Kernel Bug Tracker – Bug 18362
Possible kernel memory corruption due to wrong usage of CDROM_SEND_PACKET
Last modified: 2012-05-14 14:51:22 UTC
Created attachment 29672 [details]
a recent bug in VirtualBox showed a possible problem with buffer length and transfer direction validation for SCSI commands issued with the CDROM_SEND_PACKET ioctl.
What happened is that the bug resulted in a 0 buffer length reported to the kernel for a READ CD SCSI command (0xbe) while the CDB indicated a data transfer.
My guess is that the device overwrites random system memory when transferring the data. This resulted in random hangs, GP faults or messages about corrupted page tables.
The host is Ubuntu 10.04 amd64. The CD drive is attached through SATA. This happens only when reading a audio CD.
I'll attach a sample from the kernel log, the raw CDB packet trace which leads to the corruption and a sample application which shows the problem here. I can't say if this happens with every audio CD or if the sample application works with everyone.
An alternative way is to checkout the public VirtualBox svn repository before revision r32068 (see http://www.virtualbox.org/wiki/Downloads), configure a VM which has a host CD/DVD attached and passthrough enabled. Then insert a audio CD and try to play it in the guest. This leads to one of the mentioned issues sooner or later.
I opened this bug because I couldn't find anything similar or a note that this is a known issue. Hope this is of use for someone.
Created attachment 29682 [details]
The raw packet trace leading to the corruption. Every line is exactly one CDB
Created attachment 29692 [details]
The testcase contains 3 files:
gen-cmd-trace.sh generates a header from the packet trace.
cmd_trace.h contains the output of the script
cd_passthrough_oops.c is the main source of the program.
Compile with: gcc -o test cd_passthrough_oops.c
Then insert an audio CD and execute ./test
You need read/write access to /dev/sr0 (if your device is named different change the path in the source accordingly).
The testcase was made rather quickly so it has a few rough edges :) You have to remove the last , in the generated header for example to make it compile.