From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id DF10DA0C50; Wed, 21 Jul 2021 14:51:29 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id A1DC54014E; Wed, 21 Jul 2021 14:51:29 +0200 (CEST) Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by mails.dpdk.org (Postfix) with ESMTP id 719384014D; Wed, 21 Jul 2021 14:51:28 +0200 (CEST) X-IronPort-AV: E=McAfee;i="6200,9189,10051"; a="211426909" X-IronPort-AV: E=Sophos;i="5.84,258,1620716400"; d="scan'208";a="211426909" Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 21 Jul 2021 05:51:27 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.84,258,1620716400"; d="scan'208";a="415556345" Received: from silpixa00400355.ir.intel.com (HELO silpixa00400355.ger.corp.intel.com) ([10.237.223.24]) by orsmga003.jf.intel.com with ESMTP; 21 Jul 2021 05:51:25 -0700 From: Ciara Power To: dev@dpdk.org Cc: gakhil@marvell.com, roy.fan.zhang@intel.com, Ciara Power , declan.doherty@intel.com, stable@dpdk.org, ZhihongX Peng , Anoob Joseph Date: Wed, 21 Jul 2021 12:51:22 +0000 Message-Id: <20210721125122.185019-1-ciara.power@intel.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH] crypto: fix heap use after free bug X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" The PMD destroy function was calling the release function, which frees cryptodev->data, and then tries to free cryptodev->data->dev_private, which causes the heap use after free issue. A temporary pointer is set before the free of cryptodev->data, which can then be used afterwards to free dev_private. The free cannot be moved to before the release function is called, as dev_private is used in the QAT close function while being released. Fixes: 9e6edea41805 ("cryptodev: add APIs to assist PMD initialisation") Cc: declan.doherty@intel.com Cc: stable@dpdk.org Reported-by: ZhihongX Peng Signed-off-by: Ciara Power --- The same issue is found in crypto/octeontx, which may need to be addressed by maintainers. Cc: Anoob Joseph --- lib/cryptodev/rte_cryptodev_pmd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/cryptodev/rte_cryptodev_pmd.c b/lib/cryptodev/rte_cryptodev_pmd.c index 0912004127..900acd7ba4 100644 --- a/lib/cryptodev/rte_cryptodev_pmd.c +++ b/lib/cryptodev/rte_cryptodev_pmd.c @@ -140,6 +140,7 @@ int rte_cryptodev_pmd_destroy(struct rte_cryptodev *cryptodev) { int retval; + void *tmp_dev_private = cryptodev->data->dev_private; CDEV_LOG_INFO("Closing crypto device %s", cryptodev->device->name); @@ -149,7 +150,7 @@ rte_cryptodev_pmd_destroy(struct rte_cryptodev *cryptodev) return retval; if (rte_eal_process_type() == RTE_PROC_PRIMARY) - rte_free(cryptodev->data->dev_private); + rte_free(tmp_dev_private); cryptodev->device = NULL; -- 2.25.1