From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 63F25A0C40; Fri, 30 Jul 2021 21:11:21 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4F20940040; Fri, 30 Jul 2021 21:11:21 +0200 (CEST) Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) by mails.dpdk.org (Postfix) with ESMTP id 34A8B4003F; Fri, 30 Jul 2021 21:11:19 +0200 (CEST) Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 16UJ6MtC004157; Fri, 30 Jul 2021 12:11:18 -0700 Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1anam02lp2046.outbound.protection.outlook.com [104.47.57.46]) by mx0a-0016f401.pphosted.com with ESMTP id 3a4866ud76-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 30 Jul 2021 12:11:18 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h8QGk1lftACkMrPdzcIFhy6ZgzNfIXbCD4K/4cbBrOHSlqMBRAUylZoxoHzOh0wnVqkWvl5LSAAxugCpu6vqzhp4yW4zuwzEAer1wRvy+zKP3CMBvlWTj4DUM8UahqRQZCLpgi2S8yGpTKnv0zApRn7She0of9gLdEc1q3uhyhuKfyfBvV5vuHAuCC0Owrmkma7yAshfVGaRDtWTyG4uks3ZzeQJ+j3grnoZaPaHMY2OquGfDrH9QYo4umqoOU5mag4eitQviqsWIQ/dh3+gncqO4VZm20v2i6DKpjHH/gtNs0W2oZetLEMUPk2gnL7p8aq5avo0Rs6rsD6nL9nIyQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7yUSfHfkgM/LOr4WilRxnOzXJc87Fv0kby9ZNjT+e3I=; b=DdrWiutyucxx9MT72hatHiA58liNrq7M8qqq0JwIQ3GSRTtonLYcp5MVkkcLpsutGUpVcu8f1xbNlHTvWCD+ySlHU1Jc3zgb8J9KXrTygNAwA1mPyHej+1DlUU+EU7lCDmbmZVjoFvI3fgUn9l3iw8uQJ5agc0riWH6Kh/Q2WaWjp3SFjnUlMwtArMxMOB2B63Z/9UGaNq279Bw9jzwVxKXPpWRnpm1JND7yWdDyihJyfPuXPwmeWV1eLnmpTHmMkj36LjJig8K/NpJ2OMUHiqOKXPHeCHxvhN+zE0Seg5fzB0XU3Z2G4Fj9XqpypX2vEqcfDMV+WYPTkbDh1187eA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=marvell.com; dmarc=pass action=none header.from=marvell.com; dkim=pass header.d=marvell.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=marvell.onmicrosoft.com; s=selector1-marvell-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7yUSfHfkgM/LOr4WilRxnOzXJc87Fv0kby9ZNjT+e3I=; b=j2NdC810U/xp/P1Bbd7/oRyIsTIpoc2tstGVzVj0EoyecBcLEd4GZmFNwQZpCTraE6JwSEZOR8aA9bn0+F2h6KIoKBxNn4CiNKXSMywMPE45RBzwzvGAFmPr6JEzt/9Wrir7Nw4i37lf1/2HviM9lf3lwJF2+7pmDzYF8qX7AsQ= Received: from CO6PR18MB4484.namprd18.prod.outlook.com (2603:10b6:5:359::9) by CO1PR18MB4746.namprd18.prod.outlook.com (2603:10b6:303:e9::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4373.19; Fri, 30 Jul 2021 19:11:15 +0000 Received: from CO6PR18MB4484.namprd18.prod.outlook.com ([fe80::1455:9a67:a6e7:e557]) by CO6PR18MB4484.namprd18.prod.outlook.com ([fe80::1455:9a67:a6e7:e557%7]) with mapi id 15.20.4373.025; Fri, 30 Jul 2021 19:11:15 +0000 From: Akhil Goyal To: Ciara Power , "dev@dpdk.org" CC: "roy.fan.zhang@intel.com" , "declan.doherty@intel.com" , "stable@dpdk.org" , ZhihongX Peng , Anoob Joseph Thread-Topic: [EXT] [PATCH] crypto: fix heap use after free bug Thread-Index: AQHXfi8hVvtCIX5JRECJ3pMQLabSP6tXJtrAgATJCiCAAADnQA== Date: Fri, 30 Jul 2021 19:11:15 +0000 Message-ID: References: <20210721125122.185019-1-ciara.power@intel.