On 3/28/18 11:07 AM, Piotr Gabriel Kosinski wrote:
> When trying to read raw data from a CD drive using CDROMREADRAW ioctl
> when a CD is not present, the kernel crashes with a stack corruption
> error in mmc_ioctl_cdrom_read_data.
> 
> From my (cursory) analysis it looks like the bug is caused by size
> mismatch between:
> - struct request_sense (64 bytes), used inside mmc_ioctl_cdrom_read_data
> - unsigned char[96], expected inside scsi_execute
> 
> When the request_sense struct is passed to the cdrom_read_block, which
> then ultimately calls scsi_execute, the struct gets overwritten and
> overrun in drivers/scsi/scsi_lib.c:289:
> 
> if (sense && rq->sense_len)
>         memcpy(sense, rq->sense, SCSI_SENSE_BUFFERSIZE);
> 
> I have recompiled the module with a hacky fix which replaces (in
> mmc_ioctl_cdrom_read_data):
> 
> struct request_sense sense;
> 
> with
> 
> union {
>         struct request_sense data;
>         unsigned char buf[SCSI_SENSE_BUFFERSIZE];
> } sense;
> 
> and that fixes the problem completely. The ioctl returns ENOMEDIUM as 
> expected.

Thanks for debugging this. However, the scsi code looks a bit dangerous,
if it assumes that ->sense_len is >= SCSI_SENSE_BUFFERSIZE. I think the
correct fix would be to fix that assumption, and ensure that the path
of sr is correctly setting sense_len.

-- 
Jens Axboe
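The size mismatch described in the report, and the two ways of closing it (the union Piotr used, and a copy bounded by the caller's length as Jens suggests), as an added user-space C model; this is not kernel code and not from the thread. `struct request_sense` here is a simplified 64-byte layout standing in for the one in include/uapi/linux/cdrom.h, the 96-byte sense bytes are constructed, and `copy_sense_unbounded`/`copy_sense_bounded` are stand-ins for the quoted memcpy in scsi_lib.c, not the real functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCSI_SENSE_BUFFERSIZE 96   /* midlayer sense buffer size */

/* Model of struct request_sense: the real one is also 64 bytes; the field
 * layout here is simplified, only the size and byte offsets 0/2/12/13 matter. */
struct request_sense {
    unsigned char error_code;      /* byte 0 */
    unsigned char segment_number;  /* byte 1 */
    unsigned char sense_key;       /* byte 2 */
    unsigned char information[4];
    unsigned char add_sense_len;
    unsigned char command_info[4];
    unsigned char asc;             /* byte 12 */
    unsigned char ascq;            /* byte 13 */
    unsigned char fruc;
    unsigned char sks[3];
    unsigned char asb[46];         /* pads the struct out to 64 bytes */
};

/* The fix from the report: storage big enough for the midlayer's copy. */
union sense_buf {
    struct request_sense data;
    unsigned char buf[SCSI_SENSE_BUFFERSIZE];
};

/* Constructed rq->sense: fixed-format sense, NOT READY (0x02) with
 * ASC 0x3A MEDIUM NOT PRESENT, the rest 0xAA so an overrun is visible. */
static void fake_rq_sense(unsigned char *rq_sense)
{
    memset(rq_sense, 0xAA, SCSI_SENSE_BUFFERSIZE);
    rq_sense[0] = 0x70; rq_sense[2] = 0x02; rq_sense[7] = 0x0a;
    rq_sense[12] = 0x3a; rq_sense[13] = 0x00;
}

/* The quoted pattern: copy length is the midlayer constant, not the
 * size of whatever the caller actually passed. */
static void copy_sense_unbounded(unsigned char *sense, const unsigned char *rq_sense)
{
    memcpy(sense, rq_sense, SCSI_SENSE_BUFFERSIZE);
}

/* Bounded variant: never copy more than the caller's sense_len. */
static size_t copy_sense_bounded(unsigned char *sense, size_t sense_len,
                                 const unsigned char *rq_sense, size_t rq_sense_len)
{
    size_t n = rq_sense_len < sense_len ? rq_sense_len : sense_len;
    if (sense && n)
        memcpy(sense, rq_sense, n);
    return n;
}

/* 64-byte struct followed by a 32-byte canary in the space the unbounded
 * copy spills into (on the kernel stack that is whatever follows the
 * struct). Copying into the whole probe keeps the demo well-defined. */
struct probe {
    struct request_sense sense;
    unsigned char canary[SCSI_SENSE_BUFFERSIZE - sizeof(struct request_sense)];
};

/* Returns 1 if the unbounded copy wrote past the 64-byte struct. */
int unbounded_copy_clobbers_canary(void)
{
    unsigned char rq_sense[SCSI_SENSE_BUFFERSIZE];
    struct probe p;
    size_t i;

    fake_rq_sense(rq_sense);
    memset(&p, 0, sizeof p);
    copy_sense_unbounded((unsigned char *)&p, rq_sense);
    for (i = 0; i < sizeof p.canary; i++)
        if (p.canary[i] != 0)
            return 1;
    return 0;
}

/* With the union there is room for the full copy; returns the sense key. */
int union_fix_sense_key(void)
{
    unsigned char rq_sense[SCSI_SENSE_BUFFERSIZE];
    union sense_buf sense;

    fake_rq_sense(rq_sense);
    copy_sense_unbounded(sense.buf, rq_sense);
    return sense.data.sense_key;
}

/* Bounded copy into the original 64-byte struct: returns bytes copied. */
size_t bounded_copy_into_struct(void)
{
    unsigned char rq_sense[SCSI_SENSE_BUFFERSIZE];
    struct request_sense sense;

    fake_rq_sense(rq_sense);
    return copy_sense_bounded((unsigned char *)&sense, sizeof sense,
                              rq_sense, SCSI_SENSE_BUFFERSIZE);
}

int main(void)
{
    printf("request_sense=%zu SCSI_SENSE_BUFFERSIZE=%d\n",
           sizeof(struct request_sense), SCSI_SENSE_BUFFERSIZE);
    printf("canary clobbered=%d sense_key=0x%02x bounded=%zu\n",
           unbounded_copy_clobbers_canary(), union_fix_sense_key(),
           bounded_copy_into_struct());
    return 0;
}
```

The union only widens the caller's buffer; the bounded copy is what removes the midlayer's assumption that every caller's buffer is at least SCSI_SENSE_BUFFERSIZE, which is the fix direction Jens's reply points at. In the kernel either change also needs the sr path to pass a correct sense_len.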
