18362 – Possible kernel memory corruption due to wrong usage of CDROM_SEND_PACKET

Bug 18362 - Possible kernel memory corruption due to wrong usage of CDROM_SEND_PACKET

Summary: Possible kernel memory corruption due to wrong usage of CDROM_SEND_PACKET

Status:	NEW

Alias:	None

Product:	IO/Storage
Classification:	Unclassified
Component:	SCSI (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	linux-scsi@vger.kernel.org

URL:
Keywords:

Depends on:
Blocks:

Reported:	2010-09-12 20:46 UTC by Alexander Eichner
Modified:	2012-05-14 14:51 UTC (History)
CC List:	3 users (show)

See Also:
Kernel Version:	2.6.32-23-generic
Subsystem:
Regression:	No
Bisected commit-id:

Attachments
Kernel log (9.45 KB, text/x-log) 2010-09-12 20:46 UTC, Alexander Eichner	Details
The raw packet trace leading to the corruption. Every line is exactly one CDB (383.45 KB, application/octet-stream) 2010-09-12 20:47 UTC, Alexander Eichner	Details
Testcase (35.34 KB, application/x-gzip) 2010-09-12 20:52 UTC, Alexander Eichner	Details
Add an attachment (proposed patch, testcase, etc.)

Description Alexander Eichner 2010-09-12 20:46:52 UTC

Created attachment 29672 [details]
Kernel log

Hi,

a recent bug in VirtualBox showed a possible problem with buffer length and transfer direction validation for SCSI commands issued with the CDROM_SEND_PACKET ioctl.
What happened is that the bug resulted in a 0 buffer length reported to the kernel for a READ CD SCSI command (0xbe) while the CDB indicated a data transfer.
My guess is that the device overwrites random system memory when transferring the data. This resulted in random hangs, GP faults or messages about corrupted page tables.

The host is Ubuntu 10.04 amd64. The CD drive is attached through SATA. This happens only when reading a audio CD.

I'll attach a sample from the kernel log, the raw CDB packet trace which leads to the corruption and a sample application which shows the problem here. I can't say if this happens with every audio CD or if the sample application works with everyone.

An alternative way is to checkout the public VirtualBox svn repository before revision r32068 (see http://www.virtualbox.org/wiki/Downloads), configure a VM which has a host CD/DVD attached and passthrough enabled. Then insert a audio CD and try to play it in the guest. This leads to one of the mentioned issues sooner or later.

I opened this bug because I couldn't find anything similar or a note that this is a known issue. Hope this is of use for someone.

Comment 1 Alexander Eichner 2010-09-12 20:47:42 UTC

Created attachment 29682 [details]
The raw packet trace leading to the corruption. Every line is exactly one CDB

Comment 2 Alexander Eichner 2010-09-12 20:52:26 UTC

Created attachment 29692 [details]
Testcase

The testcase contains 3 files:

gen-cmd-trace.sh generates a header from the packet trace.
cmd_trace.h contains the output of the script
cd_passthrough_oops.c is the main source of the program.

Compile with: gcc -o test cd_passthrough_oops.c

Then insert an audio CD and execute ./test
You need read/write access to /dev/sr0 (if your device is named different change the path in the source accordingly).

The testcase was made rather quickly so it has a few rough edges :) You have to remove the last , in the generated header for example to make it compile.

Note You need to log in before you can comment on or make changes to this bug.