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: intel.com; dkim=none (message not signed) header.d=none;intel.com; dmarc=none action=none header.from=marvell.com; x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 3cdf7c8c-94f7-4c4b-0a2b-08d9538dcd82 x-ms-traffictypediagnostic: CO1PR18MB4746: x-ms-exchange-transport-forked: True x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:9508; x-ms-exchange-senderadcheck: 1 x-ms-exchange-antispam-relay: 0 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: UjrkryI9awkW4r2dMxcq1B+lCulOzv1udl3qN8vSSj0+L4x4GU2cHpicZjVE2O2HKbfYCLCMVJOks8R+KvnR1qvX4Yq/pqG9DH0c4Q39c7IjrXSaP7vb3jatnUiYEhyCajZ/PC8yxM65YwqihjuIpJh8SXbE1dUWQgB8QZbr3CEf5pxtoP3OVg9Il1TcpZPQZbSTvnaMfwrn/Dixwf3HVBbMG87Zox9BmcdazTWotwbFAWgSS+fE/Hi3ka7hniGwz/E3mvFCfaTeBOixh8mbgGhsADJIlxIGrixt4eWheZp2HWZ2rfyvaBsX3iwIuHm85t2iAuvnyFWJN+D/RBpjig8FmBxpAobWZ80fk5ipSU9kAuSDY1mIEIFTQeYYkdVVEsNCPI/LJyjQ4r6/NZLv7paz+Au0PYr8qsVWQeKWNYy2y03/sxkQcdbIDmuf5jPuylPzOXHhfoH6FX9pqgdjDJyO9qu8n9tzF6oeOMmQfFh+E4A0jd9rFKGxyEj3DcV+CEtJnJCofbc0YvJ6MnuFkASrEBH9Zq/QCsOZiVbQYRbhOXN6erK55RxE2k/c60MDRXIdzGeawF+ygw9rXXfwHaZdiMXk5xIrMt3xVf7RaI5JRBng+GeWOvzlXOrvX7ejCQlSQooqEwu37PAMkjbz0FK/Hkmc/TQkgIosimjDMPUtnPT0SK5G/aCmup6XAtyzejWMER3cAU52sLxt0Ame+g== x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO6PR18MB4484.namprd18.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(376002)(39860400002)(136003)(366004)(71200400001)(5660300002)(55016002)(55236004)(2940100002)(4326008)(66476007)(76116006)(66556008)(66446008)(64756008)(8676002)(9686003)(38070700005)(478600001)(7696005)(6506007)(8936002)(66946007)(52536014)(122000001)(54906003)(83380400001)(33656002)(107886003)(2906002)(186003)(316002)(86362001)(110136005)(38100700002)(26005); DIR:OUT; SFP:1101; x-ms-exchange-antispam-messagedata-chunkcount: 1 x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?xdNqRJFmeppJNSqsxh4oW+VTMve5RZvS3jckr5itNwwNx23xkcyLx/RQlJDo?= =?us-ascii?Q?PvHrGFPHO88c12sakDZxEHriUMta9wnxfNNdA+Ai/GQj2VYmbrTCvaQL/vZS?= =?us-ascii?Q?JoyPX7AKw5waV7m1oyoD2bba/tp71J2Jn9/I0LFXSL6wfxvAdb0Y1lZ4DSy8?= =?us-ascii?Q?hYcj9UMn+t18ohlsQQwP7UOiWSGGrOWDDoa1z/+O2MNNAM4mkPV3ItRYtVx3?= =?us-ascii?Q?OCblBrFyUhGQlV0astLssGzYwqaCMOi/+RdIPHBDv2z1pGuziF8/2UC1plrR?= =?us-ascii?Q?vALI1kYZNV6+3HdZaRA3dXlRWTOK16Sy+17eZJrvKrLlRoxruVBfx01EjJb1?= =?us-ascii?Q?DXo0uLgEhxYYOGp7rTrQMR3R0qSLPq7z+0SU897rLOlWjrX+jp02FvHyliMR?= =?us-ascii?Q?dFOwpp49jeywpbk1/xl+zl4MSIxmsBttRRqL4xTcRqXuohgogZTVkzz1eXxJ?= =?us-ascii?Q?wj+t1fEoiqj/qQmuwC9QeZbkqOLMP2fWZqmD4KSstKVA5DfBkZ4cDJmxifDh?= =?us-ascii?Q?UoGgjL3GQE0nswZukPRxsSf42Jpt9yBnP5fCNwX/btaAbfE30VvF+XPgKLQ6?= =?us-ascii?Q?aGWYv7x30Z/96n3DOPpARUN0Z5XYlgZvtxUmiw9dZXCG5VmZgjJlLoOvGwz8?= =?us-ascii?Q?CeIqZg5pdPvEKC7fMXO5udcdfEdpoJTasycP/TC47PFmqt5rg3Ypd8whq2MO?= =?us-ascii?Q?0ECmfFCyBe8dgwD/LlSLwljKQUHcb6yVBQHO78whb34meL509le5ObXL6IcD?= =?us-ascii?Q?wunpsPQmNos8A87+/KpWzgW+PIBKUurjrR/dtlgQ0FEM4oHkLbQYLW5lqU0l?= =?us-ascii?Q?1l1pa+dRaFElnH7kBr0Xp4CxBkz3V8i6C2toBnwOt3puhozGQpXXrjsob66O?= =?us-ascii?Q?7G+eAXNllHljTF0tza4hNSwc1YPUiEFeGRs+5Ib8k4kzYz7YIIBRpoDH0er+?= =?us-ascii?Q?f3gf5lzZbzSThwBLGcUTv+grnPJu3TWwufa+pqCJwimfs84AurHLfhFCEdKs?= =?us-ascii?Q?B3nBq4f8zMjXCzbJrZB93ezK9pm86m74nJnX94ABY+OC09RbFiao/OMbbk3g?= =?us-ascii?Q?IvXTH7XdVeMwgA4HbbILozJ9TXgcVSF0sOiXbKqpq6qdj8UVyAlllvNhHvcz?= =?us-ascii?Q?QxC3cp7IyYQl3KW7l0fbumJBfyHlu32dNGHMR31VgKB4eyaJyUN4PxjRzJLY?= =?us-ascii?Q?bZYdy9oOoy0r5vzoFoGMB9YpPdR63oSJIm92YUBbsV814aWt6tLawmUxIXh1?