Weird Windows XP storage drivers behavior

Today, using http://members.aol.com/plscsi/tools/pldd/ I made a concrete test of reads past the media boundary, using a command such as:

pldd of=c:\test.txt if=\\.\d: bs=64k skip=45000 count=16

D: is my DVD-ROM drive, containing a disc of 44800 blocks of 64 KB (according to the IOCTL_DISK_GET_DRIVE_GEOMETRY response*).

This generates the following bus activity (captured with busTRACE 5.0 under Windows XP, with administrator privileges):

Error Indicator:                 Success
Originator:                      cdrom.sys
Command 1:                       Test Unit Ready
Command 2:                       00 00 00 00 00 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      udfs.sys
Command 1:                       Read Capacity (10)
Command 2:                       25 00 00 00 00 00 00 00 00 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Failure
Originator:                      udfs.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 F9 00 00 00 20 00

Error Summary:                   21h 00h (Logical block address out of range)
IRP Status:                      00000000h (The operation completed successfully.)
Target Status:                   02h (SCSISTAT_CHECK_CONDITION)
Sense Key:                       05h (Illegal Request)
Sense Code:                      21h 00h (Logical block address out of range)
Sense Data:                      70 00 05 00 00 00 00 0A 00 00 00 00 21 00 00 00 00 00

An address far out of range behaves the same (I tested pldd of=c:\test.txt if=\\.\d: bs=64k skip=99000 count=16).

So when the file system performs the read, it does query the disc size (the Read Capacity above)... but it does not block out-of-bounds I/Os: the Read (10) is still sent to the drive, which rejects it itself with Illegal Request / Logical block address out of range.

Surprisingly, when testing this under an unprivileged user test account, a different driver gets to perform the requested read, classpnp.sys. And this one does not even permit reading the whole disc:

C:\test>pldd of=c:\test\test.txt if=\\.\d: bs=64k skip=44828 count=10
618496 = 0x97000 bytes copied, 655360 = 0xA0000 bytes tried

Matching bus activity:

Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E3 80 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E3 A0 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E3 C0 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E3 E0 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 00 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 20 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 40 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 60 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 80 00 00 20 00

Error Summary:                   Command completed successfully without error

———————————————————————————
Error Indicator:                 Success
Originator:                      classpnp.sys
Command 1:                       Read (10)
Command 2:                       28 00 00 15 E4 A0 00 00 0E 00

Error Summary:                   Command completed successfully without error

Notice the transfer length truncated to 0Eh blocks instead of 20h for the last read.

Manually provoked Read Capacity (returned data: last LBA 15E54Fh, block length 800h = 2048 bytes):

———————————————————————————
Error Indicator:                 Success
Originator:                      incdrm.sys
Command 1:                       Read Capacity (10)
Command 2:                       25 00 00 00 00 00 00 00 00 00

Error Summary:                   Command completed successfully without error

Raw Data
00000000  00 15 E5 4F 00 00 08 00

Why does classpnp.sys stop reading at LBA 15E4AEh when the disc's last LBA is 15E54Fh??? Is that a bug?

These results were submitted to the T10 and Mt. Fuji reflectors, where a discussion of the command set for hybrid discs (HD DVD and BD flavors) is going on. Microsoft engineer Henry had previously reported:

"[…] my previous e-mail regarding normal READ operation restrictions on CDROM media was incorrect.  This information was based on my looking at new Microsoft Windows Vista sources.  So, while reads past the end of capacity are acceptable for Win2k/XP/Server2003, Windows Vista will have different restrictions based on the current media type inserted.  In all cases (including Windows Vista), the READ_CD command (IOCTL_CDROM_RAW_READ) is never checked for valid LBAs, and must be properly handled by the drive firmware.  So, there will always be a method to read from past the capacity of the media."

"There is no IOCTL for a READ.  READ and WRITE are handled by the normal operation of the file systems or by normal READ request by application on the device."

I attempted to confirm his theoretical study with concrete testing.


*: I could not match the value of 44800 blocks (700 cylinders, 64 tracks per cylinder, 32 sectors per track, 2048 bytes per sector), i.e. 15E000h sectors, with the capacity returned by the device (15E550h sectors). Why are 550h sectors lost?
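The following Python script is an added example (not part of the original post, and not code from pldd, busTRACE or Windows) that decodes the SCSI traffic in the captures above and reproduces the numbers from the two pldd runs: it maps bs/skip/count to the READ (10) CDBs the trace shows, models the clamp that classpnp.sys applied to the skip=44828 run (the 0Eh-block last read and the 618496 bytes copied), parses the READ CAPACITY (10) reply, and checks one candidate explanation for the footnote's missing 550h sectors: that the CD-ROM geometry reported by IOCTL_DISK_GET_DRIVE_GEOMETRY is the capacity truncated to whole 64x32-sector cylinders. That truncation rule is an assumption of this example; the arithmetic in the script shows that it matches the two values exactly. The clamp value 15E4AEh is taken from the trace, not derived; the script only measures how far it sits from the capacity and from the geometry. All byte strings are constructed from the captures above.

```python
"""Decode the busTRACE captures above and reproduce the pldd numbers.

Added example; not code from the original post, pldd, busTRACE or Windows.
Assumptions are marked inline.
"""
import struct

SECTOR = 2048       # bytes per block, from the READ CAPACITY reply (block length 800h)
MAX_XFER = 0x20     # blocks per READ (10) seen in the trace (64 KB / 2048)

# Constructed from the capture: the 8-byte READ CAPACITY (10) reply data.
READ_CAPACITY_REPLY = bytes.fromhex("0015E54F00000800")


def parse_read_capacity10(reply: bytes):
    """Return (last_lba, block_len, total_blocks) from a READ CAPACITY (10) reply."""
    last_lba, block_len = struct.unpack(">II", reply[:8])
    return last_lba, block_len, last_lba + 1


def decode_read10(cdb: bytes):
    """Decode a 10-byte READ (10) CDB (opcode 28h) into (lba, transfer_length)."""
    if len(cdb) != 10 or cdb[0] != 0x28:
        raise ValueError("not a READ (10) CDB")
    (lba,) = struct.unpack(">I", cdb[2:6])
    (length,) = struct.unpack(">H", cdb[7:9])
    return lba, length


def encode_read10(lba: int, length: int) -> bytes:
    """Build a READ (10) CDB: opcode, flags, LBA (4 bytes), group, length (2 bytes), control."""
    return bytes([0x28, 0x00]) + struct.pack(">I", lba) + b"\x00" + struct.pack(">H", length) + b"\x00"


def pldd_read_cdbs(skip: int, count: int, bs: int = 64 * 1024, limit_blocks=None):
    """Model how the class driver split 'pldd bs=.. skip=.. count=..' into READ (10)s.

    limit_blocks (assumption, taken from the trace): if given, the request is clamped
    to this exclusive end LBA, truncating the last CDB and dropping anything beyond it.
    """
    start = skip * bs // SECTOR
    end = start + count * bs // SECTOR
    if limit_blocks is not None:
        end = min(end, limit_blocks)
    cdbs, lba = [], start
    while lba < end:
        n = min(MAX_XFER, end - lba)
        cdbs.append(encode_read10(lba, n))
        lba += n
    return cdbs


def bytes_copied(cdbs) -> int:
    """Bytes a sequence of READ (10) CDBs would transfer (pldd's 'bytes copied')."""
    return sum(decode_read10(c)[1] for c in cdbs) * SECTOR


def inferred_limit(cdbs) -> int:
    """Exclusive end LBA of the last CDB in the sequence (where the driver stopped)."""
    lba, n = decode_read10(cdbs[-1])
    return lba + n


def fake_chs_geometry(total_blocks: int, tracks_per_cyl: int = 64, sectors_per_track: int = 32):
    """Assumption: the reported CD-ROM geometry is the capacity truncated to whole cylinders.

    Returns (cylinders, blocks_covered, blocks_lost).
    """
    per_cyl = tracks_per_cyl * sectors_per_track
    cyl = total_blocks // per_cyl
    return cyl, cyl * per_cyl, total_blocks - cyl * per_cyl


if __name__ == "__main__":
    last_lba, block_len, total = parse_read_capacity10(READ_CAPACITY_REPLY)
    print(f"capacity: last LBA {last_lba:06X}h, {block_len} bytes/block, {total:06X}h blocks")

    # Administrator run: skip=45000 -> first CDB matches 28 00 00 15 F9 00 00 00 20 00.
    print("skip=45000 first CDB:", pldd_read_cdbs(45000, 16)[0].hex(" ").upper())

    # User run: classpnp.sys stopped at 15E4AEh (from the trace), giving 10 CDBs, last one 0Eh long.
    cdbs = pldd_read_cdbs(44828, 10, limit_blocks=0x15E4AE)
    for c in cdbs:
        print(" ", c.hex(" ").upper())
    print(f"{bytes_copied(cdbs)} bytes copied, {bytes_copied(pldd_read_cdbs(44828, 10))} bytes tried")
    print(f"stop LBA {inferred_limit(cdbs):06X}h is {total - inferred_limit(cdbs):X}h blocks short of capacity")

    cyl, covered, lost = fake_chs_geometry(total)
    print(f"geometry assumption: {cyl} cylinders -> {covered:06X}h blocks, {lost:X}h blocks lost")
```

Running it reproduces every number in the captures: the first administrator CDB at LBA 15F900h, ten user-mode CDBs ending with 28 00 00 15 E4 A0 00 00 0E 00, 618496 of 655360 bytes, a stop point A2h blocks below the 15E550h-block capacity (and above the 15E000h geometry, so the clamp is not the geometry value), and 700 cylinders with exactly 550h blocks left over under the whole-cylinder truncation assumption.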

PS: pldd is a nice tool (thanks Pat LaVarre for pointing me to it) but use it with care, as you may easily erase or destroy your hard disk's file system with its output.

This entry was posted in Non classé.