From 7ba33f49f03129ea74fc61a2e5cd1ed865292fda Mon Sep 17 00:00:00 2001
From: Anton
Date: Sat, 22 Oct 2022 03:28:04 +0300
Subject: [PATCH] lib/idxd: fix use after free due to stale crc_dst in chained ops

When crc32c is invoked with a multiple entry input iov, only the last op has
crc_dst set in order to write the final crc value into the user supplied
location. spdk_idxd_process_events() for every successfully completed CRC op
writes the value into *op->crc_dst UNLESS it is NULL.

The problem is that _idxd_prep_batch_cmd() that allocates new ops left
op->crc_dst uninitialized. This results in a memory corruption (use after
free) in the following scenario:
1) op A is allocated and crc_dst is set to point to user memory X.
2) Op A is completed.
3) User memory X is freed.
4) Ops B and C are allocated (chained), C has crc_dst set.
   => B reused op A's memory and crc_dst still points to the now stale user
   location (1)
5) B is completed, spdk_idxd_process_events() writes into X as B->crc_dst = X.

Fix: _idxd_prep_batch_cmd() should initialize crc_dst to NULL.

Signed-off-by: Anton Eidelman
Change-Id: I9e7d57ec43a8fbcb3750906015a5cb7291278c35
Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/15115
Tested-by: SPDK CI Jenkins
Community-CI: Mellanox Build Bot
Reviewed-by: Paul Luse
Reviewed-by: Ben Walker
Reviewed-by: Jim Harris
---
 lib/idxd/idxd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/idxd/idxd.c b/lib/idxd/idxd.c
index 5a79e6cbf..b8cfc53f2 100644
--- a/lib/idxd/idxd.c
+++ b/lib/idxd/idxd.c
@@ -461,6 +461,7 @@ _idxd_prep_batch_cmd(struct spdk_idxd_io_channel *chan, spdk_idxd_req_cb cb_fn,
 	op->batch = batch;
 	op->parent = NULL;
 	op->count = 1;
+	op->crc_dst = NULL;
 
 	return 0;
 }
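Review bot: the added `op->crc_dst = NULL;` closes this particular stale pointer, but the surrounding `op->batch`, `op->parent` and `op->count` assignments show the op is set up field by field rather than zeroed when the slot is handed out, so any other field that completion reads conditionally is exposed to the same slot-reuse hazard the next time one is added. Consider zeroing the whole op at allocation (or at least auditing the remaining fields touched by the completion path) so this class of bug does not return, and pair the fix with a regression test that allocates an op with crc_dst set, completes it, reallocates the slot and asserts crc_dst comes back NULL; the commit message describes exactly that reproduction but the change ships without a test.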
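The five-step scenario in the commit message, reduced to a self-contained model so the stale-pointer write can be observed and the fix verified. This is an added example, not SPDK code: the pool, `pool_get()`, `complete()` and `run_scenario()` are hypothetical stand-ins for the op allocator and for spdk_idxd_process_events(), and "user memory X" is a poisoned local variable that stays mapped so a stale write shows up as a changed value rather than as an actual use-after-free.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a fixed-size op pool whose slots are reused without
 * being cleared, mirroring the behaviour described in the commit message. */
#define POOL_SIZE 4

struct op {
	int in_use;
	uint32_t crc;        /* value produced by the (simulated) engine */
	uint32_t *crc_dst;   /* where completion writes the CRC, or NULL */
};

struct pool {
	struct op ops[POOL_SIZE];
};

/* Hypothetical allocator: hands out the first free slot with its previous
 * contents intact. `clear_crc_dst` selects the fixed behaviour (crc_dst reset
 * to NULL on allocation) versus the buggy one (crc_dst left as it was). */
static struct op *pool_get(struct pool *p, int clear_crc_dst)
{
	for (int i = 0; i < POOL_SIZE; i++) {
		struct op *op = &p->ops[i];
		if (!op->in_use) {
			op->in_use = 1;
			op->crc = 0;
			if (clear_crc_dst)
				op->crc_dst = NULL;   /* the fix from the patch */
			return op;
		}
	}
	return NULL;
}

static void pool_put(struct op *op)
{
	op->in_use = 0;
}

/* Completion handler modelled on spdk_idxd_process_events(): store the CRC
 * through crc_dst unless it is NULL, then release the op back to the pool. */
static void complete(struct op *op, uint32_t crc)
{
	op->crc = crc;
	if (op->crc_dst != NULL)
		*op->crc_dst = crc;
	pool_put(op);
}

#define POISON 0xDEADBEEFu

/* Replays steps 1-5 of the commit message. Returns 1 if the released user
 * location X was written during op B's completion (the bug), 0 otherwise.
 * *final_crc receives what the legitimate destination (set on op C) holds. */
int run_scenario(int fixed, uint32_t *final_crc)
{
	struct pool p;
	uint32_t user_x = POISON;   /* constructed "user memory X" */
	uint32_t user_y = 0;        /* the real destination for the chained result */

	memset(&p, 0, sizeof(p));

	/* 1-2: op A targets X and completes. */
	struct op *a = pool_get(&p, fixed);
	a->crc_dst = &user_x;
	complete(a, 0x11111111u);

	/* 3: the user releases X; re-poison it so any later write is visible. */
	user_x = POISON;

	/* 4: chained ops B and C; only the last one carries the destination. */
	struct op *b = pool_get(&p, fixed);   /* reuses A's slot */
	struct op *c = pool_get(&p, fixed);
	c->crc_dst = &user_y;

	/* 5: B completes first; with the bug it still points at X. */
	complete(b, 0x22222222u);
	complete(c, 0x33333333u);

	*final_crc = user_y;
	return user_x != POISON;
}

int main(void)
{
	uint32_t crc;
	printf("buggy allocator: stale write = %d, final crc = 0x%08x\n",
	       run_scenario(0, &crc), crc);
	printf("fixed allocator: stale write = %d, final crc = 0x%08x\n",
	       run_scenario(1, &crc), crc);
	return 0;
}
```

The poisoned variable is what makes the defect testable: in the real driver the write lands in freed memory and may go unnoticed until something else is corrupted, whereas here the first run reports a stale write and the second, with crc_dst reset on allocation, does not, while both deliver the chain's final CRC to the intended location.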