= =?us-ascii?Q?OF3XfLhaBgbdkNI2jnMNsa4YC6KKSdytOxOojb0ZWP2XgjREzM+EzCkrrxCG?= =?us-ascii?Q?b8GSg66ZHObMbySP0gd5zYL0?= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: marvell.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-AuthSource: CO6PR18MB4484.namprd18.prod.outlook.com X-MS-Exchange-CrossTenant-Network-Message-Id: 3cdf7c8c-94f7-4c4b-0a2b-08d9538dcd82 X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Jul 2021 19:11:15.1139 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 70e1fb47-1155-421d-87fc-2e58f638b6e0 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: CljOq+zs1EyyUT2FV3dMdfqoCD3rKHexckwF8lAfrOFR+RR5ha7Ae5P4Kjvk2SF1ebedRvm2WgRDEGIHGyIaOA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR18MB4746 X-Proofpoint-GUID: pzm3bS4buzGAihvrA_WQf1Ut8Q4EZCPB X-Proofpoint-ORIG-GUID: pzm3bS4buzGAihvrA_WQf1Ut8Q4EZCPB X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-07-30_11:2021-07-30, 2021-07-30 signatures=0 Subject: Re: [dpdk-dev] [EXT] [PATCH] crypto: fix heap use after free bug X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" > Fixed title > Cryptodev: fix heap use after free > > > The PMD destroy function was calling the release function, which free= s > > > cryptodev->data, and then tries to free cryptodev->data->dev_private, > > > which causes the heap use after free issue. > > > > > > A temporary pointer is set before the free of cryptodev->data, > > > which can then be used afterwards to free dev_private. > > > The free cannot be moved to before the release function is called, > > > as dev_private is used in the QAT close function while being released= . > I believe all PMDs use dev_private for close. > Hence replaces QAT with PMD > > > > > > Fixes: 9e6edea41805 ("cryptodev: add APIs to assist PMD initialisatio= n") > > > Cc: declan.doherty@intel.com > > > Cc: stable@dpdk.org > > > > > > Reported-by: ZhihongX Peng > > > Signed-off-by: Ciara Power > > > > > > --- > > > The same issue is found in crypto/octeontx, > > > which may need to be addressed by maintainers. > > > Cc: Anoob Joseph > > > --- > > > lib/cryptodev/rte_cryptodev_pmd.c | 3 ++- > > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > > > diff --git a/lib/cryptodev/rte_cryptodev_pmd.c > > > b/lib/cryptodev/rte_cryptodev_pmd.c > > > index 0912004127..900acd7ba4 100644 > > > --- a/lib/cryptodev/rte_cryptodev_pmd.c > > > +++ b/lib/cryptodev/rte_cryptodev_pmd.c > > > @@ -140,6 +140,7 @@ int > > > rte_cryptodev_pmd_destroy(struct rte_cryptodev *cryptodev) > > > { > > > int retval; > > > + void *tmp_dev_private =3D cryptodev->data->dev_private; > > > > Can we rename this pointer as dev_private? >=20 > Renamed this while merging, as we have RC3 deadline today. > > > > > > > > CDEV_LOG_INFO("Closing crypto device %s", cryptodev->device- > > > >name); > > > > > > @@ -149,7 +150,7 @@ rte_cryptodev_pmd_destroy(struct rte_cryptodev > > > *cryptodev) > > > return retval; > > > > > > if (rte_eal_process_type() =3D=3D RTE_PROC_PRIMARY) > > > - rte_free(cryptodev->data->dev_private); > > > + rte_free(tmp_dev_private); > > > > > > > > > cryptodev->device =3D NULL; Acked-by: Akhil Goyal Applied to dpdk-next-crypto