
Opened 8 years ago

Closed 4 years ago

#15718 closed defect (obsolete)

XPCOM DeserializeResult invalid pointer

Reported by: gim Owned by:
Component: other Version: VirtualBox 5.0.20
Keywords: xpcom, python, DeserializeResult Cc:
Guest type: Windows Host type: Linux

Description

$ python --version
Python 2.7.6

$ gdb /usr/bin/python CoreDump
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
...
#0  0x00007f12a97d8b92 in DeserializeResult (v=..., t=..., reader=...) at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:726
726           *((PRUint32 *) v.val.p) = reader.GetInt32();

(gdb) list
721           *((PRUint16 *) v.val.p) = reader.GetInt16();
722           break;
723
724         case nsXPTType::T_I32:
725         case nsXPTType::T_U32:
726           *((PRUint32 *) v.val.p) = reader.GetInt32();
727           break;
728
729         case nsXPTType::T_I64:
730         case nsXPTType::T_U64:

(gdb) print v
$1 = (nsXPTCMiniVariant &) @0x7f11337fc090: {val = {i8 = 20 '\024', i16 = 20, i32 = 20, i64 = 20, u8 = 20 '\024', u16 = 20, u32 = 20, u64 = 20, f = 2.80259693e-44, d = 9.8813129168249309e-323, b = 20,
    c = 20 '\024', wc = 20, p = 0x14}}

So the problem is that we are trying to write data through an invalid pointer, address 0x14.

(gdb) bt
#0  0x00007f12a97d8b92 in DeserializeResult (v=..., t=..., reader=...) at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:726
#1  DConnectStub::CallMethod (this=0x7f11e800e720, aMethodIndex=<optimized out>, aInfo=<optimized out>, aParams=<optimized out>)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:2682
#2  0x00007f12af4fbc48 in PrepareAndDispatch (self=0x7f11e800e720, methodIndex=<optimized out>, args=<optimized out>, gpregs=0x7f11337fc150, fpregs=0x7f11337fc180)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:156
#3  0x00007f12af4fb0b5 in SharedStub () from .../VirtualBox-5.0.20/out/linux.amd64/release/bin/VBoxXPCOM.so
#4  0x00007f12af4fbfbb in VBoxNsxpXPTC_InvokeByIndex (that=0x7f11e800e720, methodIndex=8, paramCount=3, params=<optimized out>)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:209
#5  0x00007f12afcea2be in PyXPCOMMethod_XPTC_InvokeByIndex (self=<optimized out>, args=<optimized out>) at .../VirtualBox-5.0.20/src/libs/xpcom18a4/python/src/module/_xpcom.cpp:266
#6  0x000000000049968d in PyEval_EvalFrameEx ()
#7  0x0000000000499ef2 in PyEval_EvalFrameEx ()
#8  0x00000000004a1c9a in ?? ()
#9  0x0000000000505f96 in PyObject_Call ()
#10 0x000000000049b07a in PyEval_EvalFrameEx ()
#11 0x00000000004a090c in PyEval_EvalCodeEx ()
#12 0x000000000049ab45 in PyEval_EvalFrameEx ()
#13 0x00000000004a1c9a in ?? ()
#14 0x0000000000505f96 in PyObject_Call ()
#15 0x000000000049b07a in PyEval_EvalFrameEx ()
#16 0x00000000004a1c9a in ?? ()
#17 0x0000000000505f96 in PyObject_Call ()
#18 0x000000000049b07a in PyEval_EvalFrameEx ()
#19 0x00000000004a1c9a in ?? ()
#20 0x0000000000505f96 in PyObject_Call ()
#21 0x000000000049b07a in PyEval_EvalFrameEx ()
#22 0x0000000000499ef2 in PyEval_EvalFrameEx ()
#23 0x0000000000499ef2 in PyEval_EvalFrameEx ()
#24 0x00000000004a090c in PyEval_EvalCodeEx ()
#25 0x0000000000499a52 in PyEval_EvalFrameEx ()
#26 0x0000000000499ef2 in PyEval_EvalFrameEx ()
#27 0x00000000004a1c9a in ?? ()
#28 0x0000000000505f96 in PyObject_Call ()
#29 0x000000000049b07a in PyEval_EvalFrameEx ()
#30 0x0000000000499ef2 in PyEval_EvalFrameEx ()
#31 0x0000000000499ef2 in PyEval_EvalFrameEx ()
#32 0x00000000004a1c9a in ?? ()
#33 0x00000000004dfe94 in ?? ()
#34 0x00000000004dc9cb in PyEval_CallObjectWithKeywords ()
#35 0x0000000000588b12 in ?? ()
#36 0x00007f12b41ca184 in start_thread (arg=0x7f11337fe700) at pthread_create.c:312
#37 0x00007f12b3ef737d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) up
#1  DConnectStub::CallMethod (this=0x7f11e800e720, aMethodIndex=<optimized out>, aInfo=<optimized out>, aParams=<optimized out>)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:2682
2682            DeserializeResult(reader, paramInfo.GetType(), aParams[i]);

