When the PMD is removed, rte_cryptodev_pmd_release_device is called which frees cryptodev->data, and then tries to free cryptodev->data->dev_private, which causes the heap use after free issue.
A temporary pointer is set before the free of cryptodev->data, which can then be used afterwards to free dev_private. Fixes: bfe2ae495ee2 ("crypto/octeontx: add PMD skeleton") Cc: sta...@dpdk.org Reported-by: ZhihongX Peng <zhihongx.p...@intel.com> Signed-off-by: Akhil Goyal <gak...@marvell.com> --- drivers/crypto/octeontx/otx_cryptodev.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/crypto/octeontx/otx_cryptodev.c b/drivers/crypto/octeontx/otx_cryptodev.c index 7207909abb..3822c0d779 100644 --- a/drivers/crypto/octeontx/otx_cryptodev.c +++ b/drivers/crypto/octeontx/otx_cryptodev.c @@ -75,6 +75,7 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) { struct rte_cryptodev *cryptodev; char name[RTE_CRYPTODEV_NAME_MAX_LEN]; + void *dev_priv; if (pci_dev == NULL) return -EINVAL; @@ -88,11 +89,13 @@ otx_cpt_pci_remove(struct rte_pci_device *pci_dev) if (pci_dev->driver == NULL) return -ENODEV; + dev_priv = cryptodev->data->dev_private; + /* free crypto device */ rte_cryptodev_pmd_release_device(cryptodev); if (rte_eal_process_type() == RTE_PROC_PRIMARY) - rte_free(cryptodev->data->dev_private); + rte_free(dev_priv); cryptodev->device->driver = NULL; cryptodev->device = NULL; -- 2.25.1
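Review bot: In the second hunk of otx_cpt_pci_remove(), the unchanged context lines `cryptodev->device->driver = NULL;` and `cryptodev->device = NULL;` still write through cryptodev after rte_cryptodev_pmd_release_device(cryptodev) has returned. The commit message states only that cryptodev->data is freed by the release call, so please confirm that the cryptodev structure itself remains valid at that point, or move those two assignments above the release. It would also help to put a one-line comment on `dev_priv = cryptodev->data->dev_private;` saying the pointer has to be captured before the release because cryptodev->data is freed there, so that a later cleanup does not fold it back into `rte_free(cryptodev->data->dev_private)` and reintroduce the use after free.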