From: Akhil Goyal <gakhil@marvell.com>
To: Akhil Goyal <gakhil@marvell.com>,
	Ciara Power <ciara.power@intel.com>,
	"dev@dpdk.org" <dev@dpdk.org>
Cc: "roy.fan.zhang@intel.com" <roy.fan.zhang@intel.com>,
	"declan.doherty@intel.com" <declan.doherty@intel.com>,
	"stable@dpdk.org" <stable@dpdk.org>,
	ZhihongX Peng <zhihongx.peng@intel.com>,
	Anoob Joseph <anoobj@marvell.com>
Subject: Re: [dpdk-dev] [EXT] [PATCH] crypto: fix heap use after free bug
Date: Fri, 30 Jul 2021 19:10:23 +0000
Message-ID: <CO6PR18MB44849460E0AC88113F729262D8EC9@CO6PR18MB4484.namprd18.prod.outlook.com>
In-Reply-To: <PH0PR18MB4491A7059B135724136C7B96D8E99@PH0PR18MB4491.namprd18.prod.outlook.com>

Fixed title
Cryptodev: fix heap use after free
> > The PMD destroy function was calling the release function, which frees
> > cryptodev->data, and then tries to free cryptodev->data->dev_private,
> > which causes the heap use after free issue.
> >
> > A temporary pointer is set before the free of cryptodev->data,
> > which can then be used afterwards to free dev_private.
> > The free cannot be moved to before the release function is called,
> > as dev_private is used in the QAT close function while being released.
I believe all PMDs use dev_private for close.
Hence replaced QAT with PMD.
> >
> > Fixes: 9e6edea41805 ("cryptodev: add APIs to assist PMD initialisation")
> > Cc: declan.doherty@intel.com
> > Cc: stable@dpdk.org
> >
> > Reported-by: ZhihongX Peng <zhihongx.peng@intel.com>
> > Signed-off-by: Ciara Power <ciara.power@intel.com>
> >
> > ---
> > The same issue is found in crypto/octeontx,
> > which may need to be addressed by maintainers.
> > Cc: Anoob Joseph <anoobj@marvell.com>
> > ---
> >  lib/cryptodev/rte_cryptodev_pmd.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/lib/cryptodev/rte_cryptodev_pmd.c
> > b/lib/cryptodev/rte_cryptodev_pmd.c
> > index 0912004127..900acd7ba4 100644
> > --- a/lib/cryptodev/rte_cryptodev_pmd.c
> > +++ b/lib/cryptodev/rte_cryptodev_pmd.c
> > @@ -140,6 +140,7 @@ int
> >  rte_cryptodev_pmd_destroy(struct rte_cryptodev *cryptodev)
> >  {
> >  	int retval;
> > +	void *tmp_dev_private = cryptodev->data->dev_private;
> 
> Can we rename this pointer as dev_private?

Renamed this while merging, as we have the RC3 deadline today.
> 
> >
> >  	CDEV_LOG_INFO("Closing crypto device %s", cryptodev->device-
> > >name);
> >
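
Review bot: the added declaration of tmp_dev_private carries no comment saying why the pointer has to be captured at function entry, so a later cleanup could fold it back into `rte_free(cryptodev->data->dev_private)` and reintroduce the bug. A one-line comment above it, stating that cryptodev->data is freed by the release call further down, would make the ordering constraint visible in the code; the `tmp_` prefix on its own does not convey it.
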
> > @@ -149,7 +150,7 @@ rte_cryptodev_pmd_destroy(struct rte_cryptodev
> > *cryptodev)
> >  		return retval;
> >
> >  	if (rte_eal_process_type() == RTE_PROC_PRIMARY)
> > -		rte_free(cryptodev->data->dev_private);
> > +		rte_free(tmp_dev_private);
> >
> >
> >  	cryptodev->device = NULL;
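
Review bot: on the early `return retval;` above the changed line, the saved pointer is never freed, and nothing in this hunk shows whether cryptodev->data is still valid at that point. It is worth confirming what state a failed release leaves behind: if cryptodev->data has already been freed there, dev_private leaks in the primary process; if it has not, a short comment that the caller is expected to retry would document the intent.
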
> > --
> > 2.25.1
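
The ordering problem the commit message describes, as an added example that is not part of the patch or of DPDK. `struct dev`, `struct dev_data`, `release_device` and the `destroy_*` functions are hypothetical stand-ins, with malloc/free in place of the DPDK allocator.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for rte_cryptodev and its shared data block. */
struct dev_data { void *dev_private; };
struct dev { struct dev_data *data; };
static int close_saw_private; /* 1 if the close step could read dev_private */

/* Stand-in for the release step: close still reads dev_private,
 * then the data block holding that pointer is freed. */
static int release_device(struct dev *d)
{
	close_saw_private = (*(int *)d->data->dev_private == 42);
	free(d->data);
	return 0;
}

/* Pre-patch order, kept for contrast and never called here:
 * d->data is read after release_device() has freed it. */
int destroy_buggy(struct dev *d)
{
	int ret = release_device(d);
	if (ret)
		return ret;
	free(d->data->dev_private); /* heap use after free of d->data */
	return 0;
}

/* Patched order: save the pointer while d->data is still allocated. */
static int destroy_fixed(struct dev *d)
{
	void *dev_private = d->data->dev_private;
	int ret = release_device(d);
	if (ret)
		return ret;
	free(dev_private);
	return 0;
}

/* Constructed device; returns 1 when close saw valid private data. */
static int demo(void)
{
	struct dev d = { malloc(sizeof(struct dev_data)) };
	int *priv = malloc(sizeof(*priv));
	if (!priv || !d.data) { free(priv); free(d.data); return -1; }
	*priv = 42; /* constructed private state */
	d.data->dev_private = priv;
	return destroy_fixed(&d) == 0 ? close_saw_private : -1;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

Freeing dev_private before the release call would instead break the read inside `release_device`, which is why the patch saves the pointer rather than reordering the frees.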


Thread overview: 4+ messages
2021-07-21 12:51 [dpdk-dev] [PATCH] crypto: fix heap use after free bug Ciara Power
2021-07-27 18:04 ` [dpdk-dev] [EXT] " Akhil Goyal
2021-07-30 19:10   ` Akhil Goyal [this message]
2021-07-30 19:11     ` Akhil Goyal
