VirtualBox

Opened 11 years ago

Closed 8 years ago

#11883 closed defect (obsolete)

VM Crash when inserting CCID Smart Card

Reported by: Floyd21_fr
Owned by:
Component: USB
Version: VirtualBox 4.2.12
Keywords:
Cc:
Guest type: Linux
Host type: Linux

Description

Hello everyone,

Problem: VM crash when inserting a specific CCID smart card reader
Smart Card model: Weneo SIM http://www.neowave.fr/en/weneo_std_pass_sim.html
Host: Ubuntu 13.04 64bits and Windows 7 64bits

Guest : Tested with Ubuntu 12.04, 12.10, 13.04 64bits, Debian 7.1 64bits
There is no problem with Ubuntu 11.10 as guest
VirtualBox version tested: 4.2.10, 4.2.12, and from SVN

The VM crashes when the Smart Card is inserted and if the pcscd daemon is launched. If not, it doesn't crash. As soon as pcscd is launched, the VM crashes 5s later (aborted).
The VM doesn't crash with other smart card readers (such as Gemalto USB Shell Token V2).
pcscd and libccid have been used with the official packages (stable) and compiled manually.
A lot of combinations have been tested.

We have been able to detect the problem and produce a workaround:

The log in /var/log/syslog gives us a clue:

Jun 17 11:22:49 ubuntu kernel: [233678.352861] EMT[16311]: segfault at b0 ip 00007f75f81ed9c9 sp 00007f75fabe1a30 error 4 in VBoxDD.so[7f75f80f9000+230000]

When using gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fd3d1ce3700 (LWP 26958)]
usbProxyLinuxUrbCancel (pUrb=0x7fd3c835abe0) at /home/florent/vmware/vbox/src/VBox/Devices/USB/linux/USBProxyDevice-linux.cpp:1919
1919        if (pUrbLnx->pSplitHead)
(gdb)

So the problem comes from USBProxyDevice-linux.cpp line 1919.

The problem is that when using a Weneo reader, the struct pointer pUrbLnx is NULL...

Attached three files with an extract of the debugging using gdb:

  1. debug_gemalto: output when using a reader which doesn't make the VM crash
  2. debug_neowave: output when using a Weneo reader which makes the VM crash (notice the pvPrivate pointer which is NULL)
  3. debug_neowave_FIXED: output when using a Weneo reader with our patch

You'll also find these files:

  1. The VBox.log file
  2. The core dump file

These files have been produced using the VirtualBox source code from the trunk branch but it will also work with the 4.2.12 version.

We've been able to fix the problem by applying the attached patch (updateUSB.patch) to the file USBProxyDevice-linux.cpp

Regards

Attachments (5)

debug_gemalto (4.0 KB ) - added by Floyd21_fr 11 years ago.
debug_neowave (4.0 KB ) - added by Floyd21_fr 11 years ago.
debug_neowave_FIXED (3.6 KB ) - added by Floyd21_fr 11 years ago.
VBox.log (50.6 KB ) - added by Floyd21_fr 11 years ago.
updateUSB.patch (1.0 KB ) - added by Floyd21_fr 11 years ago.


Change History (8)

by Floyd21_fr, 11 years ago

Attachment: debug_gemalto added

by Floyd21_fr, 11 years ago

Attachment: debug_neowave added

by Floyd21_fr, 11 years ago

Attachment: debug_neowave_FIXED added

by Floyd21_fr, 11 years ago

Attachment: VBox.log added

by Floyd21_fr, 11 years ago

Attachment: updateUSB.patch added

comment:1 by Klaus Espenlaub, 10 years ago

For the record: the attached patch isn't meeting the quality standards and thus has no chance of getting applied. It is an unexplained magical change to code which shouldn't need to handle the NULL case. If anyone would explain to us what situation this handles differently (and why it makes any sense cancelling a NULL URB) this might change, but the place where the fix is applied doesn't look sane.

The patch could be adapted to 4.3 without much effort, but we'd rather get the information (or the USB device to work on the problem ourselves) necessary to create a proper fix than dragging on this incorrect solution.

comment:2 by Floyd21_fr, 10 years ago

Hello,

Thanks for the clarification of the poor quality of the patch we submitted. I think we got the message.

I am not a qualified developer and I do not know your developing rules. This patch was merely a quick and dirty workaround to get things working.

The point of this defect was to describe a behaviour in which VirtualBox is crashing. This is not a magical situation. At some point, the pointer is null which leads to a segmentation fault. This is a fact. This proves that, yes, you have to handle the NULL case. Handling Null pointers is a coding rule, isn't it? And just asserting it doesn't need to be handled seems a little bit overconfident to me (I am sorry, I also don't understand why it would be stupid to cancel a NULL URB. This is apparently what the patch is doing. It is certainly wrong but at that time it was the only solution I've found. Your reply is the first in a year...)

Now, from a more constructive point of view, we managed to get more information.

Yes the behaviour happens with our USB device - a smartcard reader. This is what makes VirtualBox crash :

  • use a USB device which doesn't handle the USB GetDataRates function
  • in the VM, use a libccid version (< 1.4.15) which doesn't check if the device supports this function and asks for the rates even so. Below is the log of the pcscd daemon:
    00000034 ccid_usb.c:964:get_data_rates() Wrong GET DATA RATES size: 251
  • the device responds in an inconsistent manner. This is badly "interpreted" by VirtualBox during the communication with the reader, which leads to this NULL pointer.

So I think you would be able to reproduce the situation with the following set-up:

  • Host : Ubuntu 12.04
  • Guest : Ubuntu 12.04 with pcscd and libccid from the Ubuntu repository (libccid 1.4.5)
  • a USB smartcard reader which doesn't handle the GetDataRates function (apparently, it is rarely supported). You can check that with the lsusb command :
login@ubuntu:~$ lsusb -d 1e0d:0013 -v

Bus 003 Device 085: ID 1e0d:0013
Couldn't open device, some information will be missing
Device Descriptor:
[...]
        bNumDataRatesSupp.      0
[...]
  • attach the reader to the guest and launch pcscd

I don't know if it will also "work" with another USB device (printer, memory stick, ...) when launching the GetDataRates function "manually" from the Guest.

Best regards
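
Added example, not part of comment:2 or of any project's code: a Python check for the two conditions the comment lists, a reader whose descriptor shows bNumDataRatesSupp 0 and a guest libccid older than 1.4.15. The second sample device and all function names are constructed for illustration; versions are compared as integer tuples because the string "1.4.5" sorts after "1.4.15".

```python
import re

# comment:2 names libccid < 1.4.15 as the versions that ask for the rates unchecked.
FIRST_CHECKING_LIBCCID = (1, 4, 15)

# First device: the lsusb excerpt from comment:2. Second device: constructed for contrast.
SAMPLE_LSUSB = """\
Bus 003 Device 085: ID 1e0d:0013
Device Descriptor:
        bNumDataRatesSupp.      0
Bus 003 Device 086: ID ffff:0001
Device Descriptor:
        bNumDataRatesSupp.     10
"""

DEVICE_RE = re.compile(r"Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})")
RATES_RE = re.compile(r"\s*bNumDataRatesSupp\.?\s+(\d+)")


def parse_version(text):
    """'1.4.5' or '1.4.5-0ubuntu2' -> (1, 4, 5), so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3])


def readers_without_data_rates(lsusb_verbose):
    """Return the USB IDs whose descriptor reports bNumDataRatesSupp of 0."""
    ids, current = [], None
    for line in lsusb_verbose.splitlines():
        device = DEVICE_RE.match(line)
        if device:
            current = device.group(1)  # descriptor lines that follow belong to this ID
            continue
        rates = RATES_RE.match(line)
        if rates and int(rates.group(1)) == 0 and current and current not in ids:
            ids.append(current)
    return ids


def matches_ticket_setup(lsusb_verbose, guest_libccid_version):
    """Report whether both conditions from comment:2 hold for this guest and reader."""
    readers = readers_without_data_rates(lsusb_verbose)
    old_libccid = parse_version(guest_libccid_version) < FIRST_CHECKING_LIBCCID
    return {"readers": readers, "old_libccid": old_libccid,
            "match": bool(readers) and old_libccid}


if __name__ == "__main__":
    print(matches_ticket_setup(SAMPLE_LSUSB, "1.4.5"))
```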

comment:3 by aeichner, 8 years ago

Resolution: obsolete
Status: new → closed

Please reopen if still relevant with a recent VirtualBox release.
