From 93e9c8ffed8b2eee294b7e8140935c7e7dd43641 Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Mon, 28 Jan 2019 19:08:08 -0500
Subject: Avoid a harmless data race in RSA decryption

Both threads called Modular_Reducer::reduce on m, which caused the significant words result to be written twice in an unsynchronized way. By calling it once beforehand it is computed and cached and so no additional writes occur. Found with helgrind.
---
 src/lib/pubkey/rsa/rsa.cpp | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'src/lib')

diff --git a/src/lib/pubkey/rsa/rsa.cpp b/src/lib/pubkey/rsa/rsa.cpp
index 441127984..0cd8bbdf4 100644
--- a/src/lib/pubkey/rsa/rsa.cpp
+++ b/src/lib/pubkey/rsa/rsa.cpp
@@ -249,6 +249,13 @@ class RSA_Private_Operation
 #endif
 
 #if defined(BOTAN_RSA_USE_ASYNC)
+ /*
+ * Precompute m.sig_words in the main thread before calling async. Otherwise
+ * the two threads race (during Modular_Reducer::reduce) and while the output
+ * is correct in both threads, helgrind warns.
+ */
+ m.sig_words();
+
 auto future_j1 = std::async(std::launch::async, [this, &m, &d1_mask, powm_window]() {
 #endif
 const BigInt masked_d1 = m_key.get_d1() + (d1_mask * (m_key.get_p() - 1));
-- 
cgit v1.2.3
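Review bot: The added `m.sig_words();` removes the reported race only as long as the cached significant-word count is the sole piece of lazily written BigInt state the two threads touch through `m`, and only if nothing writes to `m` between this call and the reads inside the futures; `m` is captured by reference (`&m`) in the lambda on the next line, so a later mutation or another lazily computed field would silently bring the race back. The comment should state that invariant so a future change to BigInt or to the lambdas does not undo the fix, e.g. extend it with `* The lambdas below must treat m as read-only; any other lazily cached state in BigInt touched by reduce() would reintroduce the race.` It is also worth noting that "output is correct" is an observation under the current implementation, not a guarantee the C++ memory model gives for unsynchronized writes, so the precompute should be kept rather than treated as cosmetic. The enclosing function body continues outside the hunk, so whether the second future also reads only `m` is not visible here.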