(gdb) print aParams
$1 = <optimized out>

(gdb) print reader
$2 = {mBuf = 0x7f1124001b0c "", mBufEnd = 0x7f1124001b10 " ", mBufPtr = 0x7f1124001b10 " ", mError = 0}

(gdb) print paramCount
$3 = <optimized out>

(gdb) print paramInfo
$4 = <optimized out>

(gdb) print completion
$6 = {<DConnectCompletion> = {<ipcIMessageObserver> = {<nsISupports> = {_vptr.nsISupports = 0x7f12a99e3ad0 <vtable for DConnectInvokeCompletion+16>}, <No data fields>},
    mSelector = {<ipcIMessageObserver> = {<nsISupports> = {_vptr.nsISupports = 0x7f12a99e3a90 <vtable for DConnectMsgSelector+16>}, <No data fields>}, mPeer = 1, mOpCodeMajor = 5 '\005',
      mRequestIndex = 1501327}}, mReply = 0x7f1124001b00, mParamsLen = 4}

(gdb) print rv
$7 = 0

(gdb) print invoke
$8 = {<DConnectOp> = {opcode_major = 3 '\003', opcode_minor = 0 '\000', flags = 0, request_index = 1501327}, instance = 140060494138576, method_index = 8}


(gdb) up
#2  0x00007f12af4fbc48 in PrepareAndDispatch (self=0x7f11e800e720, methodIndex=<optimized out>, args=<optimized out>, gpregs=0x7f11337fc150, fpregs=0x7f11337fc180)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:156
156         result = self->CallMethod((PRUint16) methodIndex, info, dispatchParams);


(gdb) print *info
$13 = {<XPTMethodDescriptor> = {name = 0x2f72bc0 "timeRemaining", params = 0x2f72bd0, result = 0x2f72bd8, flags = 128 '\200', num_args = 1 '\001'}, <No data fields>}

(gdb) print *dispatchParams
$15 = {val = {i8 = 20 '\024', i16 = 20, i32 = 20, i64 = 20, u8 = 20 '\024', u16 = 20, u32 = 20, u64 = 20, f = 2.80259693e-44, d = 9.8813129168249309e-323, b = 20, c = 20 '\024', wc = 20, p = 0x14}}

So val.p is still 0x14 here...

