
UBSAN: array-index-out-of-bounds in rtl8188eus/core/rtw_wlan_util.c when loading rtl8818eu wifi usb adaptor #300

Open
sardChen opened this issue Nov 3, 2024 · 0 comments


sardChen commented Nov 3, 2024

While running a fuzzing test against the rtl8818eu load path, I found four array-index-out-of-bounds bugs reported by UBSAN in the dmesg log. All four reports are raised from HT_caps_handler, reached via OnAssocRsp while a received management frame is being processed, and each one indexes past a one-byte array (`u8 [1]`):

[  333.949883] ================================================================================
[  333.949938] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1817:48
[  333.949955] index 1 is out of range for type 'u8 [1]'
[  333.949968] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G           OE      6.6.58 #1
[  333.949981] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[  333.949988] Call Trace:
[  333.949994]  <IRQ>
[  333.950002]  dump_stack_lvl+0x48/0x70
[  333.950027]  dump_stack+0x10/0x20
[  333.950039]  __ubsan_handle_out_of_bounds+0xa2/0x100
[  333.950053]  ? read_profile+0x321/0x660
[  333.950066]  HT_caps_handler+0x1d1/0x850 [8188eu]
[  333.950439]  ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[  333.950771]  OnAssocRsp+0x513/0x5e0 [8188eu]
[  333.951089]  _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[  333.951388]  ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[  333.951674]  ? _raw_spin_lock_bh+0x86/0xf0
[  333.951691]  mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[  333.951985]  ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[  333.952357]  ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[  333.952654]  ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[  333.953011]  validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[  333.953350]  validate_recv_frame+0x548/0x670 [8188eu]
[  333.953682]  ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[  333.954006]  ? rx_query_phy_status+0x926/0x990 [8188eu]
[  333.954338]  recv_func_prehandle+0x85/0xe0 [8188eu]
[  333.954658]  recv_func+0x56/0x340 [8188eu]
[  333.954973]  rtw_recv_entry+0x3b/0x140 [8188eu]
[  333.955143]  pre_recv_entry+0x7f/0x150 [8188eu]
[  333.955202]  recvbuf2recvframe+0x5b2/0x710 [8188eu]
[  333.955269]  usb_recv_tasklet+0x12b/0x230 [8188eu]
[  333.955347]  tasklet_action_common.constprop.0+0x275/0x670
[  333.955351]  tasklet_action+0x22/0x30
[  333.955353]  handle_softirqs+0x192/0x5d0
[  333.955356]  __irq_exit_rcu+0x15c/0x1b0
[  333.955359]  irq_exit_rcu+0xe/0x20
[  333.955361]  common_interrupt+0xa4/0xb0
[  333.955363]  </IRQ>
[  333.955364]  <TASK>
[  333.955365]  asm_common_interrupt+0x27/0x40
[  333.955367] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[  333.955370] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[  333.955372] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[  333.955375] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[  333.955376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  333.955378] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[  333.955379] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[  333.955380] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[  333.955382]  ? __pfx_menu_select+0x10/0x10
[  333.955386]  cpuidle_enter+0x4f/0xb0
[  333.955388]  call_cpuidle+0x47/0xd0
[  333.955391]  do_idle+0x372/0x460
[  333.955394]  ? __pfx_do_idle+0x10/0x10
[  333.955397]  cpu_startup_entry+0x58/0x70
[  333.955399]  start_secondary+0x220/0x2b0
[  333.955402]  ? __pfx_start_secondary+0x10/0x10
[  333.955404]  secondary_startup_64_no_verify+0x18f/0x19b
[  333.955408]  </TASK>
[  333.955410] ================================================================================
[  333.955412] ================================================================================
[  333.955413] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1822:75
[  333.955416] index 2 is out of range for type 'u8 [1]'
[  333.955418] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G           OE      6.6.58 #1
[  333.955420] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[  333.955421] Call Trace:
[  333.955422]  <IRQ>
[  333.955423]  dump_stack_lvl+0x48/0x70
[  333.955425]  dump_stack+0x10/0x20
[  333.955427]  __ubsan_handle_out_of_bounds+0xa2/0x100
[  333.955429]  ? read_profile+0x322/0x660
[  333.955431]  HT_caps_handler+0x2e2/0x850 [8188eu]
