The problem does not occur on 4.2.26 and 4.3.12, and only happens on 4.3.14 (I did not try the current svn version of the sources). In my case the crash also occurs when VM is suspended.

Last edited 3 years ago by mskov (previous) (diff)

Changed 3 years ago by mskov

dummy VM

comment:5 Changed 3 years ago by mskov

Ok, so I was able to get a dummy VM to reproduce the bug (Test vm.vbox). 1) Start vm 2) create a snapshot 3) save machine state 4) execute VBoxManage.exe showvminfo "Test vm"

comment:6 Changed 3 years ago by mhanor

I can reproduce the issue with an Oracle test build (4.3.15), and an optimized hardened OSE build, but not with a debug (unoptimized) build and not with an optimised no-hardening OSE build. From what I can see, stack corruption occurs before or after the com::Utf8Str::copyFrom method is called. Here's the stack (4.3.14 sources):

00000000`002bc1a0 000007fe`e2a7c9e9 VBoxC!com::Utf8Str::copyFrom(
			wchar_t * a_pbstr = 0x00000000`002bc2b8 "㲘O")+0x10 [c:\work_x64\vbox\src\vbox\main\glue\string.cpp @ 167]
00000000`002bc230 000007fe`e2a7cbc0 VBoxC!Console::loadDataFromSavedState(void)+0xa9 [c:\work_x64\vbox\src\vbox\main\src-client\consoleimpl.cpp @ 1537]
00000000`002bc2b0 00000001`3f96bf61 VBoxC!Console::get_SharedFolders(
			struct tagSAFEARRAY ** aSharedFolders = 0x00000000`00000000)+0xd0 [c:\work_x64\vbox\src\vbox\main\src-client\consoleimpl.cpp @ 2041]
00000000`002bc340 00000001`3f9706fc VBoxManage!showVMInfo(
			class ComPtr<IVirtualBox> * virtualBox = 0x00000000`002bf740, 
			class ComPtr<IMachine> * machine = 0x00000000`002bf738, 
			VMINFO_DETAILS details = VMINFO_STANDARD (0n1), 
			class ComPtr<IConsole> * console = 0x00000000`002bf708)+0x102c1 [c:\work_x64\vbox\src\vbox\frontends\vboxmanage\vboxmanageinfo.cpp @ 2186]
00000000`002bf6c0 00000001`3f905fc8 VBoxManage!handleShowVMInfo(
			struct HandlerArg * a = 0x00000000`004d9230)+0x52c [c:\work_x64\vbox\src\vbox\frontends\vboxmanage\vboxmanageinfo.cpp @ 2677]
00000000`002bf810 00000001`3f9ae2a6 VBoxManage!main(
			int argc = 0n1, 
			char ** argv = 0x00000063`a6fb7aa5)+0x6f8 [c:\work_x64\vbox\src\vbox\frontends\vboxmanage\vboxmanage.cpp @ 561]
00000000`002bf990 00000000`779759ed VBoxManage!__tmainCRTStartup(void)+0x11a [f:\dd\vctools\crt_bld\self_64_amd64\crt\src\crtexe.c @ 555]
00000000`002bf9c0 00000000`77bac541 kernel32!BaseThreadInitThunk+0xd
00000000`002bf9f0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

The com::Utf8Str::copyFrom parameters get scrambled. I do not understand why it happens, but you must hit this piece of code. To reproduce, terminate the existing COM service process and overwrite the existing .vbox VM file with the previous copy (that contains the snapshot and saved state references).

With the official build, you hit the "int 3" instruction, in VBoxCLazyLoading, the "badload" jump (..\obj\VMMR3LazyImp\VMMR3LazyLoad.asm)

Last edited 3 years ago by mhanor (previous) (diff)

comment:7 Changed 3 years ago by mhanor

Actually, I was wrong about the stack corruption. The debugger is not able to track the variables, with all the code optimizations.

Last edited 3 years ago by mhanor (previous) (diff)

comment:8 Changed 3 years ago by mhanor

This is what it logs:

main     SUPR3HardenedLdrLoadAppPriv: pszFilename=000007fee25a5d54:{VBoxVMM} phLdrMod=000007fee2704e90 fFlags=00000000 pErrInfo=0000000000000000
main     AssertLogRel C:\work_x64\vbox\src\VBox\HostDrivers\Support\SUPR3HardenedIPRT.cpp(141) int __cdecl supR3HardenedErrorV(int,bool,const char *,char *): <NULL>
main     supR3HardenedVerifyFileInternal: 'C:\work_x64\vbox\out\win.amd64\debug\bin/VBoxVMM.dll': Image verify error rc=VERR_WRONG_ORDER: supHardenedWinVerifyImageByHandle: supHardenedWinInitImageVerifier was not called.
main     supR3HardenedLdrLoadIt: Verification of "C:\work_x64\vbox\out\win.amd64\debug\bin\VBoxVMM.DLL" failed, rc=VERR_WRONG_ORDER
main     SUPR3HardenedLdrLoadAppPriv: returns VERR_WRONG_ORDER