(gdb) print paramBuffer
$16 = {{val = {i8 = 20 '\024', i16 = 20, i32 = 20, i64 = 20, u8 = 20 '\024', u16 = 20, u32 = 20, u64 = 20, f = 2.80259693e-44, d = 9.8813129168249309e-323, b = 20, c = 20 '\024', wc = 20, p = 0x14}}, {
    val = {i8 = 80 'P', i16 = 80, i32 = 80, i64 = 80, u8 = 80 'P', u16 = 80, u32 = 80, u64 = 80, f = 1.12103877e-43, d = 3.9525251667299724e-322, b = 80, c = 80 'P', wc = 80, p = 0x50}}, {val = {
      i8 = 96 '`', i16 = -16032, i32 = 864010592, i64 = 139711855182176, u8 = 96 '`', u16 = 49504, u32 = 864010592, u64 = 139711855182176, f = 5.95476877e-08, d = 6.9026827962260493e-310, b = 864010592,
      c = 96 '`', wc = 49504, p = 0x7f11337fc160}}, {val = {i8 = 80 'P', i16 = -16048, i32 = 864010576, i64 = 139711855182160, u8 = 80 'P', u16 = 49488, u32 = 864010576, u64 = 139711855182160,
      f = 5.95476308e-08, d = 6.9026827962252588e-310, b = 864010576, c = 80 'P', wc = 49488, p = 0x7f11337fc150}}, {val = {i8 = -64 '\300', i16 = -16192, i32 = 864010432, i64 = 139711855182016,
      u8 = 192 '\300', u16 = 49344, u32 = 864010432, u64 = 139711855182016, f = 5.95471192e-08, d = 6.9026827962181443e-310, b = 864010432, c = -64 '\300', wc = 49344, p = 0x7f11337fc0c0}}, {val = {
      i8 = -52 '\314', i16 = -31284, i32 = 901809612, i64 = 901809612, u8 = 204 '\314', u16 = 34252, u32 = 901809612, u64 = 901809612, f = 1.43440548e-06, d = 4.4555314837862396e-315, b = 901809612,
      c = -52 '\314', wc = 34252, p = 0x35c085cc}}, {val = {i8 = -44 '\324', i16 = -15916, i32 = 864010708, i64 = 139711855182292, u8 = 212 '\324', u16 = 49620, u32 = 864010708, u64 = 139711855182292,
      f = 5.95480998e-08, d = 6.9026827962317805e-310, b = 864010708, c = -44 '\324', wc = 49620, p = 0x7f11337fc1d4}}, {val = {i8 = -101 '\233', i16 = -22629, i32 = -1353930853, i64 = 139718227175323,
      u8 = 155 '\233', u16 = 42907, u32 = 2941036443, u64 = 139718227175323, f = -1.86132373e-10, d = 6.9029976145169962e-310, b = -1353930853, c = -101 '\233', wc = 42907,
      p = 0x7f12af4ca79b <SearchTable+95>}}, {val = {i8 = 0 '\000', i16 = 0, i32 = 0, i64 = 0, u8 = 0 '\000', u16 = 0, u32 = 0, u64 = 0, f = 0, d = 0, b = 0, c = 0 '\000', wc = 0, p = 0x0}}, {val = {
      i8 = 95 '_', i16 = 95, i32 = -1353711521, i64 = 2941255775, u8 = 95 '_', u16 = 95, u32 = 2941255775, u64 = 2941255775, f = -1.89176216e-10, d = 1.4531734340596711e-314, b = -1353711521, c = 95 '_',
      wc = 95, p = 0xaf50005f}}, {val = {i8 = -128 '\200', i16 = -16000, i32 = 864010624, i64 = 139711855182208, u8 = 128 '\200', u16 = 49536, u32 = 864010624, u64 = 139711855182208, f = 5.95478014e-08,
      d = 6.9026827962276303e-310, b = 864010624, c = -128 '\200', wc = 49536, p = 0x7f11337fc180}}, {val = {i8 = -112 '\220', i16 = -15984, i32 = 864010640, i64 = 139711855182224, u8 = 144 '\220',
      u16 = 49552, u32 = 864010640, u64 = 139711855182224, f = 5.95478582e-08, d = 6.9026827962284208e-310, b = 864010640, c = -112 '\220', wc = 49552, p = 0x7f11337fc190}}, {val = {i8 = -112 '\220',
      i16 = 4752, i32 = 1469780624, i64 = 1469780624, u8 = 144 '\220', u16 = 4752, u32 = 1469780624, u64 = 1469780624, f = 3.41008055e+14, d = 7.2616811324151035e-315, b = 1469780624, c = -112 '\220',
      wc = 4752, p = 0x579b1290}}, {val = {i8 = 102 'f', i16 = 31590, i32 = -63669402, i64 = 4231297894, u8 = 102 'f', u16 = 31590, u32 = 4231297894, u64 = 4231297894, f = -3.74846501e+36,
      d = 2.0905389267458164e-314, b = -63669402, c = 102 'f', wc = 31590, p = 0xfc347b66}}, {val = {i8 = -16 '\360', i16 = 10224, i32 = 49227760, i64 = 49227760, u8 = 240 '\360', u16 = 10224,
      u32 = 49227760, u64 = 49227760, f = 3.51408167e-37, d = 2.4321745037717883e-316, b = 49227760, c = -16 '\360', wc = 10224, p = 0x2ef27f0}}, {val = {i8 = 64 '@', i16 = -29632, i32 = 9538624,
      i64 = 9538624, u8 = 64 '@', u16 = 35904, u32 = 9538624, u64 = 9538624, f = 1.33664592e-38, d = 4.7127064269968145e-317, b = 9538624, c = 64 '@', wc = 35904, p = 0x918c40 <PyInstance_Type>}}}