[  333.955496]  ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[  333.955557]  OnAssocRsp+0x513/0x5e0 [8188eu]
[  333.955618]  _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[  333.955675]  ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[  333.955728]  ? _raw_spin_lock_bh+0x86/0xf0
[  333.955731]  mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[  333.955783]  ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[  333.955848]  ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[  333.955903]  ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[  333.955967]  validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[  333.956028]  validate_recv_frame+0x548/0x670 [8188eu]
[  333.956087]  ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[  333.956144]  ? rx_query_phy_status+0x926/0x990 [8188eu]
[  333.956203]  recv_func_prehandle+0x85/0xe0 [8188eu]
[  333.956260]  recv_func+0x56/0x340 [8188eu]
[  333.956318]  rtw_recv_entry+0x3b/0x140 [8188eu]
[  333.956374]  pre_recv_entry+0x7f/0x150 [8188eu]
[  333.956431]  recvbuf2recvframe+0x5b2/0x710 [8188eu]
[  333.956496]  usb_recv_tasklet+0x12b/0x230 [8188eu]
[  333.956572]  tasklet_action_common.constprop.0+0x275/0x670
[  333.956576]  tasklet_action+0x22/0x30
[  333.956578]  handle_softirqs+0x192/0x5d0
[  333.956581]  __irq_exit_rcu+0x15c/0x1b0
[  333.956583]  irq_exit_rcu+0xe/0x20
[  333.956585]  common_interrupt+0xa4/0xb0
[  333.956587]  </IRQ>
[  333.956588]  <TASK>
[  333.956589]  asm_common_interrupt+0x27/0x40
[  333.956591] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[  333.956593] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[  333.956594] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[  333.956596] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[  333.956597] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  333.956598] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[  333.956600] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[  333.956601] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[  333.956603]  ? __pfx_menu_select+0x10/0x10
[  333.956606]  cpuidle_enter+0x4f/0xb0
[  333.956608]  call_cpuidle+0x47/0xd0
[  333.956610]  do_idle+0x372/0x460
[  333.956613]  ? __pfx_do_idle+0x10/0x10
[  333.956616]  cpu_startup_entry+0x58/0x70
[  333.956618]  start_secondary+0x220/0x2b0
[  333.956620]  ? __pfx_start_secondary+0x10/0x10
[  333.956622]  secondary_startup_64_no_verify+0x18f/0x19b
[  333.956626]  </TASK>
[  333.956627] ================================================================================
[  333.956629] ================================================================================
[  333.956630] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1828:76
[  333.956632] index 2 is out of range for type 'u8 [1]'
[  333.956634] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G           OE      6.6.58 #1
[  333.956636] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[  333.956637] Call Trace:
[  333.956638]  <IRQ>
[  333.956639]  dump_stack_lvl+0x48/0x70
[  333.956641]  dump_stack+0x10/0x20
[  333.956643]  __ubsan_handle_out_of_bounds+0xa2/0x100
[  333.956645]  ? read_profile+0x322/0x660
[  333.956647]  HT_caps_handler+0x35e/0x850 [8188eu]
[  333.956712]  ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[  333.956775]  OnAssocRsp+0x513/0x5e0 [8188eu]
[  333.956834]  _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[  333.956891]  ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[  333.956943]  ? _raw_spin_lock_bh+0x86/0xf0
[  333.956946]  mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[  333.956998]  ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[  333.957064]  ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[  333.957117]  ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[  333.957182]  validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[  333.957242]  validate_recv_frame+0x548/0x670 [8188eu]
[  333.957299]  ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[  333.957356]  ? rx_query_phy_status+0x926/0x990 [8188eu]
[  333.957414]  recv_func_prehandle+0x85/0xe0 [8188eu]
[  333.957470]  recv_func+0x56/0x340 [8188eu]
[  333.957525]  rtw_recv_entry+0x3b/0x140 [8188eu]
[  333.957580]  pre_recv_entry+0x7f/0x150 [8188eu]
[  333.957635]  recvbuf2recvframe+0x5b2/0x710 [8188eu]
[  333.957701]  usb_recv_tasklet+0x12b/0x230 [8188eu]
[  333.957777]  tasklet_action_common.constprop.0+0x275/0x670
[  333.957780]  tasklet_action+0x22/0x30
[  333.957782]  handle_softirqs+0x192/0x5d0
