Cannot start VMs due to VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED

[Stevel]

On some windows hosts VirtualBox will not start VMs with DigitalGuardian installed. An error message box with "VERR_SUP_VP_REPLACE_VIRTUAL_MEMORY_FAILED ... supR3HardNtChildPurify what:5" appears. This has been reproduced on both a Windows 7 and 2K8R2 systems but not all Win7 and 2K8R2 machines. This is system configuration depended. I have a windows 7 machine where I uninstalled DG but left our driver in place and it still failed. I then copied an MS driver, vms3cat.sys, into dgmaster.sys rebooted and it still failed. I believe there is a logic error in the code that replaces suspect virtual memory.

I have a 2K8R2 VM that reproduces the issue.

[Frank Mehnert]

Please attach the VBoxHardening.log file for such a VM session.

[Stevel]

Hardening log of VirtualBox 5.1.10 and DG 7.3.0.0160

[Stevel]

VBox.log of VirtualBox 5.1.10 and DG 7.3.0.0160

[Stacy Petruzzi]

Can you modify this ticket to be submitted by this account, or do we need to open a new ticket?

[Frank Mehnert]

I don't think a modiciation is required. You will get noficiation email as you added a comment to the ticket. So you see the same problem with VBox 5.1.12 as well? Could you add another VBoxHardening.log file for a 5.1.12 session?

[Stacy Petruzzi]

Retested with 5.1.12, attached.

[Stacy Petruzzi]

Hi! Frank,

I have uploaded VBoxHardening.log file for a 5.1.12 session week ago. Can you please update the case with your findings? Please escalate the case or change the priority to highest level? We have multiple customer that has reported this issue.

[Stacy Petruzzi]

01/20 Issue is gaining visibility within Management and updates are required at the earliest. Any further information you can provide based upon log review would be greatly appreciated. Kindly ensure that this issue is escalated within Oracle, as we are getting great pressure from our end users and their Mgmt. Very Kindly, Stacy Petruzzi Customer Success Manager

[Frank Mehnert]

DGSupport, do you have an Oracle support contract?

[Frank Mehnert]

I will contact you by private e-mail.

[Frank Mehnert]

I removed the published CSI number. The number you posted is for the product Oracle VM, not Oracle VM VirtualBox. Anyway, see the private e-mail I sent to the address of the DGSupport account.

[Stacy Petruzzi]

Hi Frank, We are at an impasse, as none that monitor this issue are included in the "private email" that you sent regarding this issue. We now have 3 customers with issues related to Virtual Box with no movement since we have thus far been unable to work this issue collectively due to communication issues such as this. Why was the CSI number we were given when we purchased Oracle support removed? Do we need to have a new CSI number created to include Oracle VM VirtualBox vs Oracle VM? Please, please advise as we have three customers facing issues that we have been unable to resolve without your assistance, guidance, etc. Both myself Stacy Petruzzi (CSM- Digital Guardian) Spetruzzi@… and Mike Foresto (Director of Support - Digital Guardian) Mforesto@… are trying to work this issue as we have customers without resolve since our contract was created. Anything you can do to expedite, guide accordingly would be greatly appreciated. To clarify, the only info we have thus far to point to is as follows: VBox Case 16259 CSI - CSI Number for software and services products: 20918592 Thanks, Stacy Petruzzi

[Stacy Petruzzi]

Replying to frank:

I removed the published CSI number. The number you posted is for the product Oracle VM, not Oracle VM VirtualBox. Anyway, see the private e-mail I sent to the address of the DGSupport account.

Hi Frank, We are at an impasse, as none that monitor this issue are included in the "private email" that you sent regarding this issue. We now have 3 customers with issues related to Virtual Box with no movement since we have thus far been unable to work this issue collectively due to communication issues such as this. Why was the CSI number we were given when we purchased Oracle support removed? Do we need to have a new CSI number created to include Oracle VM VirtualBox vs Oracle VM? Please, please advise as we have three customers facing issues that we have been unable to resolve without your assistance, guidance, etc. Both myself Stacy Petruzzi (CSM- Digital Guardian) Spetruzzi@… and Mike Foresto (Director of Support - Digital Guardian) Mforesto@… are trying to work this issue as we have customers without resolve since our contract was created. Anything you can do to expedite, guide accordingly would be greatly appreciated. To clarify, the only info we have thus far to point to is as follows: VBox Case 16259 CSI - CSI Number for software and services products: <censored> Thanks, Stacy Petruzzi

[Stevel]

I have been double checking results yesterday and today. Debugging has been concentrated on Win2k8, where most failures occurred. If a Vbox launch is attempted right after booting it almost always fails and almost always continues to fail. If a delay of a minute is introduced before the first launch of the virtual box GUI and hence the VM, it almost always works and continues to work. In the failure case the image name (ImageFileName) in the kernel EProcess structure is not set. This is used to determine if the process should be injected. After implementing an alternate method of determining the image name being created to use when the primary method does not work the virtual machine launches every time. I have not done any further testing on other versions as this was the version with the most failures. Failures were also seen on Win7, which is very similar code to 2k8. The public source for VirtualBox shows the driver hooking the CreateProcess call and also being in the ProcessNotify callbacks. Is it possible that the name is not getting set because of these hooks or could this be a Win7/2K8 system problem?

[Klaus Espenlaub]

Could it be that you're expecting something to be set which isn't guaranteed? The first executable loaded into the process is an extremely minimal executable (containing a custom stub which also is much smaller than usual). You can see the code in the VirtualBox sources or by looking at an executable on disk. It's designed to have only the absolutely vital executable header entries.

It has happened before that AV software wasn't prepared to deal with such an executable, even though it's clearly valid as all versions of Windows have no trouble loading it.

The job of hardening is to keep untrusted parties from influencing the behavior of the VM processes - and that needs quite drastic measures on Windows as generally the OS is way too generous.

[bird]

FYI. I've just uploaded a test build (r114478+) with the start of a fix (our side). However, the fix requires a DgMaster.sys file with a FileVersion value (properties -> details) of 7.3.0.0171 or higher.

[Frank Mehnert]

The test build can be found here.