
UBSAN: array-index-out-of-bounds for rtw_wlan_util.c and phydm_math_lib.c #345

Open
KeyWeeUsr opened this issue Jan 29, 2024 · 7 comments

@KeyWeeUsr

pIE->Length is probably initialized to something incorrect. I can't find the original struct PNDIS_802_11_VARIABLE_IEs declaration anywhere, however I found these which seem to match:

  typedef struct _NDIS_802_11_VARIABLE_IEs {
    UCHAR ElementID;
    UCHAR Length;
    UCHAR data[1];
  } NDIS_802_11_VARIABLE_IEs, *PNDIS_802_11_VARIABLE_IEs;

(source1, source2, source3)

data is a single-element UCHAR array, so the whole for (i = 0; i < (pIE->Length); i++) doesn't make much sense unless it's a hack for a variable-length array with an array-like declaration instead of UCHAR* data. If it's the latter, only bad fixes come to my mind:

  • sizeof (pIE->data) / sizeof (*(pIE->data)) eventually breaking due to the nature of malloc()
  • calloc() + NULL requiring the driver allocating memory (doesn't seem to be the case?)

and something probably easier to solve:

is probably missing a row here or the input is a garbage value.

Logs:

================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1912:48
index 1 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           OE      6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 HT_caps_handler+0xc8/0x310 [8821ce]
 OnAssocRsp+0x1bb/0x290 [8821ce]
 _mgt_dispatcher+0x70/0xc0 [8821ce]
 mgt_dispatcher+0x15d/0x1c0 [8821ce]
 validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
 validate_recv_frame+0x1a3/0x1f0 [8821ce]
 ? odm_phy_status_query+0x144/0x200 [8821ce]
 recv_func_prehandle+0x2b/0x70 [8821ce]
 recv_func+0x2c/0x100 [8821ce]
 rtw_recv_entry+0x19/0x50 [8821ce]
 pre_recv_entry+0x44/0x80 [8821ce]
 rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
 ? __tasklet_schedule_common+0x47/0xa0
 tasklet_action_common.constprop.0+0xfa/0x1e0
 tasklet_hi_action+0x1f/0x30
 __do_softirq+0xd9/0x349
 ? handle_irq_event+0x52/0x80
 ? handle_edge_irq+0xda/0x250
 __irq_exit_rcu+0x75/0xa0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa4/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
 ? finish_task_switch.isra.0+0x85/0x2a0
 cpuidle_enter+0x2e/0x50
 call_cpuidle+0x23/0x60
 cpuidle_idle_call+0x11d/0x190
 do_idle+0x82/0xf0
 cpu_startup_entry+0x1d/0x20
 rest_init+0xde/0x100
 ? acpi_enable_subsystem+0xe6/0x2a0
 ? static_key_disable+0x1f/0x30
 arch_call_rest_init+0xe/0x30
 start_kernel+0x34f/0x440
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xa4/0xe0
 secondary_startup_64_no_verify+0x17e/0x18b
 </TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1917:75
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           OE      6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 HT_caps_handler+0xec/0x310 [8821ce]
 OnAssocRsp+0x1bb/0x290 [8821ce]
 _mgt_dispatcher+0x70/0xc0 [8821ce]
 mgt_dispatcher+0x15d/0x1c0 [8821ce]
 validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
 validate_recv_frame+0x1a3/0x1f0 [8821ce]
 ? odm_phy_status_query+0x144/0x200 [8821ce]
 recv_func_prehandle+0x2b/0x70 [8821ce]
 recv_func+0x2c/0x100 [8821ce]
 rtw_recv_entry+0x19/0x50 [8821ce]
 pre_recv_entry+0x44/0x80 [8821ce]
 rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
 ? __tasklet_schedule_common+0x47/0xa0
 tasklet_action_common.constprop.0+0xfa/0x1e0
 tasklet_hi_action+0x1f/0x30
 __do_softirq+0xd9/0x349
 ? handle_irq_event+0x52/0x80
 ? handle_edge_irq+0xda/0x250
 __irq_exit_rcu+0x75/0xa0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa4/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
 ? finish_task_switch.isra.0+0x85/0x2a0
 cpuidle_enter+0x2e/0x50
 call_cpuidle+0x23/0x60
 cpuidle_idle_call+0x11d/0x190
 do_idle+0x82/0xf0
 cpu_startup_entry+0x1d/0x20
 rest_init+0xde/0x100
 ? acpi_enable_subsystem+0xe6/0x2a0
 ? static_key_disable+0x1f/0x30
 arch_call_rest_init+0xe/0x30
 start_kernel+0x34f/0x440
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xa4/0xe0
 secondary_startup_64_no_verify+0x17e/0x18b
 </TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1923:76
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           OE      6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 HT_caps_handler+0x12c/0x310 [8821ce]
 OnAssocRsp+0x1bb/0x290 [8821ce]
 _mgt_dispatcher+0x70/0xc0 [8821ce]
 mgt_dispatcher+0x15d/0x1c0 [8821ce]
 validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
 validate_recv_frame+0x1a3/0x1f0 [8821ce]
 ? odm_phy_status_query+0x144/0x200 [8821ce]
 recv_func_prehandle+0x2b/0x70 [8821ce]
 recv_func+0x2c/0x100 [8821ce]
 rtw_recv_entry+0x19/0x50 [8821ce]
 pre_recv_entry+0x44/0x80 [8821ce]
 rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
 ? __tasklet_schedule_common+0x47/0xa0
 tasklet_action_common.constprop.0+0xfa/0x1e0
 tasklet_hi_action+0x1f/0x30
 __do_softirq+0xd9/0x349
 ? handle_irq_event+0x52/0x80
 ? handle_edge_irq+0xda/0x250
 __irq_exit_rcu+0x75/0xa0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa4/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
 ? finish_task_switch.isra.0+0x85/0x2a0
 cpuidle_enter+0x2e/0x50
 call_cpuidle+0x23/0x60
 cpuidle_idle_call+0x11d/0x190
 do_idle+0x82/0xf0
 cpu_startup_entry+0x1d/0x20
 rest_init+0xde/0x100
 ? acpi_enable_subsystem+0xe6/0x2a0
 ? static_key_disable+0x1f/0x30
 arch_call_rest_init+0xe/0x30
 start_kernel+0x34f/0x440
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xa4/0xe0
 secondary_startup_64_no_verify+0x17e/0x18b
 </TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1926:34
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           OE      6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 HT_caps_handler+0x146/0x310 [8821ce]
 OnAssocRsp+0x1bb/0x290 [8821ce]
 _mgt_dispatcher+0x70/0xc0 [8821ce]
 mgt_dispatcher+0x15d/0x1c0 [8821ce]
 validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
 validate_recv_frame+0x1a3/0x1f0 [8821ce]
 ? odm_phy_status_query+0x144/0x200 [8821ce]
 recv_func_prehandle+0x2b/0x70 [8821ce]
 recv_func+0x2c/0x100 [8821ce]
 rtw_recv_entry+0x19/0x50 [8821ce]
 pre_recv_entry+0x44/0x80 [8821ce]
 rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
 ? __tasklet_schedule_common+0x47/0xa0
 tasklet_action_common.constprop.0+0xfa/0x1e0
 tasklet_hi_action+0x1f/0x30
 __do_softirq+0xd9/0x349
 ? handle_irq_event+0x52/0x80
 ? handle_edge_irq+0xda/0x250
 __irq_exit_rcu+0x75/0xa0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa4/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
 ? finish_task_switch.isra.0+0x85/0x2a0
 cpuidle_enter+0x2e/0x50
 call_cpuidle+0x23/0x60
 cpuidle_idle_call+0x11d/0x190
 do_idle+0x82/0xf0
 cpu_startup_entry+0x1d/0x20
 rest_init+0xde/0x100
 ? acpi_enable_subsystem+0xe6/0x2a0
 ? static_key_disable+0x1f/0x30
 arch_call_rest_init+0xe/0x30
 start_kernel+0x34f/0x440
 x86_64_start_reservations+0x18/0x30
 x86_64_start_kernel+0xa4/0xe0
 secondary_startup_64_no_verify+0x17e/0x18b
 </TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/hal/phydm/phydm_math_lib.c:172:26
index 12 is out of range for type 'u16 [12][8]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: P           OE      6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
 <IRQ>
 dump_stack_lvl+0x48/0x70
 dump_stack+0x10/0x20
 __ubsan_handle_out_of_bounds+0xc6/0x110
 phydm_db_2_linear+0x69/0x80 [8821ce]
 phydm_process_rssi_for_dm_2nd_type+0xce/0x180 [8821ce]
 odm_phy_status_query+0x188/0x200 [8821ce]
 rx_query_phy_status+0x21e/0x3f0 [8821ce]
 pre_recv_entry+0x3c/0x80 [8821ce]
 rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
 ? __tasklet_schedule_common+0x47/0xa0
 tasklet_action_common.constprop.0+0xfa/0x1e0
 tasklet_hi_action+0x1f/0x30
 __do_softirq+0xd9/0x349
 ? handle_irq_event+0x52/0x80
 ? handle_edge_irq+0xda/0x250
 __irq_exit_rcu+0x75/0xa0
 irq_exit_rcu+0xe/0x20
 common_interrupt+0xa4/0xb0
 </IRQ>
 <TASK>
 asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffabf8c00efe18 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bcbe900 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffabf8c00efe68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000007 R14: 0000000000000007 R15: 0000016c1ae9216c
 ? cpuidle_enter_state+0xca/0x720
 ? tick_nohz_stop_tick+0xa0/0x210
 cpuidle_enter+0x2e/0x50
 call_cpuidle+0x23/0x60
 cpuidle_idle_call+0x11d/0x190
 do_idle+0x82/0xf0
 cpu_startup_entry+0x1d/0x20
 start_secondary+0x129/0x160
 secondary_startup_64_no_verify+0x17e/0x18b
 </TASK>
================================================================================
@dubhater
Contributor

The name _NDIS_802_11_VARIABLE_IEs already tells you it's supposed to be a variable length array, not size 1. Make it u8 data[]; and the warning probably goes away. The struct is here:

  typedef struct _NDIS_802_11_VARIABLE_IEs {
    UCHAR ElementID;
    UCHAR Length;
    UCHAR data[1];
  } NDIS_802_11_VARIABLE_IEs, *PNDIS_802_11_VARIABLE_IEs;

For the other thing, the newer version of the driver has a check which prevents the out-of-bounds value:
https://github.com/lwfinger/rtw88/blob/ca9f4e199efbf8c377e8a1769ba5b05b23f92c82/alt_rtl8821ce/hal/phydm/phydm_math_lib.c#L205-L214
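An added example, not code from this issue or from the rtl8821ce driver, putting the data[1] struct quoted in the opening post beside the u8 data[] flexible array member suggested above, and showing the bounds check a caller of the for (i = 0; i < pIE->Length; i++) loop needs: the Length byte comes from the peer's frame, so it is validated against the bytes actually remaining before data[] is indexed. The struct and function names, the walk_ctx record, and the sample frame bytes are constructed for this example; the HT Capabilities element ID (45) and its 26-byte body size come from the 802.11 standard. Compiling with -fsanitize=bounds would flag data[2] on the ie_fixed layout and stay silent on ie_flex.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Layout quoted in the issue: a one-element array standing in for a trailing
 * variable-length payload. Any read of data[i] with i >= 1 is what UBSAN
 * reports as array-index-out-of-bounds for 'u8 [1]'. */
struct ie_fixed {
    u8 element_id;
    u8 length;
    u8 data[1];
};

/* C99 flexible array member: identical wire layout, but the compiler and
 * UBSAN know the trailing array carries no declared bound. */
struct ie_flex {
    u8 element_id;
    u8 length;
    u8 data[];
};

#define IE_HDR_LEN      2    /* element_id + length */
#define WLAN_EID_HT_CAP 45   /* HT Capabilities element ID (802.11) */
#define HT_CAP_IE_LEN   26   /* fixed body size of that element (802.11) */

/* Results collected while walking one frame (constructed for this example). */
struct walk_ctx {
    int ht_caps_seen;
    u8  ampdu_params;   /* data[2] of the HT caps IE, one of the flagged indices */
};

/* Called only for IEs whose Length already fits inside the buffer. */
static void on_ie(const struct ie_flex *ie, struct walk_ctx *w)
{
    if (ie->element_id != WLAN_EID_HT_CAP)
        return;
    /* The loop bound is safe, but a handler reading fixed offsets such as
     * data[2] must also insist on the element's full fixed size. */
    if (ie->length != HT_CAP_IE_LEN)
        return;
    w->ht_caps_seen++;
    w->ampdu_params = ie->data[2];
}

/* Walk the IE list of a frame body. Returns the number of complete IEs, or
 * -1 if a header is cut off or an IE's Length exceeds the bytes remaining. */
int parse_ies(const u8 *buf, size_t len, struct walk_ctx *w)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        const struct ie_flex *ie;

        if (len - off < IE_HDR_LEN)            /* header itself truncated */
            return -1;
        ie = (const struct ie_flex *)(buf + off);

        /* ie->length is peer-controlled: check it against what is actually
         * left before any loop over data[0..length-1] runs. */
        if (ie->length > len - off - IE_HDR_LEN)
            return -1;

        on_ie(ie, w);
        off += IE_HDR_LEN + ie->length;
        count++;
    }
    return count;
}

/* Constructed sample: an SSID IE ("test") followed by an HT caps IE whose
 * third body byte is 0x17; the rest of the HT body is left zero. */
static const u8 sample_ies[2 + 4 + 2 + HT_CAP_IE_LEN] = {
    0x00, 0x04, 't', 'e', 's', 't',
    WLAN_EID_HT_CAP, HT_CAP_IE_LEN, 0x00, 0x00, 0x17,
};

/* Full buffer: both IEs parse and data[2] of the HT caps IE is returned. */
int sample_ht_ampdu_params(void)
{
    struct walk_ctx w = {0, 0};
    if (parse_ies(sample_ies, sizeof sample_ies, &w) != 2)
        return -1;
    return w.ht_caps_seen == 1 ? w.ampdu_params : -1;
}

/* Same buffer cut short, so the HT caps Length points past the end. */
int sample_truncated_result(void)
{
    struct walk_ctx w = {0, 0};
    return parse_ies(sample_ies, sizeof sample_ies - 5, &w);
}

int main(void)
{
    printf("sizeof ie_fixed=%zu, sizeof ie_flex=%zu\n",
           sizeof(struct ie_fixed), sizeof(struct ie_flex));
    printf("full frame: ampdu_params=0x%02x\n", sample_ht_ampdu_params());
    printf("truncated frame: %d\n", sample_truncated_result());
    return 0;
}
```

The flexible array member only changes what the compiler knows about the type; it does not make an unchecked Length safe, which is why parse_ies rejects the truncated frame before on_ie ever sees it.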
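For the phydm_math_lib.c report ("index 12 is out of range for type 'u16 [12][8]'"), an added example that is not the driver's own code: a stand-in 12-by-8 lookup table whose row and column are derived from the input, the unchecked lookup that walks one row past the end for an input of 96, and a hardened version that saturates the index to the table's range and tells the caller it did so. The table contents, the row/column split and all names here are assumptions made for the example; the linked newer driver's check is not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t u16;

#define DB_ROWS 12
#define DB_COLS 8
#define DB_MAX  (DB_ROWS * DB_COLS - 1)   /* largest input the table covers: 95 */

/* Stand-in for the driver's u16 [12][8] table. The real one holds
 * calibration data; here each entry is a monotonically increasing dummy
 * value so lookups are checkable. Filled by init_db_table(). */
static u16 db_table[DB_ROWS][DB_COLS];

void init_db_table(void)
{
    for (int r = 0; r < DB_ROWS; r++)
        for (int c = 0; c < DB_COLS; c++)
            db_table[r][c] = (u16)(100 + 10 * (r * DB_COLS + c));
}

/* Pattern behind the trace: row and column derived from the input with no
 * range check, so db == 96 becomes db_table[12][0], one row past the end.
 * Kept to show the defect; nothing here calls it with an out-of-range value. */
u16 db_to_linear_unchecked(int db)
{
    return db_table[db / DB_COLS][db % DB_COLS];
}

/* Hardened lookup: saturate the input to the covered range and report
 * whether that happened, so a caller can log a suspicious PHY value. */
u16 db_to_linear(int db, int *clamped)
{
    int idx = db;
    if (idx < 0)
        idx = 0;
    else if (idx > DB_MAX)
        idx = DB_MAX;
    if (clamped)
        *clamped = (idx != db);
    return db_table[idx / DB_COLS][idx % DB_COLS];
}

/* Convenience for callers that only want to know if clamping occurred. */
int db_lookup_was_clamped(int db)
{
    int clamped = 0;
    db_to_linear(db, &clamped);
    return clamped;
}

int main(void)
{
    init_db_table();
    int clamped = 0;
    u16 v = db_to_linear(96, &clamped);
    printf("db=96 -> %u (clamped=%d)\n", v, clamped);   /* saturates to entry 95 */
    printf("db=17 -> %u\n", db_to_linear_unchecked(17));
    return 0;
}
```

Saturating is the right choice when the input is a signal-quality estimate that is only slightly out of range; if the value can be wildly wrong, returning an error and skipping the sample is preferable to silently using the last table entry.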

@KernelGhost
Contributor

Thought it might be worthwhile sharing my experience here as well. The following warnings are printed to the screen by plymouth during system boot. There are no issues with internet access once the system finishes booting.

UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1912:48
index 1 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1917:75
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1923:76
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1926:34
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/os_dep/linux/ioctl_cfg80211.c:1589:110
index 16 is out of range for type 'u8 [*]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/os_dep/linux/ioctl_cfg80211.c:1590:110
index 24 is out of range for type 'u8 [*]'
  • OS: Fedora Linux (Version 40)
  • Linux Kernel: 6.9.7-200.fc40.x86_64

@dubhater
Contributor

dubhater commented Jul 3, 2024

@KernelGhost Have you tried rtw88 recently? It may be working okay now.

@KernelGhost
Contributor

@dubhater When I initially set up my system, I used the rtw88_8821ce driver that came bundled with the Linux kernel. Unfortunately, the performance was poor, with very slow connection speeds and frequent random disconnections from wireless access points. Due to these issues, I blacklisted the RTW88 driver and installed the RTL8821ce driver instead. Since making the switch, I have noticed a significant improvement in both performance and stability.

@dubhater
Contributor

dubhater commented Jul 4, 2024

But when was that? Some fixes for RTL8821CE went into kernel 6.9.

@KernelGhost
Contributor

Some fixes for RTL8821CE went into kernel 6.9.

Did you mean to say fixes to RTW88 were included in kernel version 6.9?

But when was that?

The last time I tried rtw88_8821ce was on a kernel between 6.5 and 6.8 (inclusive), though I can't recall the exact version.

Since networking is currently operational and stable using RTL8821ce, I am willing to tolerate the warnings for now. I might trial rtw88_8821ce again in the future if necessary.

@dubhater
Contributor

dubhater commented Jul 4, 2024

Yes, I meant fixes to rtw88.