The RTCrX509Certificate_IsPresent check fails, in supHardenedWinVerifyImageByHandle() - 4.3.14 sources:

VBoxRT!supHardenedWinVerifyImageByHandle(
			void * hFile = 0x00000000`00000210, 
			unsigned short * pwszName = 0x00000000`00307c80, 
			unsigned int fFlags = 1, 
			bool * pfCacheable = 0x00000000`00000000, 
			struct RTERRINFO * pErrInfo = 0x00000000`003093b8)+0x5c [c:\work_x64\vbox\src\vbox\hostdrivers\support\win\suphardenedverifyimage-win.cpp @ 906]
VBoxRT!supHardenedWinVerifyImageByHandleNoName(
			void * hFile = 0x00000000`00000210, 
			unsigned int fFlags = 1, 
			struct RTERRINFO * pErrInfo = 0x00000000`003093b8)+0xcd [c:\work_x64\vbox\src\vbox\hostdrivers\support\win\suphardenedverifyimage-win.cpp @ 1070]
VBoxRT!supR3HardenedVerifyFileInternal(
			int iFile = 0n7, 
			bool fFatal = false, 
			bool fLeaveFileOpen = false)+0x256 [c:\work_x64\vbox\src\vbox\hostdrivers\support\supr3hardenedverify.cpp @ 555]
VBoxRT!supR3HardenedVerifyFixedFile(
			char * pszFilename = 0x00000000`003095f0 "C:\work_x64\vbox\out\win.amd64\debug\bin\VBoxVMM.DLL", 
			bool fFatal = false)+0xb8 [c:\work_x64\vbox\src\vbox\hostdrivers\support\supr3hardenedverify.cpp @ 738]
VBoxRT!supR3HardenedLdrLoadIt(
			char * pszFilename = 0x00000000`003095f0 "C:\work_x64\vbox\out\win.amd64\debug\bin\VBoxVMM.DLL", 
			struct RTLDRMODINTERNAL ** phLdrMod = 0x000007fe`dfbb4e90, 
			unsigned int fFlags = 0, 
			struct RTERRINFO * pErrInfo = 0x00000000`00000000)+0x39 [c:\work_x64\vbox\src\vbox\hostdrivers\support\suplib.cpp @ 2192]
VBoxRT!SUPR3HardenedLdrLoad(
			char * pszFilename = 0x00000000`003095f0 "C:\work_x64\vbox\out\win.amd64\debug\bin\VBoxVMM.DLL", 
			struct RTLDRMODINTERNAL ** phLdrMod = 0x000007fe`dfbb4e90, 
			unsigned int fFlags = 0, 
			struct RTERRINFO * pErrInfo = 0x00000000`00000000)+0x220 [c:\work_x64\vbox\src\vbox\hostdrivers\support\suplib.cpp @ 2237]
VBoxRT!SUPR3HardenedLdrLoadAppPriv(
			char * pszFilename = 0x000007fe`dfa55d54 "VBoxVMM", 
			struct RTLDRMODINTERNAL ** phLdrMod = 0x000007fe`dfbb4e90, 
			unsigned int fFlags = 0, 
			struct RTERRINFO * pErrInfo = 0x00000000`00000000)+0x3b2 [c:\work_x64\vbox\src\vbox\hostdrivers\support\suplib.cpp @ 2289]
VBoxC!LazyLoading+0x2a [C:\work_x64\vbox\out\win.amd64\debug\obj\VMMR3LazyImp\VMMR3LazyLoad.asm @ 8731]
VBoxC!LazyLoading+0x3d [C:\work_x64\vbox\out\win.amd64\debug\obj\VMMR3LazyImp\VMMR3LazyLoad.asm @ 8753]
............
Last edited 3 years ago by mhanor (previous) (diff)

comment:9 Changed 3 years ago by neilo

Ticket 13583 might be the same issue. On that ticket I uploaded a script that reliably reproduces the issue for me. If you have a MINGW environment with bash and curl the script should work as-is, otherwise you should be able to make the equivalent .bat or just do the steps manually, there's not much to it.

comment:10 Changed 3 years ago by maoueh

I'm seeing the same problem, here some information on my host:

When I run the command, the last output I received before it crashed was:

...
Shared folders:

Name: 'vagrant', Host path: 'C:/Users/Matt/Work/project' (machine mapping), writable
<Crash>

This was initially an issue with Vagrant, some debugging of the issue I had leads me here. I can reproduce this all time. Save sate of VM in VirtualBox UI and then run the VBoxManage showvminfo command.

Regards, Matt

comment:11 Changed 3 years ago by frank

We think we found and fixed this problem. Could you install this test build and confirm that the problem is gone? Thank you!

comment:12 Changed 3 years ago by mhanor

I can crash 4.3.18-96516 every time, but I can't seem to crash your test build. Host OS: Win8.1 x64

comment:13 Changed 3 years ago by neilo

Test build 4.3.19-96923 fixes this for me.

comment:14 Changed 3 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed

Thanks for the feedback. VBox 4.3.20 contains the fix.

Note: See TracTickets for help on using tickets.

www.oracle.com
ContactPrivacy policyTerms of Use