aircrack-ng / rtl8812au

RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection
GNU General Public License v2.0

[Bug] "array-index-out-of-bounds in rtl8812au/core/rtw_wlan_util.c" when reloading 88XXau #1199

Open sardChen opened 4 weeks ago

sardChen commented 4 weeks ago

When running a fuzzing test and reloading rtl8812au, I found three array-index-out-of-bounds bugs in the dmesg log:

```
[ 684.674062] usb 1-11.4: USB disconnect, device number 8
[ 686.127497] usb 1-11.4: new high-speed USB device number 9 using xhci_hcd
[ 686.204600] usb 1-11.4: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[ 686.204623] usb 1-11.4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 686.204634] usb 1-11.4: Product: 802.11n NIC
[ 686.204642] usb 1-11.4: Manufacturer: Realtek
[ 686.204649] usb 1-11.4: SerialNumber: 123456
[ 686.250241] 88XXau: loading out-of-tree module taints kernel.
[ 686.250299] 88XXau: module verification failed: signature and/or required key missing - tainting kernel
[ 686.494483] usb 1-11.4: 88XXau 00:c0:ca:b4:93:54 hw_info[d7]
[ 686.499443] usbcore: registered new interface driver rtl88XXau
[ 686.549446] rtl88XXau 1-11.4:1.0 wlx00c0cab49354: renamed from wlan0
[ 691.487880] ================================================================================
[ 691.487911] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8812au/core/rtw_wlan_util.c:1905:48
[ 691.487960] index 1 is out of range for type 'u8 [1]'
[ 691.487973] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G OE 6.6.58 #1
[ 691.487987] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 691.487995] Call Trace:
[ 691.488001]
[ 691.488008] dump_stack_lvl+0x48/0x70
[ 691.488033] dump_stack+0x10/0x20
[ 691.488046] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 691.488059] ? read_profile+0x321/0x660
[ 691.488072] HT_caps_handler+0x1d1/0xa90 [88XXau]
[ 691.488541] ? __pfx_HT_caps_handler+0x10/0x10 [88XXau]
[ 691.488946] ? __asan_memcpy+0x4e/0x80
[ 691.488971] OnAssocRsp+0x577/0x650 [88XXau]
[ 691.489283] DoReserved+0x14b/0x1d0 [88XXau]
[ 691.489574] ? DoReserved+0x30/0x1d0 [88XXau]
[ 691.489855] ? _raw_spin_lock_bh+0x86/0xf0
[ 691.489873] mgt_dispatcher+0x39f/0x4b0 [88XXau]
[ 691.490157] ? rtw_get_stainfo+0x30c/0x360 [88XXau]
[ 691.490538] ? __pfx_mgt_dispatcher+0x10/0x10 [88XXau]
[ 691.490824] ? recvframe_chk_defrag+0x15c/0x280 [88XXau]
[ 691.491185] validate_recv_mgnt_frame+0x9a4/0xd50 [88XXau]
[ 691.491530] ? GetHalDefVar8812A+0xcf9/0xd00 [88XXau]
[ 691.491963] ? GetHalDefVar8812AUsb+0xe/0x110 [88XXau]
[ 691.492368] validate_recv_frame+0x548/0x670 [88XXau]
[ 691.492722] ? __pfx_validate_recv_frame+0x10/0x10 [88XXau]
[ 691.493055] ? rx_query_phy_status+0x92b/0x9a0 [88XXau]
[ 691.493384] recv_func_prehandle+0x85/0xe0 [88XXau]
[ 691.493707] recv_func+0x56/0x340 [88XXau]
[ 691.494026] rtw_recv_entry+0x3b/0x140 [88XXau]
[ 691.494337] pre_recv_entry+0xf0/0x230 [88XXau]
[ 691.494650] recvbuf2recvframe+0x20e/0x590 [88XXau]
[ 691.495070] usb_recv_tasklet+0x12b/0x230 [88XXau]
[ 691.495517] tasklet_action_common.constprop.0+0x275/0x670
[ 691.495536] tasklet_action+0x22/0x30
[ 691.495549] handle_softirqs+0x192/0x5d0
[ 691.495565] __irq_exit_rcu+0x15c/0x1b0
[ 691.495578] irq_exit_rcu+0xe/0x20
[ 691.495591] common_interrupt+0xa4/0xb0
[ 691.495602]
[ 691.495607]
[ 691.495613] asm_common_interrupt+0x27/0x40
[ 691.495623] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 691.495634] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 691.495645] RSP: 0018:ffff888100d6fd30 EFLAGS: 00000246
[ 691.495660] RAX: 0000000000000000 RBX: ffff88885c24ffe0 RCX: 0000000000000000
[ 691.495669] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 691.495676] RBP: ffff888100d6fd80 R08: 0000000000000000 R09: 0000000000000000
[ 691.495682] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5a627c0
[ 691.495689] R13: 0000000000000004 R14: 0000000000000004 R15: 000000a0ffe2bf2d
[ 691.495705] cpuidle_enter+0x4f/0xb0
[ 691.495719] call_cpuidle+0x47/0xd0
[ 691.495732] do_idle+0x372/0x460
[ 691.495747] ? __pfx_do_idle+0x10/0x10
[ 691.495764] cpu_startup_entry+0x58/0x70
[ 691.495778] start_secondary+0x220/0x2b0
[ 691.495789] ? __pfx_start_secondary+0x10/0x10
[ 691.495802] secondary_startup_64_no_verify+0x18f/0x19b
[ 691.495820]
[ 691.495866] ================================================================================
[ 691.495879] ================================================================================
[ 691.495887] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8812au/core/rtw_wlan_util.c:1910:75
[ 691.495902] index 2 is out of range for type 'u8 [1]'
[ 691.495913] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G OE 6.6.58 #1
[ 691.495925] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 691.495931] Call Trace:
[ 691.495936]
[ 691.495941] dump_stack_lvl+0x48/0x70
[ 691.495956] dump_stack+0x10/0x20
[ 691.495967] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 691.495978] ? read_profile+0x322/0x660
[ 691.495989] HT_caps_handler+0x2e2/0xa90 [88XXau]
[ 691.496347] ? __pfx_HT_caps_handler+0x10/0x10 [88XXau]
[ 691.496827] ? __asan_memcpy+0x4e/0x80
[ 691.496851] OnAssocRsp+0x577/0x650 [88XXau]
[ 691.497216] DoReserved+0x14b/0x1d0 [88XXau]
[ 691.497504] ? DoReserved+0x30/0x1d0 [88XXau]
[ 691.497786] ? _raw_spin_lock_bh+0x86/0xf0
[ 691.497802] mgt_dispatcher+0x39f/0x4b0 [88XXau]
[ 691.498088] ? rtw_get_stainfo+0x30c/0x360 [88XXau]
[ 691.498447] ? __pfx_mgt_dispatcher+0x10/0x10 [88XXau]
[ 691.498733] ? recvframe_chk_defrag+0x15c/0x280 [88XXau]
[ 691.499082] validate_recv_mgnt_frame+0x9a4/0xd50 [88XXau]
[ 691.499380] ? GetHalDefVar8812A+0xcf9/0xd00 [88XXau]
[ 691.499768] ? GetHalDefVar8812AUsb+0xe/0x110 [88XXau]
[ 691.500121] validate_recv_frame+0x548/0x670 [88XXau]
[ 691.500420] ? __pfx_validate_recv_frame+0x10/0x10 [88XXau]
[ 691.500698] ? rx_query_phy_status+0x92b/0x9a0 [88XXau]
[ 691.500957] recv_func_prehandle+0x85/0xe0 [88XXau]
[ 691.501203] recv_func+0x56/0x340 [88XXau]
[ 691.501439] rtw_recv_entry+0x3b/0x140 [88XXau]
[ 691.501676] pre_recv_entry+0xf0/0x230 [88XXau]
[ 691.501892] recvbuf2recvframe+0x20e/0x590 [88XXau]
[ 691.502186] usb_recv_tasklet+0x12b/0x230 [88XXau]
[ 691.502479] tasklet_action_common.constprop.0+0x275/0x670
[ 691.502491] tasklet_action+0x22/0x30
[ 691.502499] handle_softirqs+0x192/0x5d0
[ 691.502509] __irq_exit_rcu+0x15c/0x1b0
[ 691.502517] irq_exit_rcu+0xe/0x20
[ 691.502525] common_interrupt+0xa4/0xb0
[ 691.502531]
[ 691.502534]
[ 691.502537] asm_common_interrupt+0x27/0x40
[ 691.502543] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 691.502550] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 691.502556] RSP: 0018:ffff888100d6fd30 EFLAGS: 00000246
[ 691.502563] RAX: 0000000000000000 RBX: ffff88885c24ffe0 RCX: 0000000000000000
[ 691.502567] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 691.502571] RBP: ffff888100d6fd80 R08: 0000000000000000 R09: 0000000000000000
[ 691.502575] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5a627c0
[ 691.502579] R13: 0000000000000004 R14: 0000000000000004 R15: 000000a0ffe2bf2d
[ 691.502588] cpuidle_enter+0x4f/0xb0
[ 691.502597] call_cpuidle+0x47/0xd0
[ 691.502605] do_idle+0x372/0x460
[ 691.502614] ? __pfx_do_idle+0x10/0x10
[ 691.502624] cpu_startup_entry+0x58/0x70
[ 691.502632] start_secondary+0x220/0x2b0
[ 691.502639] ? __pfx_start_secondary+0x10/0x10
[ 691.502647] secondary_startup_64_no_verify+0x18f/0x19b
[ 691.502658]
[ 691.502664] ================================================================================
[ 691.502671] ================================================================================
[ 691.502675] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8812au/core/rtw_wlan_util.c:1916:76
[ 691.502685] index 2 is out of range for type 'u8 [1]'
[ 691.502693] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G OE 6.6.58 #1
[ 691.502699] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 691.502703] Call Trace:
[ 691.502706]
[ 691.502710] dump_stack_lvl+0x48/0x70
[ 691.502718] dump_stack+0x10/0x20
[ 691.502726] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 691.502732] ? read_profile+0x322/0x660
[ 691.502739] HT_caps_handler+0x35e/0xa90 [88XXau]
[ 691.502996] ? __pfx_HT_caps_handler+0x10/0x10 [88XXau]
[ 691.503258] ? __asan_memcpy+0x4e/0x80
[ 691.503267] OnAssocRsp+0x577/0x650 [88XXau]
[ 691.503443] DoReserved+0x14b/0x1d0 [88XXau]
[ 691.503596] ? DoReserved+0x30/0x1d0 [88XXau]
[ 691.503745] ? _raw_spin_lock_bh+0x86/0xf0
[ 691.503754] mgt_dispatcher+0x39f/0x4b0 [88XXau]
[ 691.503906] ? rtw_get_stainfo+0x30c/0x360 [88XXau]
[ 691.504092] ? __pfx_mgt_dispatcher+0x10/0x10 [88XXau]
[ 691.504237] ? recvframe_chk_defrag+0x15c/0x280 [88XXau]
[ 691.504420] validate_recv_mgnt_frame+0x9a4/0xd50 [88XXau]
[ 691.504583] ? GetHalDefVar8812A+0xcf9/0xd00 [88XXau]
[ 691.504788] ? GetHalDefVar8812AUsb+0xe/0x110 [88XXau]
[ 691.504968] validate_recv_frame+0x548/0x670 [88XXau]
[ 691.505141] ? __pfx_validate_recv_frame+0x10/0x10 [88XXau]
[ 691.505292] ? rx_query_phy_status+0x92b/0x9a0 [88XXau]
[ 691.505437] recv_func_prehandle+0x85/0xe0 [88XXau]
[ 691.505579] recv_func+0x56/0x340 [88XXau]
[ 691.505717] rtw_recv_entry+0x3b/0x140 [88XXau]
[ 691.505846] pre_recv_entry+0xf0/0x230 [88XXau]
[ 691.505973] recvbuf2recvframe+0x20e/0x590 [88XXau]
[ 691.506134] usb_recv_tasklet+0x12b/0x230 [88XXau]
[ 691.506302] tasklet_action_common.constprop.0+0x275/0x670
[ 691.506308] tasklet_action+0x22/0x30
[ 691.506313] handle_softirqs+0x192/0x5d0
[ 691.506319] __irq_exit_rcu+0x15c/0x1b0
[ 691.506324] irq_exit_rcu+0xe/0x20
[ 691.506328] common_interrupt+0xa4/0xb0
[ 691.506332]
[ 691.506333]
[ 691.506336] asm_common_interrupt+0x27/0x40
[ 691.506339] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 691.506342] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 691.506346] RSP: 0018:ffff888100d6fd30 EFLAGS: 00000246
[ 691.506349] RAX: 0000000000000000 RBX: ffff88885c24ffe0 RCX: 0000000000000000
[ 691.506352] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 691.506354] RBP: ffff888100d6fd80 R08: 0000000000000000 R09: 0000000000000000
[ 691.506357] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5a627c0
[ 691.506359] R13: 0000000000000004 R14: 0000000000000004 R15: 000000a0ffe2bf2d
[ 691.506364] cpuidle_enter+0x4f/0xb0
[ 691.506369] call_cpuidle+0x47/0xd0
[ 691.506374] do_idle+0x372/0x460
[ 691.506379] ? __pfx_do_idle+0x10/0x10
[ 691.506385] cpu_startup_entry+0x58/0x70
[ 691.506390] start_secondary+0x220/0x2b0
[ 691.506394] ? __pfx_start_secondary+0x10/0x10
[ 691.506398] secondary_startup_64_no_verify+0x18f/0x19b
[ 691.506405]
[ 691.506408] ================================================================================
[ 699.920793] ================================================================================
[ 699.920836] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8812au/core/rtw_wlan_util.c:1919:34
[ 699.920853] index 2 is out of range for type 'u8 [1]'
[ 699.920866] CPU: 4 PID: 0 Comm: swapper/4 Tainted: G OE 6.6.58 #1
[ 699.920880] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 699.920888] Call Trace:
[ 699.920893]
[ 699.920902] dump_stack_lvl+0x48/0x70
[ 699.920926] dump_stack+0x10/0x20
[ 699.920938] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 699.920952] ? read_profile+0x322/0x660
[ 699.920965] HT_caps_handler+0x378/0xa90 [88XXau]
[ 699.921339] ? __pfx_HT_caps_handler+0x10/0x10 [88XXau]
[ 699.921671] OnAssocRsp+0x577/0x650 [88XXau]
[ 699.921984] DoReserved+0x14b/0x1d0 [88XXau]
[ 699.922274] ? DoReserved+0x30/0x1d0 [88XXau]
[ 699.922556] ? _raw_spin_lock_bh+0x86/0xf0
[ 699.922573] mgt_dispatcher+0x39f/0x4b0 [88XXau]
[ 699.922857] ? rtw_get_stainfo+0x30c/0x360 [88XXau]
[ 699.923226] ? __pfx_mgt_dispatcher+0x10/0x10 [88XXau]
[ 699.923513] ? recvframe_chk_defrag+0x15c/0x280 [88XXau]
[ 699.923878] validate_recv_mgnt_frame+0x9a4/0xd50 [88XXau]
[ 699.924217] ? GetHalDefVar8812A+0xcf9/0xd00 [88XXau]
[ 699.924656] ? GetHalDefVar8812AUsb+0xe/0x110 [88XXau]
[ 699.925060] validate_recv_frame+0x548/0x670 [88XXau]
[ 699.925441] ? __pfx_validate_recv_frame+0x10/0x10 [88XXau]
[ 699.925788] ? rx_query_phy_status+0x92b/0x9a0 [88XXau]
[ 699.925861] recv_func_prehandle+0x85/0xe0 [88XXau]
[ 699.925921] recv_func+0x56/0x340 [88XXau]
[ 699.925981] rtw_recv_entry+0x3b/0x140 [88XXau]
[ 699.926040] pre_recv_entry+0xf0/0x230 [88XXau]
[ 699.926099] recvbuf2recvframe+0x20e/0x590 [88XXau]
[ 699.926176] usb_recv_tasklet+0x12b/0x230 [88XXau]
[ 699.926256] tasklet_action_common.constprop.0+0x275/0x670
[ 699.926260] tasklet_action+0x22/0x30
[ 699.926262] handle_softirqs+0x192/0x5d0
[ 699.926265] __irq_exit_rcu+0x15c/0x1b0
[ 699.926268] irq_exit_rcu+0xe/0x20
[ 699.926270] common_interrupt+0xa4/0xb0
[ 699.926272]
[ 699.926273]
[ 699.926274] asm_common_interrupt+0x27/0x40
[ 699.926276] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 699.926279] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 699.926281] RSP: 0018:ffff888100d6fd30 EFLAGS: 00000246
[ 699.926283] RAX: 0000000000000000 RBX: ffff88885c24ffe0 RCX: 0000000000000000
[ 699.926285] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 699.926287] RBP: ffff888100d6fd80 R08: 0000000000000000 R09: 0000000000000000
[ 699.926288] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa5a627c0
[ 699.926289] R13: 0000000000000004 R14: 0000000000000004 R15: 000000a2f685635a
[ 699.926291] ? __pfx_menu_select+0x10/0x10
[ 699.926295] cpuidle_enter+0x4f/0xb0
[ 699.926297] call_cpuidle+0x47/0xd0
[ 699.926300] do_idle+0x372/0x460
[ 699.926303] ? __pfx_do_idle+0x10/0x10
[ 699.926306] cpu_startup_entry+0x58/0x70
[ 699.926308] start_secondary+0x220/0x2b0
[ 699.926311] ? __pfx_start_secondary+0x10/0x10
[ 699.926313] secondary_startup_64_no_verify+0x18f/0x19b
[ 699.926317]
[ 699.926319] ================================================================================
```
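An added illustration, not code from the rtl8812au driver or from anyone in this thread: the UBSAN lines above report an index of 1 or 2 applied to an object of type `u8 [1]`, the one-element trailing array that older C code uses as a variable-length body, which is why the sanitizer flags every byte past the first while the association response is parsed in `HT_caps_handler`. The hypothetical `struct ie`, the `parse_ht_cap` walker and the two `demo_*` inputs below are my assumptions; only the 802.11 HT Capabilities element (ID 45, 26-byte body) comes from the standard.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical IE layout (not the driver's type).  The classic form is a
 * one-element trailing array, u8 data[1], used as a variable-length body;
 * data[i] with i >= 1 is what -fsanitize=bounds reports as "index N is out of
 * range for type 'u8 [1]'".  A flexible array member has no fixed bound, so the
 * length field must be validated against the frame explicitly instead. */
struct ie {
    uint8_t element_id;
    uint8_t length;
    uint8_t data[];        /* was: uint8_t data[1]; */
};

#define IE_ID_HT_CAP  45   /* 802.11 HT Capabilities element ID */
#define HT_CAP_IE_LEN 26   /* fixed body length of that element */

/* Walk the IE list and copy the HT Capabilities body into out.
 * Returns bytes copied, or 0 when the element is absent or malformed. */
size_t parse_ht_cap(const uint8_t *buf, size_t buf_len, uint8_t out[HT_CAP_IE_LEN])
{
    size_t off = 0;
    while (off + sizeof(struct ie) <= buf_len) {
        const struct ie *ie = (const struct ie *)(buf + off);
        size_t body_end = off + sizeof(struct ie) + ie->length;
        if (body_end > buf_len)
            return 0;                   /* declared length runs past the frame */
        if (ie->element_id == IE_ID_HT_CAP) {
            if (ie->length != HT_CAP_IE_LEN)
                return 0;               /* wrong size: reject rather than over-read */
            memcpy(out, ie->data, HT_CAP_IE_LEN);
            return HT_CAP_IE_LEN;
        }
        off = body_end;
    }
    return 0;
}

/* Constructed inputs (not captured traffic): SSID "abc", then a full HT IE. */
size_t demo_well_formed(void)
{
    uint8_t out[HT_CAP_IE_LEN], frame[7 + HT_CAP_IE_LEN] = { 0, 3, 'a', 'b', 'c', IE_ID_HT_CAP, HT_CAP_IE_LEN };
    for (size_t i = 0; i < HT_CAP_IE_LEN; i++) frame[7 + i] = (uint8_t)(0x10 + i);
    return parse_ht_cap(frame, sizeof frame, out);   /* 26 */
}

/* Constructed: the HT IE announces 26 body bytes but the frame ends after 4. */
size_t demo_truncated(void)
{
    uint8_t out[HT_CAP_IE_LEN], frame[] = { IE_ID_HT_CAP, HT_CAP_IE_LEN, 1, 2, 3, 4 };
    return parse_ht_cap(frame, sizeof frame, out);   /* 0 */
}
```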

IamCOD3X commented 3 weeks ago

Do share the driver information, like which branch you are using, so that someone can take a look at the code.