Heap corruption in VBoxSVC.exe leading to crash (possible double free) (#18002)

idrassi
Posts: 3
Joined: 22. Sep 2018, 11:48
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: FreeBSD, Linux, Windows, Haiku

Heap corruption in VBoxSVC.exe leading to crash (possible double free) (#18002)

Post by idrassi »
ModEdit; related ticket: #18002: Heap corruption in VBoxSVC.exe leading to a crash (possibly due to double free)
I have encountered a crash of the latest VBoxSVC.exe 5.2.18.24319 on a Windows 10 host while running two VMs in parallel (one Windows VM and one Linux VM). The crash happened while I was accessing internet resources from the Linux VM.

I have collected a crash dump (minimal) which indicates that the crash is caused by a heap corruption in VBoxSVC.exe while calling the free function from msvcr100.dll. So, this looks like a double-free issue in VBoxSVC.exe.

Usually such an issue can be considered a security one since it can be exploited, so I don't know if I should post the crash dump to the public bug tracker or instead send it to the Oracle security email address.

Thank you in advance for your advice.
Last edited by socratis on 22. Sep 2018, 17:36, edited 1 time in total.
Reason: Added ticket related information.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Heap corruption in VBoxSVC.exe leading to crash (possible double free)

Post by socratis »

It seems that you know your way around. ;)
Here, however, are the user forums, the first line of defense. I would go to the bug tracker and open a new ticket. The developers would then advise you on the best course of action.

BTW, is this thing reproducible?
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
idrassi

Re: Heap corruption in VBoxSVC.exe leading to crash (possible double free)

Post by idrassi »

Thank you for the suggestion. I will open a ticket on the bug tracker.

I could not find a way to reproduce this crash. I use VirtualBox quite often and this is the first time I see this. Usually, I run 3 or 4 VMs at the same time and VBoxSVC never crashed, but this time, with just 2 VMs and no extensive CPU load (just internet browsing), it crashed. I just hope it was not some kind of exploit!
socratis

Re: Heap corruption in VBoxSVC.exe leading to crash (possible double free)

Post by socratis »

idrassi wrote: I could not find a way to reproduce this crash
Then I wouldn't bother with a ticket. A one off crash, that can't be reproduced at will, is going to be hard to track down and fix, no?
idrassi

Re: Heap corruption in VBoxSVC.exe leading to crash (possible double free)

Post by idrassi »

I think the developers will be able to locate the cause of the crash thanks to the crash dump I created.
Normally, if one has access to the debug symbols of the official VirtualBox build, then he can identify the functions and/or methods involved in freeing this specific memory location, and from there he would analyze the code execution path to identify the weaknesses in the code that allowed this memory to be corrupted or double freed. At least, this is how I would have done it.

Anyway, I created a ticket in the bug tracker and I will see if there will be any response.
socratis

Re: Heap corruption in VBoxSVC.exe leading to crash (possible double free) (#18002)

Post by socratis »

That's fine, I know just enough to be dangerous in any event... ;)
I linked the ticket and the discussion.