Heap corruption in VBoxSVC.exe leading to a crash (possibly due to double free)

[idrassi]

I have encountered a crash of latest VBoxSVC.exe 5.2.18.24319 on a Windows 10 host while running two VMs in parallel (one Windows VM and one Linux VM). The crash happend while I was accessing internet resources from the Linux VM.

I have collected a crash dump which indicates that the crash is caused by a heap corruption in VBoxSVC.exe while calling free function from msvcr100.dll. So, this looks like a double-free issue in VBoxSVC.exe.

I could not find a way to reproduce this crash. Usually, I run 3 or 4 VMs at the same time but VBoxSVC never crashed but this time just with 2 VMs and no extensive CPU load (just internet browsing) and it crashed.

I'm attaching the full log from Linux machine. For the crash dump, I can post it but since it is related to potential double free issue in VBoxSVC which are sometime a security vulnerability I prefer to confirm with you first that it is ok to post here.

[Socratis]

Related discussion in the forums: ​https://forums.virtualbox.org/viewtopic.php?f=6&t=89548

[aeichner]

Please send the crash dump to alexander (dot) eichner (at) oracle (dot) com and the matching VBoxSVC.log. Thanks!

[idrassi]

Email sent encrypted with PGP Key 0x37FAE132B47831ABE98A2CDD9D6378FD1C6719C7 (subkey 0xB67FA30BEE97C622A0C1BAD96B6F8379EB3A12FA)

[aeichner]

The core dump showed that the crash in VBoxSVC happened while processing a extradata related API call from the GUI. Unfortunately I couldn't get enough information from the core dump to find the cause of the heap corruption and I also wasn't able to reproduce the issue locally. I couldn't find a possible double free invocation in the affected area. I fear that there is not much we can do without a reproduction scenario because there is no hint where the heap corruption/double free originated from. Do you happen to get this crash on a regular basis or was this a one time event only?

[Socratis]

Replying to aeichner:

Do you happen to get this crash on a regular basis or was this a one time event only?

According to the OP's statement in the ​related forum discussion:

I could not find a way to reproduce this crash. I use VirtualBox quiet often and this is the first time I see this. Usually, I run 3 or 4 VMs at the same time but VBoxSVC never crashed but this time just with 2 VMs and no extensive CPU load (just internet browsing) and it crashed.

@idrassi
If, according to aeichner, this is an extradata related API call, could you post your ".vbox" for the VM? Right-click on the VM in the VirtualBox Manager. Select "Show in Explorer". Attach the selected ".vbox" file to your response.