(gdb) p/x gpregs[1]
$36 = 0x14

Still 0x14...

(gdb) up
#3  0x00007f12af4fb0b5 in SharedStub () from .../VirtualBox-5.0.20/out/linux.amd64/release/bin/VBoxXPCOM.so

(gdb) up
#4  0x00007f12af4fbfbb in VBoxNsxpXPTC_InvokeByIndex (that=0x7f11e800e720, methodIndex=8, paramCount=3, params=<optimized out>)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_linux.cpp:209
209         PRUint32 result = ((Method)methodAddress)(a0, a1, a2, a3, a4, a5);

(gdb) p/x gpregs
$2 = {0x2fbdb20, 0x14, 0x7f1124006c60, 0x7f1124000de0, 0x18, 0x7f11337fc2f0}

(gdb) print fpregs
$3 = {6.902991684694722e-310, 1.4821969375237396e-323, 4.9406564584124654e-324, -3.0976499285403956e-66, 6.9029916275372556e-310, 6.902669951351264e-310, 6.902682796245812e-310, 4.9406564584124654e-324}

So, as you can see, the 0x14 already arrives with the call arguments (gpregs[1]). I don't know how that is possible...

I was able to reproduce this bug twice. In the other case the pointer was 0x6 and the result type was nsXPTType::T_WCHAR_STR:

#0  0x00007f57a9afcd39 in DeserializeResult (v=..., t=..., reader=...) at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:803
803          *((PRUnichar **) v.val.p) = buf;

(gdb) print v
$1 = (nsXPTCMiniVariant &) @0x7f57337fc090: {val = {i8 = 6 '\006', i16 = 6, i32 = 6, i64 = 6, u8 = 6 '\006', u16 = 6, u32 = 6, u64 = 6, f = 8.40779079e-45, d = 2.9643938750474793e-323, b = 6, c = 6 '\006',
    wc = 6, p = 0x6}}

(gdb) up
#1  DConnectStub::CallMethod (this=0x7f56fc007770, aMethodIndex=<optimized out>, aInfo=<optimized out>, aParams=<optimized out>)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/ipc/ipcd/extensions/dconnect/src/ipcDConnectService.cpp:2682
2682            DeserializeResult(reader, paramInfo.GetType(), aParams[i]);

(gdb) up
#2  0x00007f57af81fc48 in PrepareAndDispatch (self=0x7f56fc007770, methodIndex=<optimized out>, args=<optimized out>, gpregs=0x7f57337fc150, fpregs=0x7f57337fc180)
    at .../VirtualBox-5.0.20/src/libs/xpcom18a4/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:156
156         result = self->CallMethod((PRUint16) methodIndex, info, dispatchParams);

(gdb) print *info
$2 = {<XPTMethodDescriptor> = {name = 0x22ba5a0 "name", params = 0x22ba5a8, result = 0x22ba5b0, flags = 128 '\200', num_args = 1 '\001'}, <No data fields>}

(gdb) print *dispatchParams
$3 = {val = {i8 = 6 '\006', i16 = 6, i32 = 6, i64 = 6, u8 = 6 '\006', u16 = 6, u32 = 6, u64 = 6, f = 8.40779079e-45, d = 2.9643938750474793e-323, b = 6, c = 6 '\006', wc = 6, p = 0x6}}
...

Change History (1)

comment:1 by aeichner, 4 years ago

Resolution: obsolete
Status: new → closed
