[Pcsclite-muscle] Data races related to SCardCancel
Maksim Ivanov
emaxx
Wed Jan 18 12:47:20 PST 2017
Hello,
It seems that there are still some issues with regard to the blocking
requests cancellation functionality in PC/SC-Lite:
1. Extra SCARD_E_CANCELLED events may be sent by the daemon to the
client that was previously performing an SCardGetStatusChange call.
One scenario is that two concurrent SCardCancel calls succeeding
simultaneously, and another scenario is an SCardCancel call
succeeding simultaneously with an event sending from the status
handler thread.
As a result, the app<->daemon communication will break.
2. Use-after-free possible in SCardCancel.
This is probably a low-severity issue, as the deallocated memory will
be accessed only for reading an int, which would be then used for
deciding whether to fail fast or to send a request to the daemon
(the latter is expected to fail anyway).
Suggested solutions:
For #1, suggesting to change the SCARD_CANCEL handler to firstly do
EHUnregisterClientForEvent, and, only if it returns success, then
send the SCARD_E_CANCELLED event to the client.
For #2, the suggestion is to move the reading of the
currentContextMap->cancellable flag under the clientMutex lock.
Also it may be advisable to change the SCardGetAndLockContext
function interface so that it's more difficult to use it in thread-unsafe
manner: remove the second parameter "int lock" and make the
locking behavior the default one, and introduce another function
that does no locks and returns a boolean instead of an
SCONTEXTMAP* pointer.
Regards,
Maksim
More information about the pcsclite-muscle
mailing list