[Pcsclite-muscle] Data races related to SCardCancel

Ludovic Rousseau ludovic.rousseau
Fri Jan 27 02:06:14 PST 2017 

2017-01-18 21:47 GMT+01:00 Maksim Ivanov <emaxx at google.com>:

> Hello,
>

Hi,


>
> It seems that there are still some issues with regard to the blocking
> requests cancellation functionality in PC/SC-Lite:
>
> 1. Extra SCARD_E_CANCELLED events may be sent by the daemon to the
>    client that was previously performing an SCardGetStatusChange call.
>
>    One scenario is that two concurrent SCardCancel calls succeeding
>    simultaneously, and another scenario is an SCardCancel call
>    succeeding simultaneously with an event sending from the status
>    handler thread.
>
>    As a result, the app<->daemon communication will break.
>
> 2. Use-after-free possible in SCardCancel.
>
>    This is probably a low-severity issue, as the deallocated memory will
>    be accessed only for reading an int, which would be then used for
>    deciding whether to fail fast or to send a request to the daemon
>    (the latter is expected to fail anyway).
>
>
> Suggested solutions:
>
> For #1, suggesting to change the SCARD_CANCEL handler to firstly do
>    EHUnregisterClientForEvent, and, only if it returns success, then
>    send the SCARD_E_CANCELLED event to the client.
>

Fixed in
https://github.com/LudovicRousseau/PCSC/commit/b662aa1ae24267150d816a08f757b1c1539411ca


> For #2, the suggestion is to move the reading of the
>    currentContextMap->cancellable flag under the clientMutex lock.
>

Fixed in
https://github.com/LudovicRousseau/PCSC/commit/9a21c82330fc4b73ac00faf2c5cf948da5f8ab07

   Also it may be advisable to change the SCardGetAndLockContext
>    function interface so that it's more difficult to use it in
> thread-unsafe
>    manner: remove the second parameter "int lock" and make the
>    locking behavior the default one, and introduce another function
>    that does no locks and returns a boolean instead of an
>    SCONTEXTMAP* pointer.
>
>
Fixed in
https://github.com/LudovicRousseau/PCSC/commit/8193d6fad84539af03a329e0f6911125f96497d0

Thanks a lot Maksim for your bug reports and fixes. I appreciate.
Regards,

-- 
 Dr. Ludovic Rousseau
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pcsclite-muscle/attachments/20170127/32c20aa8/attachment.html>

More information about the pcsclite-muscle mailing list