VirtualBox

Opened 10 months ago

Closed 9 months ago

#21862 closed defect (fixed)

detected field-spanning write (size 13) of single field "pNew->szName" VBoxNetFlt.c:1043

Reported by: Trevor Hemsley Owned by:
Component: other Version: VirtualBox-7.0.10
Keywords: Cc:
Guest type: other Host type: Linux

Description

Updated Fedora 38 to the latest 6.5.5 kernel and when starting a VBox VM (OS/2) I received the following stacktrace on the host.

Hardware is AMD Ryzen 5700X on an Asus Prime X570-Pro motherboard with 128GB ECC RAM. Network cards are Solarflare SFN8522 10GbE.

[Fri Sep 29 01:11:45 2023] ------------[ cut here ]------------
[Fri Sep 29 01:11:45 2023] memcpy: detected field-spanning write (size 13) of single field "pNew->szName" at /tmp/akmodsbuild.PE0xDICD/BUILD/VirtualBox-kmod-7.0.10/_kmod_build_6.5.5-200.fc38.x86_64/vboxnetflt/VBoxNetFlt.c:1043 (size 1)
[Fri Sep 29 01:11:45 2023] WARNING: CPU: 7 PID: 8237 at /tmp/akmodsbuild.PE0xDICD/BUILD/VirtualBox-kmod-7.0.10/_kmod_build_6.5.5-200.fc38.x86_64/vboxnetflt/VBoxNetFlt.c:1043 vboxNetFltFactoryCreateAndConnect+0x2ff/0x360 [vboxnetflt]
[Fri Sep 29 01:11:45 2023] Modules linked in: drbd lru_cache snd_seq_dummy snd_hrtimer vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) ip6t_REJECT nf_reject_ipv6 ip6table_filter ip6_tables ipt_REJECT nf_reject_ipv4 xt_set xt_multiport xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables ip_set_hash_ip nct6775 ip_set nct6775_core nfnetlink hwmon_vid xfs snd_seq_midi snd_seq_midi_event intel_rapl_msr intel_rapl_common amd64_edac edac_mce_amd snd_usb_audio snd_hda_codec_hdmi snd_usbmidi_lib snd_hda_intel snd_ump kvm_amd snd_rawmidi snd_intel_dspcfg snd_intel_sdw_acpi mc cp210x asus_ec_sensors kvm snd_hda_codec irqbypass snd_hda_core rapl eeepc_wmi snd_hwdep snd_seq asus_wmi ledtrig_audio sparse_keymap platform_profile rfkill snd_seq_device wmi_bmof mxm_wmi pcspkr snd_pcm k10temp i2c_piix4 sfc snd_timer snd mdio soundcore mtd raid10 joydev essiv dm_crypt nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse loop hid_logitech_hidpp hid_logitech_dj amdgpu i2c_algo_bit drm_ttm_helper ttm video drm_suballoc_helper amdxcp
[Fri Sep 29 01:11:45 2023]  iommu_v2 drm_buddy gpu_sched crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni uas polyval_generic ghash_clmulni_intel usb_storage sha512_ssse3 drm_display_helper ccp nvme cec sp5100_tco nvme_core nvme_common wmi scsi_dh_rdac scsi_dh_emc scsi_dh_alua dm_multipath i2c_dev
[Fri Sep 29 01:11:45 2023] CPU: 7 PID: 8237 Comm: EMT Tainted: G           OE      6.5.5-200.fc38.x86_64 #1
[Fri Sep 29 01:11:45 2023] Hardware name: System manufacturer System Product Name/PRIME X570-PRO, BIOS 4802 06/15/2023
[Fri Sep 29 01:11:45 2023] RIP: 0010:vboxNetFltFactoryCreateAndConnect+0x2ff/0x360 [vboxnetflt]
[Fri Sep 29 01:11:45 2023] Code: 00 00 0f 85 c8 fe ff ff b9 01 00 00 00 48 c7 c2 90 b6 bf c1 4c 89 f6 48 c7 c7 20 b7 bf c1 c6 05 69 37 0b 00 01 e8 91 bf 5c e2 <0f> 0b e9 9f fe ff ff 49 c7 45 60 00 00 00 00 4c 89 ef e8 6a f7 ff
[Fri Sep 29 01:11:45 2023] RSP: 0018:ffff9e1090f77c30 EFLAGS: 00010282
[Fri Sep 29 01:11:45 2023] RAX: 0000000000000000 RBX: ffff8f4260e7dd54 RCX: 0000000000000027
[Fri Sep 29 01:11:45 2023] RDX: ffff8f5f2ebe1548 RSI: 0000000000000001 RDI: ffff8f5f2ebe1540
[Fri Sep 29 01:11:45 2023] RBP: ffffffffc1bf7790 R08: 0000000000000000 R09: ffff9e1090f77ac0
[Fri Sep 29 01:11:45 2023] R10: 0000000000000003 R11: ffffffffa6345d28 R12: ffff8f4260e7d3f0
[Fri Sep 29 01:11:45 2023] R13: ffff8f4260e7d210 R14: 000000000000000d R15: ffffffffc1bf7780
[Fri Sep 29 01:11:45 2023] FS:  00007f21f7fff6c0(0000) GS:ffff8f5f2ebc0000(0000) knlGS:0000000000000000
[Fri Sep 29 01:11:45 2023] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[Fri Sep 29 01:11:45 2023] CR2: 00007f219d74e5c0 CR3: 00000002de184000 CR4: 0000000000750ee0
[Fri Sep 29 01:11:45 2023] PKRU: 55555554
[Fri Sep 29 01:11:45 2023] Call Trace:
[Fri Sep 29 01:11:45 2023]  <TASK>
[Fri Sep 29 01:11:45 2023]  ? vboxNetFltFactoryCreateAndConnect+0x2ff/0x360 [vboxnetflt]
[Fri Sep 29 01:11:45 2023]  ? __warn+0x81/0x130
[Fri Sep 29 01:11:45 2023]  ? vboxNetFltFactoryCreateAndConnect+0x2ff/0x360 [vboxnetflt]
[Fri Sep 29 01:11:45 2023]  ? report_bug+0x171/0x1a0
[Fri Sep 29 01:11:45 2023]  ? prb_read_valid+0x1b/0x30
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? handle_bug+0x3c/0x80
[Fri Sep 29 01:11:45 2023]  ? exc_invalid_op+0x17/0x70
[Fri Sep 29 01:11:45 2023]  ? asm_exc_invalid_op+0x1a/0x20
[Fri Sep 29 01:11:45 2023]  ? vboxNetFltFactoryCreateAndConnect+0x2ff/0x360 [vboxnetflt]
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? SUPR0ObjRegister+0x138/0x190 [vboxdrv]
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? supdrvIOCtl+0x17fb/0x31d0 [vboxdrv]
[Fri Sep 29 01:11:45 2023]  ? __check_object_size+0x264/0x2d0
[Fri Sep 29 01:11:45 2023]  ? VBoxDrvLinuxIOCtl_7_0_10+0x169/0x260 [vboxdrv]
[Fri Sep 29 01:11:45 2023]  ? __x64_sys_ioctl+0x97/0xd0
[Fri Sep 29 01:11:45 2023]  ? do_syscall_64+0x60/0x90
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? __x64_sys_ioctl+0xaf/0xd0
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? syscall_exit_to_user_mode+0x2b/0x40
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? do_syscall_64+0x6c/0x90
[Fri Sep 29 01:11:45 2023]  ? srso_alias_return_thunk+0x5/0x7f
[Fri Sep 29 01:11:45 2023]  ? exc_page_fault+0x7f/0x180
[Fri Sep 29 01:11:45 2023]  ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[Fri Sep 29 01:11:45 2023]  </TASK>
[Fri Sep 29 01:11:45 2023] ---[ end trace 0000000000000000 ]---
[Fri Sep 29 01:11:45 2023] VBoxNetFlt: attached to 'enp12s0f0np0' / xx:xx:xx:xx:xx:xx

It was immediately followed by a second stacktrace:

[Fri Sep 29 01:11:45 2023] memcpy: detected field-spanning write (size 1652) of single field "pLoggerInt->afGroups" at /tmp/akmodsbuild.PE0xDICD/BUILD/VirtualBox-kmod-7.0.10/_kmod_build_6.5.5-200.fc38.x86_64/vboxdrv/common/log/log.c:2934 (size 4)

but I assume that was related to the first.

Attachments (1)

VBox.log (313.7 KB ) - added by Trevor Hemsley 10 months ago.
vbox log file


Change History (13)

by Trevor Hemsley, 10 months ago

Attachment: VBox.log added

vbox log file

comment:1 by tekstryder, 10 months ago

Thanks for filing this @TrevorPH.

I ran into a field-spanning write as well with VB 7.0.10 on kernel 6.5.3, but forgot to file an issue.

In my case it was pLoggerInt->afGroups

Sep 12 11:00:48 kernel: SUPR0GipMap: fGetGipCpu=0x1b
Sep 12 11:00:49 kernel: vboxdrv: 000000008dd8f8a5 VMMR0.r0
Sep 12 11:00:49 kernel: vboxdrv: 00000000471f66f1 VBoxDDR0.r0
Sep 12 11:00:49 kernel: ------------[ cut here ]------------
Sep 12 11:00:49 kernel: memcpy: detected field-spanning write (size 1652) of single field "pLoggerInt->afGroups" at /var/lib/dkms/vboxhost/7.0.10_OSE/build/vboxdrv/common/log/log.c:2934 (size 4)
Sep 12 11:00:49 kernel: WARNING: CPU: 8 PID: 168236 at /var/lib/dkms/vboxhost/7.0.10_OSE/build/vboxdrv/common/log/log.c:2934 VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv]
Sep 12 11:00:49 kernel: Modules linked in: rfkill xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter dm_crypt cbc encrypted_keys trusted asn1_encoder tee hid_logitech_hidpp mousedev hid_logitech_dj snd_usb_audio snd_usbmidi_lib snd_ump snd_rawmidi snd_seq_device joydev mc snd_sof_pci_intel_tgl snd_sof_intel_hda_common soundwire_intel snd_sof_intel_hda_mlink nls_iso8859_1 soundwire_cadence snd_sof_intel_hda vfat snd_sof_pci fat snd_sof_xtensa_dsp snd_sof snd_sof_utils snd_soc_hdac_hda snd_hda_ext_core snd_soc_acpi_intel_match snd_soc_acpi soundwire_generic_allocation soundwire_bus intel_rapl_msr intel_rapl_common snd_soc_core intel_uncore_frequency intel_uncore_frequency_common snd_compress ac97_bus x86_pkg_temp_thermal intel_powerclamp snd_pcm_dmaengine coretemp kvm_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm snd_hda_core snd_hwdep iTCO_wdt irqbypass snd_pcm intel_pmc_bxt rapl mei_pxp pmt_telemetry iTCO_vendor_support mei_hdcp ee1004 spi_nor snd_timer intel_cstate pmt_class wmi_bmof
Sep 12 11:00:49 kernel:  i2c_i801 intel_uncore mei_me mtd snd mxm_wmi pcspkr igc soundcore i2c_smbus mei intel_vsec serial_multi_instantiate acpi_tad acpi_pad mac_hid vboxnetflt(OE) vboxnetadp(OE) vboxdrv(OE) sg crypto_user fuse loop dm_mod ip_tables x_tables usbhid nvidia_uvm(POE) nvidia_drm(POE) nvidia_modeset(POE) raid10 md_mod nvidia(POE) ext4 crc32c_generic crc16 mbcache jbd2 crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni polyval_generic gf128mul ghash_clmulni_intel nvme sha512_ssse3 aesni_intel nvme_core crypto_simd spi_intel_pci cryptd xhci_pci spi_intel nvme_common video xhci_pci_renesas wmi
Sep 12 11:00:49 kernel: CPU: 8 PID: 168236 Comm: EMT-0 Tainted: P           OE      6.5.2-arch1-1 #1 d2912f929551bc8e9b95af790b8285a77c25fa29
Sep 12 11:00:49 kernel: Hardware name: Micro-Star International Co., Ltd. MS-7D31/MPG Z690 EDGE WIFI DDR4 (MS-7D31), BIOS 1.30 03/22/2022
Sep 12 11:00:49 kernel: RIP: 0010:VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv]
Sep 12 11:00:49 kernel: Code: 3d ff 05 02 00 00 75 92 b9 04 00 00 00 48 c7 c2 00 6d 42 c4 4c 89 e6 48 c7 c7 68 6c 42 c4 c6 05 e0 05 02 00 01 e8 9a 0b 70 bf <0f> 0b e9 69 ff ff ff 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90
Sep 12 11:00:49 kernel: RSP: 0018:ffffbd78472afcc8 EFLAGS: 00010286
Sep 12 11:00:49 kernel: RAX: 0000000000000000 RBX: ffff9437a2551010 RCX: 0000000000000027
Sep 12 11:00:49 kernel: RDX: ffff9446302216c8 RSI: 0000000000000001 RDI: ffff9446302216c0
Sep 12 11:00:49 kernel: RBP: ffffbd78472afcf8 R08: 0000000000000000 R09: ffffbd78472afb58
Sep 12 11:00:49 kernel: R10: 0000000000000003 R11: ffff9446707a78a8 R12: 0000000000000674
Sep 12 11:00:49 kernel: R13: ffff9437a25510cc R14: 000000000000019d R15: ffff943ddc3fa858
Sep 12 11:00:49 kernel: FS:  00007f4f4e1ff6c0(0000) GS:ffff944630200000(0000) knlGS:0000000000000000
Sep 12 11:00:49 kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Sep 12 11:00:49 kernel: CR2: 00007f4f66e03650 CR3: 00000001d54ae000 CR4: 0000000000f50ee0
Sep 12 11:00:49 kernel: PKRU: 55555554
Sep 12 11:00:49 kernel: Call Trace:
Sep 12 11:00:49 kernel:  <TASK>
Sep 12 11:00:49 kernel:  ? VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? __warn+0x81/0x130
Sep 12 11:00:49 kernel:  ? VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? report_bug+0x171/0x1a0
Sep 12 11:00:49 kernel:  ? prb_read_valid+0x1b/0x30
Sep 12 11:00:49 kernel:  ? handle_bug+0x3c/0x80
Sep 12 11:00:49 kernel:  ? exc_invalid_op+0x17/0x70
Sep 12 11:00:49 kernel:  ? asm_exc_invalid_op+0x1a/0x20
Sep 12 11:00:49 kernel:  ? VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? VBoxHost_RTLogBulkUpdate+0x176/0x180 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? supdrvIOCtl+0x17e9/0x31b0 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? __check_object_size+0x264/0x2d0
Sep 12 11:00:49 kernel:  ? VBoxDrvLinuxIOCtl_7_0_10+0x169/0x260 [vboxdrv a8007100fe3747a14f46b794a79332fd9cbd3da2]
Sep 12 11:00:49 kernel:  ? __x64_sys_ioctl+0x94/0xd0
Sep 12 11:00:49 kernel:  ? do_syscall_64+0x5d/0x90
Sep 12 11:00:49 kernel:  ? __count_memcg_events+0x42/0x90
Sep 12 11:00:49 kernel:  ? count_memcg_events.constprop.0+0x1a/0x30
Sep 12 11:00:49 kernel:  ? handle_mm_fault+0x9e/0x350
Sep 12 11:00:49 kernel:  ? do_user_addr_fault+0x225/0x640
Sep 12 11:00:49 kernel:  ? exc_page_fault+0x7f/0x180
Sep 12 11:00:49 kernel:  ? entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Sep 12 11:00:49 kernel:  </TASK>
Sep 12 11:00:49 kernel: ---[ end trace 0000000000000000 ]---

Last edited 10 months ago by tekstryder (previous) (diff)

comment:2 by Trevor Hemsley, 10 months ago

The one you quoted looks like the second one that I got.

I was also wrong about when this occurs. I thought it was at VM startup but it's not; I think it is when vboxdrv starts during boot. So far, everything seems to be working and my VM runs.

comment:3 by fth0, 10 months ago

FWIW, VirtualBox uses several internal structures where the last element has a flexible size and where a memcpy() will trigger this warning on Linux hosts/guests.

The two structures mentioned in your reports are clearly of this type, so IMHO you can regard the warnings as a red herring.

Disclaimer: I'm not affiliated with Oracle or the VirtualBox development.

in reply to: 3; comment:4 by tekstryder, 10 months ago

Replying to fth0:

FWIW, VirtualBox uses several internal structures where the last element has a flexible size and where a memcpy() will trigger this warning on Linux hosts/guests.

The two structures mentioned in your reports are clearly of this type, so IMHO you can regard the warnings as a red herring.

I believe you are mistakenly using the term 'red herring', as the issue here is the memcpy() warning(s) themselves.

If the kernel is generating a WARNING and stacktrace, there's a good chance Virtualbox code is doing something it shouldn't. The smaller, less likely possibility would be that there's a bug in memcpy() triggering these warnings as false positives.

Last edited 10 months ago by tekstryder (previous) (diff)

comment:5 by Trevor Hemsley, 10 months ago

"size 13" and "pNew->szName" I would suspect is trying to copy the name of the interface in question to the field as my bridged connection is using enp12s0f0np0 as its interface (12 chars + \0).

in reply to: 4; comment:6 by fth0, 10 months ago

No, I really meant what I wrote. ;)

For example, pNew->szName is the last element of the C++ structure VBOXNETFLTINS and deliberately declared as char szName[1]; (note the 1). When dynamically allocating the memory for a VBOXNETFLTINS object at run-time, the correct size is calculated and used for the allocation and the memcpy() (e.g. +13). The "stricter memcpy() compile-time bounds checking" compares the run-time size value (13) with the compile-time array size (1) and emits the warning.
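The pattern fth0 describes, as an added example that is not VirtualBox's own code (struct and function names are invented; the name "enp12s0f0np0" is taken from the report above): the one-element trailing array with an oversized allocation, a check that mirrors how a fortified memcpy() compares the run-time copy length against the field's compile-time size, and the C99 flexible-array-member form that gives the checker no 1-byte field to compare against.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Legacy layout, as described for VBOXNETFLTINS (names invented here): the
 * last member is declared char szName[1] and the real string storage is
 * appended at allocation time. */
struct inst_legacy {
    unsigned flags;
    char szName[1];
};

/* C99 flexible array member: it has no compile-time size, so a fortified
 * memcpy() bounds the write by the allocation instead of by a 1-byte field. */
struct inst_fam {
    unsigned flags;
    char szName[];
};

/* Models the kernel's fortified memcpy() check: the run-time copy length is
 * compared with the destination field's compile-time size. */
int field_spanning(size_t copy_len, size_t field_size)
{
    return copy_len > field_size;
}

/* Allocate the legacy form. The allocation is correct at run time, but the
 * copy length (13 for "enp12s0f0np0") exceeds sizeof(szName) == 1, which is
 * exactly what the warning on this ticket reports. *warned gets that verdict. */
struct inst_legacy *make_legacy(const char *name, int *warned)
{
    size_t cb = strlen(name) + 1;
    struct inst_legacy *p = malloc(offsetof(struct inst_legacy, szName) + cb);
    if (!p)
        return NULL;
    p->flags = 0;
    *warned = field_spanning(cb, sizeof p->szName);
    memcpy(p->szName, name, cb);
    return p;
}

/* Same allocation with a flexible array member: sizeof(p->szName) would not
 * even compile, and the checker has no 1-byte field to compare the copy against. */
struct inst_fam *make_fam(const char *name)
{
    size_t cb = strlen(name) + 1;
    struct inst_fam *p = malloc(sizeof *p + cb);
    if (!p)
        return NULL;
    p->flags = 0;
    memcpy(p->szName, name, cb);
    return p;
}
```

Both allocations hold the full interface name correctly; only the legacy form trips the size comparison, which is why the warning is noise about the declaration style rather than a memory error.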

comment:7 by tekstryder, 10 months ago

Great explanation for what's happening, thanks @fth0. Been quite a while (decades) since I did any serious professional development in C++, and I'm not familiar with modern techniques to avoid this scenario off the top of my head. I'll do some research. Clearly this issue should be addressed with some 'best practice'.

Again, tho, and just arguing semantics here I guess... it's not a red herring. It's an issue in and of itself. If, for example, my host system or Virtualbox were crashing around the time of this error, and I suspected this error was the cause... then we could call this warning a 'red herring'. ;)

Last edited 10 months ago by tekstryder (previous) (diff)

comment:8 by fth0, 10 months ago

If you want to start splitting hairs, then you shouldn't promote a warning to an error IMHO. ;)

I'll have to admit that English is not my native language, so thanks for pointing out that a red herring needs something to distract from. What I wanted to express is that in my understanding the warning message misleads its readers to think that there's a problem, while there isn't any. Although, if I wanted to split hairs, the warning distracts you from thinking everything is alright.

I'm pretty sure that the VirtualBox devs know how to circumvent the warning, because they've already done that in several other places.

in reply to: 8; comment:9 by tekstryder, 10 months ago

Replying to fth0:

If you want to start splitting hairs, then you shouldn't promote a warning to an error IMHO. ;)

Glad you caught that 'error'!


I'll have to admit that English is not my native language

I suspected as much but did not want to assume. Idioms are tough.


I'm pretty sure that the VirtualBox devs know how to circumvent the warning, because they've already done that in several other places.

If so, let's hope they can address this/these occurrences similarly. Cheers!

Last edited 10 months ago by tekstryder (previous) (diff)

comment:10 by galitsyn, 10 months ago

Hi guys,

This issue should now be fixed on the development branch. Please consider giving one of the builds from the Test Builds page a try. Thank you for reporting.

in reply to: 10; comment:11 by tekstryder, 10 months ago

Replying to galitsyn:

Hi guys,

This issue should now be fixed on the development branch. Please consider giving one of the builds from the Test Builds page a try. Thank you for reporting.

Thanks so much for the quick resolution here @galitsyn.

I won't be able to test until 7.0.12 release, but look forward to (not) seeing this change.

comment:12 by galitsyn, 9 months ago

Resolution: fixed
Status: new -> closed

Hi guys,

We just released a new version of VirtualBox today. This issue should be fixed there. Closing it. Please leave a comment if it is still an issue for you. As usual, builds are available on the Downloads page. Thank you for reporting.
