Bug 18362 - Possible kernel memory corruption due to wrong usage of CDROM_SEND_PACKET
Status: NEW
Product: IO/Storage
Classification: Unclassified
Component: SCSI
Hardware: All
OS: Linux
Importance: P1 normal
Assigned To: linux-scsi@vger.kernel.org
Depends on:
Reported: 2010-09-12 20:46 UTC by Alexander Eichner
Modified: 2012-05-14 14:51 UTC (History)

See Also:
Kernel Version: 2.6.32-23-generic
Tree: Mainline
Regression: No

Kernel log (9.45 KB, text/x-log)
2010-09-12 20:46 UTC, Alexander Eichner
The raw packet trace leading to the corruption. Every line is exactly one CDB (383.45 KB, application/octet-stream)
2010-09-12 20:47 UTC, Alexander Eichner
Testcase (35.34 KB, application/x-gzip)
2010-09-12 20:52 UTC, Alexander Eichner

Description Alexander Eichner 2010-09-12 20:46:52 UTC
Created attachment 29672 [details]
Kernel log


A recent bug in VirtualBox showed a possible problem with buffer length and transfer direction validation for SCSI commands issued with the CDROM_SEND_PACKET ioctl.
What happened is that the bug resulted in a 0 buffer length reported to the kernel for a READ CD SCSI command (0xbe) while the CDB indicated a data transfer.
My guess is that the device overwrites random system memory when transferring the data. This resulted in random hangs, GP faults or messages about corrupted page tables.

The host is Ubuntu 10.04 amd64. The CD drive is attached through SATA. This happens only when reading an audio CD.

I'll attach a sample from the kernel log, the raw CDB packet trace which leads to the corruption and a sample application which shows the problem here. I can't say if this happens with every audio CD or if the sample application works with everyone.

An alternative way is to check out the public VirtualBox svn repository before revision r32068 (see http://www.virtualbox.org/wiki/Downloads), configure a VM which has a host CD/DVD attached and passthrough enabled. Then insert an audio CD and try to play it in the guest. This leads to one of the mentioned issues sooner or later.

I opened this bug because I couldn't find anything similar or a note that this is a known issue. Hope this is of use for someone.
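The mismatch described above (a READ CD CDB whose transfer length is non-zero while the cgc reports a 0-byte buffer) is something the caller can reject before the ioctl is issued. The following is an added example, not the attached testcase and not VirtualBox code: it derives a worst-case byte count from the MMC READ CD CDB fields (transfer length in bytes 6..8, data selection in byte 9, sub-channel selection in byte 10) and checks the user buffer and direction against it. The direction enum is a local stand-in for cgc.data_direction, and the two CDBs at the end are constructed samples, not lines from the trace.

```c
#include <stddef.h>
#include <stdint.h>

/* Local stand-ins for cgc.data_direction (CGC_DATA_NONE/WRITE/READ) so the
 * check builds without <linux/cdrom.h>. Values are an assumption of this example. */
enum { XFER_NONE = 0, XFER_WRITE = 1, XFER_READ = 2 };

/* Upper bound on bytes the drive may return per block for a READ CD CDB.
 * Worst case over all sector types is used deliberately: a buffer sized for
 * the worst case cannot be overrun whatever the disc actually contains. */
size_t read_cd_max_bytes_per_block(const uint8_t cdb[12])
{
    size_t n = 0;
    uint8_t f = cdb[9];
    if (f & 0x80) n += 12;             /* sync */
    if (f & 0x20) n += 4;              /* header */
    if (f & 0x40) n += 8;              /* sub-header */
    if (f & 0x10) n += 2352;           /* user data: 2352 for CD-DA, less for data modes */
    if (f & 0x08) n += 288;            /* EDC/ECC */
    if ((f & 0x06) == 0x02) n += 294;  /* C2 error bits */
    if ((f & 0x06) == 0x04) n += 296;  /* C2 error bits + block error byte */
    switch (cdb[10] & 0x07) {          /* sub-channel selection */
    case 1: n += 96; break;            /* raw P-W */
    case 2: n += 16; break;            /* formatted Q */
    case 4: n += 96; break;            /* corrected R-W */
    }
    return n;
}

/* 0 when buflen/direction can hold what the CDB asks for, -1 when issuing the
 * cgc would let the drive DMA past the buffer (the case in this report:
 * transfer length > 0 in bytes 6..8 but buflen == 0). */
int read_cd_cgc_is_safe(const uint8_t cdb[12], size_t buflen, int direction)
{
    if (cdb[0] != 0xBE)
        return -1;  /* not READ CD; other opcodes need their own length rule */
    size_t blocks = ((size_t)cdb[6] << 16) | ((size_t)cdb[7] << 8) | cdb[8];
    size_t need = blocks * read_cd_max_bytes_per_block(cdb);
    if (need == 0)
        return 0;   /* CDB requests no data, so buflen is irrelevant */
    if (direction != XFER_READ)
        return -1;  /* data expected but direction disagrees */
    return buflen >= need ? 0 : -1;
}

/* Constructed sample CDBs (not from the attached trace): 27 CD-DA blocks of
 * user data, and the same command with every data field cleared. */
static const uint8_t AUDIO_READ_CD[12] = {0xBE, 0x04, 0, 0, 0, 0, 0, 0, 27, 0x10, 0, 0};
static const uint8_t EMPTY_READ_CD[12] = {0xBE, 0x04, 0, 0, 0, 0, 0, 0, 27, 0x00, 0, 0};
```

In a real CDROM_SEND_PACKET caller the same check runs on cgc.cmd, cgc.buflen and cgc.data_direction before the ioctl, and a -1 result means the command must not be sent.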
Comment 1 Alexander Eichner 2010-09-12 20:47:42 UTC
Created attachment 29682 [details]
The raw packet trace leading to the corruption. Every line is exactly one CDB
Comment 2 Alexander Eichner 2010-09-12 20:52:26 UTC
Created attachment 29692 [details]

The testcase contains 3 files:

gen-cmd-trace.sh generates a header from the packet trace.
cmd_trace.h contains the output of the script
cd_passthrough_oops.c is the main source of the program.

Compile with: gcc -o test cd_passthrough_oops.c

Then insert an audio CD and execute ./test
You need read/write access to /dev/sr0 (if your device is named differently, change the path in the source accordingly).

The testcase was made rather quickly so it has a few rough edges :) You have to remove the trailing comma in the generated header, for example, to make it compile.
