From: Thomas Monjalon
Subject: Re: [PATCH v2] ipc: fix use-after-free on failed send
Date: Thu, 22 Nov 2018 23:09:57 +0100
Message-ID: <3087286.9lSO7AOfn4@xps>
References: <3ac0562bbdfbabbcb2bdf5fec9e0ffa777475e2b.1542727150.git.anatoly.burakov@intel.com> <69497bc41646c6dd5eebb097b3bdc8a2136aeb53.1542730524.git.anatoly.burakov@intel.com>
In-Reply-To: <69497bc41646c6dd5eebb097b3bdc8a2136aeb53.1542730524.git.anatoly.burakov@intel.com>
To: Anatoly Burakov
Cc: dev@dpdk.org
List-Id: DPDK patches and discussions

20/11/2018 17:18, Anatoly Burakov:
> The previous fix for rte_panic moved the setting of the alarm before
> sending the message. This means that whether or not we send the message,
> the alarm would still trigger. The comment noted that cleanup
> would happen in the alarm handler, but that's not what actually
> happened - instead, in the event of a failed send we freed the
> memory in place, before putting the request on the queue.
>
> This works OK when the message is sent, but when sending the
> message fails, the alarm would still trigger with a pointer
> argument that points to non-existent memory, and cause
> memory corruption.
>
> There probably is a "proper" fix for this issue, with correct
> handling of sent vs. unsent requests; however, it would be
> simpler just to sacrifice the sent request in the (extremely
> unlikely) event of the alarm set failing. The other process would
> still send a response, but it will be ignored by the sender.
>
> Fixes: 45e5f49e87fb ("ipc: remove panic in async request")
>
> Signed-off-by: Anatoly Burakov

Applied, thanks
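The ordering bug the commit message describes, as an added example that is not part of the original thread and not DPDK's code: a timeout alarm is armed with a pointer to the request, the request is freed in place when the send fails, and the alarm later fires on the dangling pointer. The alarm queue, send function and request struct below (mock_alarm_set, mock_send, async_req) are hypothetical stand-ins; liveness is tracked with a flag rather than a real free() so the freed-state read is observable without undefined behaviour. The "after fix" ordering is my reading of the approach the message describes (send first, arm the alarm second, and on alarm failure leave the request allocated rather than freeing it).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an async IPC request; hypothetical, not DPDK's struct. */
struct async_req {
    int  id;
    bool freed;   /* records liveness instead of a real free(): reading
                     genuinely freed memory would be undefined behaviour */
};

typedef void (*alarm_cb)(void *arg);

/* Single-slot mock of an alarm (timeout) queue. */
static alarm_cb pending_cb;
static void    *pending_arg;

/* Set by the timeout handler: true if it ran on an already-freed request. */
static bool handler_touched_freed;

static int mock_alarm_set(alarm_cb cb, void *arg, bool fail)
{
    if (fail)
        return -1;      /* models the (unlikely) alarm-set failure */
    pending_cb  = cb;
    pending_arg = arg;
    return 0;
}

/* Fire the pending alarm, if any. Returns true if a callback ran. */
static bool mock_alarm_fire(void)
{
    alarm_cb cb = pending_cb;
    if (cb == NULL)
        return false;
    pending_cb = NULL;
    cb(pending_arg);
    return true;
}

static int mock_send(bool fail)
{
    return fail ? -1 : 0;
}

static void req_free(struct async_req *r)
{
    r->freed = true;
}

/* Timeout handler: in real code the dereference of `arg` is the use-after-free. */
static void timeout_handler(void *arg)
{
    struct async_req *r = arg;

    handler_touched_freed = r->freed;
    if (!r->freed)
        req_free(r);    /* normal timeout cleanup of a live request */
}

/* Ordering before the fix: arm the alarm, then send; on send failure the
 * request is freed in place while the alarm still holds a pointer to it. */
static int request_before_fix(struct async_req *r, bool send_fails)
{
    if (mock_alarm_set(timeout_handler, r, false) < 0)
        return -1;
    if (mock_send(send_fails) < 0) {
        req_free(r);    /* BUG: the armed alarm now holds a dangling pointer */
        return -1;
    }
    return 0;
}

/* Ordering after the fix (assumed from the commit message): send first, so a
 * failed send can free in place because nothing is armed yet; then arm the
 * alarm, and if arming fails sacrifice the request instead of freeing it. */
static int request_after_fix(struct async_req *r, bool send_fails, bool alarm_fails)
{
    if (mock_send(send_fails) < 0) {
        req_free(r);    /* safe: no alarm references r yet */
        return -1;
    }
    if (mock_alarm_set(timeout_handler, r, alarm_fails) < 0)
        return -1;      /* r stays allocated; the peer's reply is simply ignored */
    return 0;
}

/* Drive one scenario to completion (issue the request, then let the timeout
 * fire). Returns true if the timeout handler ran on a freed request. */
static bool scenario_hits_uaf(bool fixed, bool send_fails, bool alarm_fails)
{
    struct async_req r = { .id = 1, .freed = false };

    pending_cb = NULL;
    pending_arg = NULL;
    handler_touched_freed = false;

    if (fixed)
        request_after_fix(&r, send_fails, alarm_fails);
    else
        request_before_fix(&r, send_fails);

    mock_alarm_fire();
    return handler_touched_freed;
}

int main(void)
{
    printf("before fix, send fails:  uaf=%d\n", scenario_hits_uaf(false, true, false));
    printf("after fix,  send fails:  uaf=%d\n", scenario_hits_uaf(true, true, false));
    printf("after fix,  alarm fails: uaf=%d\n", scenario_hits_uaf(true, false, true));
    return 0;
}
```

The only scenario in which the handler observes a freed request is the pre-fix ordering with a failed send; with the send performed before the alarm is armed, a failed send frees an object nothing else references, and a failed alarm set leaves the request allocated, which is the deliberate sacrifice the commit message accepts.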