[  333.957785]  __irq_exit_rcu+0x15c/0x1b0
[  333.957787]  irq_exit_rcu+0xe/0x20
[  333.957790]  common_interrupt+0xa4/0xb0
[  333.957791]  </IRQ>
[  333.957792]  <TASK>
[  333.957793]  asm_common_interrupt+0x27/0x40
[  333.957795] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[  333.957796] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[  333.957798] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[  333.957800] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[  333.957801] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  333.957802] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[  333.957803] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[  333.957804] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[  333.957807]  ? __pfx_menu_select+0x10/0x10
[  333.957809]  cpuidle_enter+0x4f/0xb0
[  333.957811]  call_cpuidle+0x47/0xd0
[  333.957814]  do_idle+0x372/0x460
[  333.957816]  ? __pfx_do_idle+0x10/0x10
[  333.957819]  cpu_startup_entry+0x58/0x70
[  333.957822]  start_secondary+0x220/0x2b0
[  333.957824]  ? __pfx_start_secondary+0x10/0x10
[  333.957826]  secondary_startup_64_no_verify+0x18f/0x19b
[  333.957829]  </TASK>
[  333.957831] ================================================================================
[  333.957832] ================================================================================
[  333.957834] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1831:34
[  333.957836] index 2 is out of range for type 'u8 [1]'
[  333.957838] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G           OE      6.6.58 #1
[  333.957839] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[  333.957840] Call Trace:
[  333.957841]  <IRQ>
[  333.957842]  dump_stack_lvl+0x48/0x70
[  333.957844]  dump_stack+0x10/0x20
[  333.957846]  __ubsan_handle_out_of_bounds+0xa2/0x100
[  333.957848]  ? read_profile+0x322/0x660
[  333.957850]  HT_caps_handler+0x378/0x850 [8188eu]
[  333.957915]  ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[  333.957978]  OnAssocRsp+0x513/0x5e0 [8188eu]
[  333.958039]  _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[  333.958095]  ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[  333.958146]  ? _raw_spin_lock_bh+0x86/0xf0
[  333.958149]  mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[  333.958201]  ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[  333.958268]  ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[  333.958321]  ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[  333.958387]  validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[  333.958448]  validate_recv_frame+0x548/0x670 [8188eu]
[  333.958509]  ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[  333.958568]  ? rx_query_phy_status+0x926/0x990 [8188eu]
[  333.958627]  recv_func_prehandle+0x85/0xe0 [8188eu]
[  333.958686]  recv_func+0x56/0x340 [8188eu]
[  333.958744]  rtw_recv_entry+0x3b/0x140 [8188eu]
[  333.958801]  pre_recv_entry+0x7f/0x150 [8188eu]
[  333.958859]  recvbuf2recvframe+0x5b2/0x710 [8188eu]
[  333.958924]  usb_recv_tasklet+0x12b/0x230 [8188eu]
[  333.958999]  tasklet_action_common.constprop.0+0x275/0x670
[  333.959002]  tasklet_action+0x22/0x30
[  333.959004]  handle_softirqs+0x192/0x5d0
[  333.959007]  __irq_exit_rcu+0x15c/0x1b0
[  333.959010]  irq_exit_rcu+0xe/0x20
[  333.959012]  common_interrupt+0xa4/0xb0
[  333.959014]  </IRQ>
[  333.959014]  <TASK>
[  333.959016]  asm_common_interrupt+0x27/0x40
[  333.959017] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[  333.959019] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[  333.959020] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[  333.959022] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[  333.959023] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[  333.959024] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[  333.959026] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[  333.959027] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[  333.959029]  ? __pfx_menu_select+0x10/0x10
[  333.959032]  cpuidle_enter+0x4f/0xb0
[  333.959034]  call_cpuidle+0x47/0xd0
[  333.959036]  do_idle+0x372/0x460
[  333.959039]  ? __pfx_do_idle+0x10/0x10
[  333.959042]  cpu_startup_entry+0x58/0x70
[  333.959044]  start_secondary+0x220/0x2b0
[  333.959046]  ? __pfx_start_secondary+0x10/0x10
[  333.959048]  secondary_startup_64_no_verify+0x18f/0x19b
[  333.959051]  </TASK>
[  333.959053] ================================================================================
