Oracle Virtualbox - be aware of version 7

mikeymikec

Lifer
May 19, 2011
18,471
11,093
136
From what I've been reading about 7 in general (including when Windows is the host operating system - as opposed to guest) as well as my subsequent issues with 7 with a Linux host is that it's a bit of a clown car.

I've spent at least an hour (maybe two) over the last few days to nail down a VB7 issue which appears to be Win7 guest + ICH9 chipset = Win7 either freezes on shut down, never shuts down, or the VM doesn't gracefully close after OS shutdown. I set the chipset back to PIIX3 (the default) and the problem went away. Another user's solution was changing the VM config from just OCHI to XHCI.

I've never had this sort of problem with VB until 7 (and I only upgraded to VB7 on Linux Mint 21 because I'm running AM5 and apparently a recent kernel update fudged VB6 completely). IMO if you're using version 6 without issue, I'd stay with it for as long as you can.
 

ssokolow

Member
Jun 15, 2024
27
10
51
ssokolow.com
Would the breakage with that recent kernel update be UBSAN failures in the VirtualBox kernel modules?

I got those on Kubuntu 22.04 LTS with the 6.5 HWE kernel and I had to downgrade my mother's laptop to to the 5.x non-HWE series because 6.5 was also causing UBSAN failures with the AMD video drivers.

Another thing you could try (I haven't yet but, according to a Phoronix commenter, it does work on AMD even if it's only officially ready on Intel) is this project, which allows VirtualBox to use KVM on the backend instead of the VirtualBox kernel modules:

 

mikeymikec

Lifer
May 19, 2011
18,471
11,093
136
Would the breakage with that recent kernel update be UBSAN failures in the VirtualBox kernel modules?

I got those on Kubuntu 22.04 LTS with the 6.5 HWE kernel and I had to downgrade my mother's laptop to to the 5.x non-HWE series because 6.5 was also causing UBSAN failures with the AMD video drivers.

I don't know but in response to my original query a Mint forum user said this:

"The reason why the 6.50 version (default on Mint) doesn't work anymore is explained in a sticky post on the Virtualbox forum, and it has to do with something called IBT, which I won't pretend to know much about."
 

ssokolow

Member
Jun 15, 2024
27
10
51
ssokolow.com
Ahh. According to this Reddit thread, it's also affecting the combination of nVidia binary drivers and newer-generation Intel CPUs.

Basically, IBT (short for Indirect Branch Tracking) is a security feature where either the compiler or, in fancier cases, the program needs to mark the intended behaviours and then the CPU hardware itself will faul into the kernel if things don't unfold that way.

First was protected mode, where programs in OSes with memory protection (eg. Windows NT, parts of Windows 9x not needed for backwards compatibility, Linux, Mac OS X, etc.) would slam into a wall and die if they tried to read or write memory they hadn't asked the kernel to grant them, thus preventing them from corrupting or crashing other things. (Technically, that works by having the kernel only install virtual-to-physical mappings for memory addresses granted to the program, so the CPU will jump into the kernel with a "couldn't look that up" error.)

Then, AMD's NX-bit (No eXecute) which Intel called ED-bit (Execute Disable) and Microsoft referred to by the broader term "Hardware DEP", which allowed the OS to adopt a policy that, except for old programs that need backwards compatibility, memory is either marked as writable or as executable but not both and programs like JIT compilers needed to be updated to stop opting out of it and, instead, all a special API to say "OK, I'm done generating this code, now lock it and allow it to be executed". (Again, the CPU then jumps into a kernel handler if it runs into a disallowed operation.)

This is also why trying to dereference NULL pointers crashes programs. As a protection, modern kernels leave page of memory (i.e. 1K to 4K, depending on platform) containing the 0 address (or whichever NULL is as a literal value) unmapped.

IBT is part of a set of new protections Intel cooked up named CET (Control-flow Enforcement Technology). I can't remember which Ryzen generation added them.

I'm not particularly familiar with IBT specifically, but I think you'll get the gist of what the CET suite of features do if I explain Shadow Stack (another piece of CET) instead.

Basically, the idea behind Shadow Stack is that, whenever the program hits a CALL instruction to call a function, the CPU not only updates the visible call stack, but also a hidden backup copy stored in "a location who cannot be named" (i.e. stored in physical memory with no virtual address mapping to it). When the program hits a RET instruction to return from the function, the CPU verifies that the visible and hidden copies match and jumps into the kernel handler if they don't. (Basically, think of it as solving an exploit where you could no longer bulldoze a road in front of you wherever you want, but you could go anywhere as long as you forged the map of where you've been and let the system think it was just retracing its steps. This, known as ROP or Return-Oriented Programming, has become popular since things like NX-bit started to get proper uptake in things like the JIT engines in JavaScript runtimes which need to be able to write to memory and then execute it at certain points in their operation but not others.)

IBT, Shadow Stack, etc. all handle different ways that an exploit can trick a program off the rails into executing code the attacker wants.

As for what IBT is. "Branch" is the CPU term for instructions like "jump to memory address A if the values we just compared were not equal" (JNE) and an indirect branch is one where, instead of "Jump to memory address A", it's "Read an address B from the memory at address A and then jump to that address B".

I think you can see why something that emulates or virtualizes another OS or platform would require the most manual programmer involvement in these sorts of things.

Because indirect branches, by their very nature, are for things that cannot be guaranteed to be known at compile time, IBT works by creating a new CPU instruction that just means "it's valid to land here" and changing the branching operations so, if they jump and the requested target isn't a valid landing pad, they'll fault into the kernel instead where, as with all of these other protections, the kernel can then choose to kill the program (the default) or hand off to the debugger so you can inspect it.

https://blog.danielwellman.com/2008/10/real-life-tron-on-an-apple-iigs.html has a very entertaining exploration of what happens when this sort of thing goes awry on a platform without memory protection.
 
  • Like
Reactions: blckgrffn