UBSAN: array-index-out-of-bounds #96

Open
hkskoglund opened this issue Aug 16, 2024 · 0 comments

Hi!

I am using a USB wifi TP-Link TX20UH to connect to a GoPro 6. It has worked flawlessly for several months. But I have now noticed random disconnects (wpa_supplicant[2632]: wlp0s20f0u1: CTRL-EVENT-DISCONNECTED bssid=06:41:69:8c:58:a3 reason=0). I don't know if this is related to the array-index-out-of-bounds issues.

From journalctl -b -1 I see two UBSAN: array-index-out-of-bounds reports with the latest commit 865ab0f

_rtw_memcpy(padapter->securitypriv.dot118021XGrptxmickey[param->u.crypt.idx].skey, &(param->u.crypt.key[16]), 8);

aug. 16 07:26:29 sol wpa_supplicant[1424]: wlp0s20f0u1: Trying to associate with 06:41:69:8c:58:a3 (SSID='GP26341904' freq=2412 MHz)
aug. 16 07:26:29 sol NetworkManager[1355]: [1723785989.5995] device (wlp0s20f0u1): supplicant interface state: disconnected -> associating
aug. 16 07:26:29 sol NetworkManager[1355]: [1723785989.5995] device (p2p-dev-wlp0s20f0u1): supplicant management interface state: disconnected -> a>
aug. 16 07:26:29 sol wpa_supplicant[1424]: wlp0s20f0u1: Associated with 06:41:69:8c:58:a3
aug. 16 07:26:29 sol wpa_supplicant[1424]: wlp0s20f0u1: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
aug. 16 07:26:29 sol NetworkManager[1355]: [1723785989.9703] device (wlp0s20f0u1): supplicant interface state: associating -> associated
aug. 16 07:26:29 sol NetworkManager[1355]: [1723785989.9705] device (p2p-dev-wlp0s20f0u1): supplicant management interface state: associating -> as>
aug. 16 07:26:30 sol NetworkManager[1355]: [1723785990.7867] device (wlp0s20f0u1): supplicant interface state: associated -> 4way_handshake
aug. 16 07:26:30 sol NetworkManager[1355]: [1723785990.7869] device (p2p-dev-wlp0s20f0u1): supplicant management interface state: associated -> 4wa>
aug. 16 07:26:30 sol kernel: ------------[ cut here ]------------
aug. 16 07:26:30 sol kernel: UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8852au/1.15.0.1/build/os_dep/linux/ioctl_cfg80211.c:1836:110
aug. 16 07:26:30 sol kernel: index 16 is out of range for type 'u8 []'
aug. 16 07:26:30 sol kernel: CPU: 3 PID: 1424 Comm: wpa_supplicant Tainted: G O 6.10.4-200.fc40.x86_64 #1
aug. 16 07:26:30 sol kernel: Hardware name: Dell Inc. Latitude E5470/0J9K9V, BIOS 1.34.3 11/20/2022
aug. 16 07:26:30 sol kernel: Call Trace:
aug. 16 07:26:30 sol kernel:
aug. 16 07:26:30 sol kernel: dump_stack_lvl+0x5d/0x80
aug. 16 07:26:30 sol kernel: ubsan_epilogue+0x5/0x30
aug. 16 07:26:30 sol kernel: __ubsan_handle_out_of_bounds.cold+0x46/0x4b
aug. 16 07:26:30 sol kernel: rtw_cfg80211_set_encryption+0x27b/0xa80 [8852au]
aug. 16 07:26:30 sol kernel: cfg80211_rtw_add_key+0x446/0xf30 [8852au]
aug. 16 07:26:30 sol kernel: nl80211_new_key+0x165/0x380 [cfg80211]
aug. 16 07:26:30 sol kernel: genl_family_rcv_msg_doit+0xef/0x150
aug. 16 07:26:30 sol kernel: genl_rcv_msg+0x1b7/0x2c0
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_new_key+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_genl_rcv_msg+0x10/0x10
aug. 16 07:26:30 sol kernel: netlink_rcv_skb+0x50/0x100
aug. 16 07:26:30 sol kernel: genl_rcv+0x28/0x40
aug. 16 07:26:30 sol kernel: netlink_unicast+0x240/0x370
aug. 16 07:26:30 sol kernel: netlink_sendmsg+0x21b/0x470
aug. 16 07:26:30 sol kernel: ____sys_sendmsg+0x396/0x3d0
aug. 16 07:26:30 sol kernel: ___sys_sendmsg+0x9a/0xe0
aug. 16 07:26:30 sol kernel: ? do_syscall_64+0x8e/0x160
aug. 16 07:26:30 sol kernel: __sys_sendmsg+0xcc/0x100
aug. 16 07:26:30 sol kernel: do_syscall_64+0x82/0x160
aug. 16 07:26:30 sol kernel: ? dev_get_by_name_rcu+0x67/0x80
aug. 16 07:26:30 sol kernel: ? __check_object_size+0x58/0x230
aug. 16 07:26:30 sol kernel: ? _copy_to_user+0x24/0x40
aug. 16 07:26:30 sol kernel: ? put_user_ifreq+0x49/0x60
aug. 16 07:26:30 sol kernel: ? sock_do_ioctl+0x107/0x130
aug. 16 07:26:30 sol kernel: ? syscall_exit_to_user_mode+0x72/0x220
aug. 16 07:26:30 sol kernel: ? do_syscall_64+0x8e/0x160
aug. 16 07:26:30 sol kernel: ? __irq_exit_rcu+0x4a/0xb0
aug. 16 07:26:30 sol kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
aug. 16 07:26:30 sol kernel: RIP: 0033:0x7fbf5af2ca14
aug. 16 07:26:30 sol kernel: Code: 15 09 94 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 16 0d 00 00 74 13 b8 2e 00 00 00 >
aug. 16 07:26:30 sol kernel: RSP: 002b:00007ffd1c9257b8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
aug. 16 07:26:30 sol kernel: RAX: ffffffffffffffda RBX: 000055d02c121920 RCX: 00007fbf5af2ca14
aug. 16 07:26:30 sol kernel: RDX: 0000000000000000 RSI: 00007ffd1c9257f0 RDI: 0000000000000006
aug. 16 07:26:30 sol kernel: RBP: 00007ffd1c9257e0 R08: 0000000000000004 R09: 0000000000000001
aug. 16 07:26:30 sol kernel: R10: 00007ffd1c9258fc R11: 0000000000000202 R12: 000055d02c1c9c10
aug. 16 07:26:30 sol kernel: R13: 000055d02c121830 R14: 00007ffd1c9257f0 R15: 0000000000000000
aug. 16 07:26:30 sol kernel:
aug. 16 07:26:30 sol kernel: ---[ end trace ]---
aug. 16 07:26:30 sol kernel: ------------[ cut here ]------------
aug. 16 07:26:30 sol kernel: UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8852au/1.15.0.1/build/os_dep/linux/ioctl_cfg80211.c:1837:110
aug. 16 07:26:30 sol kernel: index 24 is out of range for type 'u8 []'
aug. 16 07:26:30 sol kernel: CPU: 3 PID: 1424 Comm: wpa_supplicant Tainted: G O 6.10.4-200.fc40.x86_64 #1
aug. 16 07:26:30 sol kernel: Hardware name: Dell Inc. Latitude E5470/0J9K9V, BIOS 1.34.3 11/20/2022
aug. 16 07:26:30 sol kernel: Call Trace:
aug. 16 07:26:30 sol kernel:
aug. 16 07:26:30 sol kernel: dump_stack_lvl+0x5d/0x80
aug. 16 07:26:30 sol kernel: ubsan_epilogue+0x5/0x30
aug. 16 07:26:30 sol kernel: __ubsan_handle_out_of_bounds.cold+0x46/0x4b
aug. 16 07:26:30 sol kernel: rtw_cfg80211_set_encryption+0x2c0/0xa80 [8852au]
aug. 16 07:26:30 sol kernel: cfg80211_rtw_add_key+0x446/0xf30 [8852au]
aug. 16 07:26:30 sol kernel: nl80211_new_key+0x165/0x380 [cfg80211]
aug. 16 07:26:30 sol kernel: genl_family_rcv_msg_doit+0xef/0x150
aug. 16 07:26:30 sol kernel: genl_rcv_msg+0x1b7/0x2c0
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_new_key+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
aug. 16 07:26:30 sol kernel: ? __pfx_genl_rcv_msg+0x10/0x10
aug. 16 07:26:30 sol kernel: netlink_rcv_skb+0x50/0x100
aug. 16 07:26:30 sol kernel: genl_rcv+0x28/0x40
aug. 16 07:26:30 sol kernel: netlink_unicast+0x240/0x370
aug. 16 07:26:30 sol kernel: netlink_sendmsg+0x21b/0x470
aug. 16 07:26:30 sol kernel: ____sys_sendmsg+0x396/0x3d0
aug. 16 07:26:30 sol kernel: ___sys_sendmsg+0x9a/0xe0
aug. 16 07:26:30 sol kernel: ? do_syscall_64+0x8e/0x160
aug. 16 07:26:30 sol kernel: __sys_sendmsg+0xcc/0x100
aug. 16 07:26:30 sol kernel: do_syscall_64+0x82/0x160
aug. 16 07:26:30 sol kernel: ? dev_get_by_name_rcu+0x67/0x80
aug. 16 07:26:30 sol kernel: ? __check_object_size+0x58/0x230
aug. 16 07:26:30 sol kernel: ? _copy_to_user+0x24/0x40
aug. 16 07:26:30 sol kernel: ? put_user_ifreq+0x49/0x60
aug. 16 07:26:30 sol kernel: ? sock_do_ioctl+0x107/0x130
aug. 16 07:26:30 sol kernel: ? syscall_exit_to_user_mode+0x72/0x220
aug. 16 07:26:30 sol kernel: ? do_syscall_64+0x8e/0x160
aug. 16 07:26:30 sol kernel: ? __irq_exit_rcu+0x4a/0xb0
aug. 16 07:26:30 sol kernel: entry_SYSCALL_64_after_hwframe+0x76/0x7e
aug. 16 07:26:30 sol kernel: RIP: 0033:0x7fbf5af2ca14
aug. 16 07:26:30 sol kernel: Code: 15 09 94 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bf 0f 1f 44 00 00 f3 0f 1e fa 80 3d 35 16 0d 00 00 74 13 b8 2e 00 00 00 >
aug. 16 07:26:30 sol kernel: RSP: 002b:00007ffd1c9257b8 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
aug. 16 07:26:30 sol kernel: RAX: ffffffffffffffda RBX: 000055d02c121920 RCX: 00007fbf5af2ca14
aug. 16 07:26:30 sol kernel: RDX: 0000000000000000 RSI: 00007ffd1c9257f0 RDI: 0000000000000006
aug. 16 07:26:30 sol kernel: RBP: 00007ffd1c9257e0 R08: 0000000000000004 R09: 0000000000000001
aug. 16 07:26:30 sol kernel: R10: 00007ffd1c9258fc R11: 0000000000000202 R12: 000055d02c1c9c10
aug. 16 07:26:30 sol kernel: R13: 000055d02c121830 R14: 00007ffd1c9257f0 R15: 0000000000000000
aug. 16 07:26:30 sol kernel:
aug. 16 07:26:30 sol kernel: ---[ end trace ]---
aug. 16 07:26:30 sol wpa_supplicant[1424]: wlp0s20f0u1: WPA: Key negotiation completed with 06:41:69:8c:58:a3 [PTK=CCMP GTK=CCMP]
aug. 16 07:26:30 sol NetworkManager[1355]: [1723785990.8506] device (wlp0s20f0u1): supplicant interface state: 4way_handshake -> completed
aug. 16 07:26:30 sol wpa_supplicant[1424]: wlp0s20f0u1: CTRL-EVENT-CONNECTED - Connection to 06:41:69:8c:58:a3 completed [id=0 id_str=]
aug. 16 07:26:30 sol NetworkManager[1355]: [1723785990.8507] device (wlp0s20f0u1): Activation: (wifi) Stage 2 of 5 (Device Configure) successful.
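The two reports above fire on consecutive lines of rtw_cfg80211_set_encryption that read 8 bytes starting at key[16] and key[24] of the caller-supplied crypt parameter (TKIP key material is laid out as 16-byte TK, 8-byte TX MIC, 8-byte RX MIC). The example below is added here to show the pattern and is not the driver's code: it assumes, modelled on the rtw vendor driver's `ieee_param.u.crypt`, that `key` is a trailing variable-length buffer that the driver declares as a zero-length array `u8 key[0]`, which recent kernels (built with -fstrict-flex-arrays=3) sanitize as having no valid index at all; a flexible array member `u8 key[]` is the declaration UBSAN understands. Independently of the sanitizer, copying from offsets 16 and 24 is only safe when the supplied key_len covers them, so the checked variant validates key_len and the key index before indexing. The struct layout, MAX_GROUP_KEYS and the return codes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t  u8;
typedef uint16_t u16;
typedef uint32_t u32;

/* Assumed layout (modelled on the rtw vendor driver's ieee_param.u.crypt).
 * The driver is assumed to declare the trailing buffer as `u8 key[0]`, a
 * GNU zero-length array; with -fstrict-flex-arrays=3 UBSAN reports every
 * index into such an array, which matches the "index 16" / "index 24"
 * reports. A flexible array member `u8 key[]` is the form the sanitizer
 * treats as variable-length. */
struct crypt_param {
    u8  alg[16];
    u8  set_tx;
    u32 err;
    u8  idx;
    u8  seq[8];
    u16 key_len;
    u8  key[];      /* flexible array member: key_len bytes follow */
};

/* TKIP key material as delivered by the supplicant: TK | TX MIC | RX MIC */
#define TKIP_TK_LEN     16
#define TKIP_MIC_LEN    8
#define TKIP_KEY_LEN    (TKIP_TK_LEN + 2 * TKIP_MIC_LEN)   /* 32 bytes */
#define MAX_GROUP_KEYS  4   /* assumed number of group key slots */

struct group_keys {
    u8 tx_mic[MAX_GROUP_KEYS][TKIP_MIC_LEN];
    u8 rx_mic[MAX_GROUP_KEYS][TKIP_MIC_LEN];
};

/* Before: mirrors the shape of the reported lines. Nothing checks idx or
 * key_len, so a short key makes the second memcpy read past the buffer
 * that arrived in the netlink message. Shown only for contrast. */
void set_group_mic_unchecked(struct group_keys *gk, const struct crypt_param *p)
{
    memcpy(gk->tx_mic[p->idx], &p->key[TKIP_TK_LEN], TKIP_MIC_LEN);
    memcpy(gk->rx_mic[p->idx], &p->key[TKIP_TK_LEN + TKIP_MIC_LEN], TKIP_MIC_LEN);
}

/* After: reject an out-of-range slot and a key too short to hold both MICs
 * before any index into the caller-supplied buffer is formed. */
int set_group_mic_checked(struct group_keys *gk, const struct crypt_param *p)
{
    if (p->idx >= MAX_GROUP_KEYS)
        return -1;              /* bad key slot index */
    if (p->key_len < TKIP_KEY_LEN)
        return -2;              /* not enough material for TX and RX MIC */
    memcpy(gk->tx_mic[p->idx], &p->key[TKIP_TK_LEN], TKIP_MIC_LEN);
    memcpy(gk->rx_mic[p->idx], &p->key[TKIP_TK_LEN + TKIP_MIC_LEN], TKIP_MIC_LEN);
    return 0;
}

/* Build a parameter block with key_len bytes of constructed key data
 * (byte value equals its offset, so the MIC copies are easy to verify). */
static struct crypt_param *make_param(u8 idx, u16 key_len)
{
    struct crypt_param *p = calloc(1, sizeof(*p) + key_len);
    if (!p)
        return NULL;
    p->idx = idx;
    p->key_len = key_len;
    for (u16 i = 0; i < key_len; i++)
        p->key[i] = (u8)i;
    return p;
}

/* Run the checked path; returns the TX MIC byte at byte_index on success,
 * or the negative error code from set_group_mic_checked. */
int demo(u8 idx, u16 key_len, int byte_index)
{
    struct group_keys gk;
    memset(&gk, 0, sizeof gk);
    struct crypt_param *p = make_param(idx, key_len);
    if (!p)
        return -99;
    int rc = set_group_mic_checked(&gk, p);
    int result = (rc == 0) ? gk.tx_mic[idx][byte_index] : rc;
    free(p);
    return result;
}

int main(void)
{
    printf("full TKIP key, slot 1: tx_mic[0] = %d\n", demo(1, TKIP_KEY_LEN, 0));
    printf("16-byte key, slot 1:   rc = %d\n", demo(1, 16, 0));
    printf("full key, slot 7:      rc = %d\n", demo(7, TKIP_KEY_LEN, 0));
    return 0;
}
```

With a 32-byte key the checked path copies key[16..23] into the TX MIC slot (so the first byte is 16); a 16-byte key, as used for CCMP, is refused with -2 instead of being read past its end, and an out-of-range slot is refused with -1. The declaration change alone silences the sanitizer; the length check is what removes the actual over-read.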
