7ba33f49f0
When crc32c is invoked with a multiple entry input iov, only the last op has crc_dst set in order to write the final crc value into the user supplied location. spdk_idxd_process_events() for every successfully completed CRC op writes the value into *op->crc_dst UNLESS it is NULL. The problem is that _idxd_prep_batch_cmd() that allocates new ops left op->crc_dst uninitialized. This results in a memory corruption (use after free) in the following scenario: 1) op A is allocated an crc_dst is set to point to user memory X. 2) Op A is compeleted 3) User memory X is freed. 4) Ops B and C are allocated (chained), C has crc_dst set. => B reused op A memory and crc_dst still points to the now stale user location (1) 5) B is complered, spdk_idxd_process_events() writes into X as B->crc_dst = X. Fix: _idxd_prep_batch_cmd() should initialize crc_dst to NULL. Signed-off-by: Anton Eidelman <anton@lightbitslabs.com> Change-Id: I9e7d57ec43a8fbcb3750906015a5cb7291278c35 Reviewed-on: https://review.spdk.io/gerrit/c/spdk/spdk/+/15115 Tested-by: SPDK CI Jenkins <sys_sgci@intel.com> Community-CI: Mellanox Build Bot Reviewed-by: Paul Luse <paul.e.luse@intel.com> Reviewed-by: Ben Walker <benjamin.walker@intel.com> Reviewed-by: Jim Harris <james.r.harris@intel.com> |
||
|---|---|---|
| .. | ||
| idxd_internal.h | ||
| idxd_kernel.c | ||
| idxd_user.c | ||
| idxd.c | ||
| Makefile | ||
| spdk_idxd.map | ||