While running the hwsim test suite with address sanitizer and undefined
behavior sanitizer enabled, I got the following output from the p2p
code. It seems unrelated to my current work on nl80211 control port rx.
I saw it in autogo_pbc and it is reproducible for me if I run:
./run-tests.py autogo_2cli autogo_pbc
Markus
==53565==ERROR: AddressSanitizer: heap-use-after-free on address
0x61b000008688 at pc 0x5651c04b7bed bp 0x7ffdc000f020 sp 0x7ffdc000f010
READ of size 8 at 0x61b000008688 thread T0
#0 0x5651c04b7bec in wpa_driver_nl80211_mlme
../src/drivers/driver_nl80211.c:3339
#1 0x5651c04bc842 in wpa_driver_nl80211_deauthenticate
../src/drivers/driver_nl80211.c:3391
#2 0x5651c04bc954 in driver_nl80211_deauthenticate
../src/drivers/driver_nl80211.c:8782
#3 0x5651c042b6bd in wpa_drv_deauthenticate
/home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:190
#4 0x5651c042b6bd in wpa_supplicant_deauthenticate
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:3821
#5 0x5651bff5a86c in wpas_p2p_group_delete
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:876
#6 0x5651bff857a3 in wpas_p2p_disconnect
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:8064
#7 0x5651bff85870 in wpas_p2p_disconnect_safely
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:534
#8 0x5651bff85a4e in wpas_p2p_group_remove
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:5860
#9 0x5651c0344e35 in wpa_supplicant_ctrl_iface_flush
/home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:8045
#10 0x5651c035ce15 in wpa_supplicant_ctrl_iface_process
/home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:10698
#11 0x5651c036a0b0 in wpa_supplicant_ctrl_iface_receive
/home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface_unix.c:172
#12 0x5651bfe3df15 in eloop_sock_table_dispatch
../src/utils/eloop.c:600
#13 0x5651bfe41054 in eloop_run ../src/utils/eloop.c:1223
#14 0x5651c042f1aa in wpa_supplicant_run
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6890
#15 0x5651c048d4ed in main
/home/mtheil/Code/hostap/wpa_supplicant/main.c:392
#16 0x7f09e5538152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
#17 0x5651bfdf177d in _start
(/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant+0x90677d)
0x61b000008688 is located 264 bytes inside of 1512-byte region
[0x61b000008580,0x61b000008b68)
freed by thread T0 here:
#0 0x7f09e669b6b0 in __interceptor_free
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x5651bfe39658 in os_free ../src/utils/os_unix.c:768
#2 0x5651c04c08e8 in wpa_driver_nl80211_deinit
../src/drivers/driver_nl80211.c:2888
#3 0x5651c04c0914 in driver_nl80211_deinit
../src/drivers/driver_nl80211.c:8797
#4 0x5651c042eaa4 in wpa_drv_deinit
/home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:30
#5 0x5651c042eaa4 in wpa_supplicant_deinit_iface
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6382
#6 0x5651c042cde5 in wpa_supplicant_remove_iface
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6618
#7 0x5651bff5b0b5 in wpas_p2p_group_delete
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:957
#8 0x5651bff8260b in wpas_p2p_deauth_notif
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:7557
#9 0x5651c04616b2 in wpas_event_disconnect
/home/mtheil/Code/hostap/wpa_supplicant/events.c:3700
#10 0x5651c0465f1a in wpas_event_deauth
/home/mtheil/Code/hostap/wpa_supplicant/events.c:3801
#11 0x5651c0465f1a in wpa_supplicant_event
/home/mtheil/Code/hostap/wpa_supplicant/events.c:4414
#12 0x5651c04dace8 in mlme_event_deauth_disassoc
../src/drivers/driver_nl80211_event.c:842
#13 0x5651c04dbbef in mlme_event
../src/drivers/driver_nl80211_event.c:941
#14 0x5651c04dd6ab in do_process_drv_event
../src/drivers/driver_nl80211_event.c:2562
#15 0x5651c04dd6ab in process_global_event
../src/drivers/driver_nl80211_event.c:2724
#16 0x7f09e6550510 in nl_recvmsgs_report
(/usr/lib/libnl-3.so.200+0x13510)
previously allocated by thread T0 here:
#0 0x7f09e669baca in __interceptor_malloc
/build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x5651bfe383d1 in os_malloc ../src/utils/os_unix.c:710
#2 0x5651bfe39a6b in os_zalloc ../src/utils/os_unix.c:774
#3 0x5651c04c2095 in wpa_driver_nl80211_drv_init
../src/drivers/driver_nl80211.c:2041
#4 0x5651c04c364c in wpa_driver_nl80211_init
../src/drivers/driver_nl80211.c:2130
#5 0x5651c0442668 in wpa_drv_init
/home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:19
#6 0x5651c0442668 in wpas_init_driver
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:5889
#7 0x5651c0442668 in wpa_supplicant_init_iface
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6065
#8 0x5651c0442668 in wpa_supplicant_add_iface
/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6527
#9 0x5651bff627d1 in wpas_p2p_init_group_interface
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:2249
#10 0x5651bff6300b in wpas_p2p_get_group_iface
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:6419
#11 0x5651bff635d8 in wpas_p2p_join_start
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:5348
#12 0x5651bff64533 in wpas_prov_disc_resp
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:2793
#13 0x5651c00055d1 in p2p_process_prov_disc_resp
../src/p2p/p2p_pd.c:1583
#14 0x5651bffc6c8b in p2p_rx_p2p_action ../src/p2p/p2p.c:1883
#15 0x5651bffc6c8b in p2p_rx_action_public ../src/p2p/p2p.c:1918
#16 0x5651bffc6c8b in p2p_rx_action ../src/p2p/p2p.c:1941
#17 0x5651bff80425 in wpas_p2p_rx_action
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:7142
#18 0x5651c0453646 in wpas_event_rx_mgmt_action
/home/mtheil/Code/hostap/wpa_supplicant/events.c:4026
#19 0x5651c046b512 in wpa_supplicant_event
/home/mtheil/Code/hostap/wpa_supplicant/events.c:4749
#20 0x5651c04d6bc4 in mlme_event_mgmt
../src/drivers/driver_nl80211_event.c:677
#21 0x5651c04dbc47 in mlme_event
../src/drivers/driver_nl80211_event.c:949
#22 0x5651c04e48ef in process_bss_event
../src/drivers/driver_nl80211_event.c:2754
#23 0x7f09e6550510 in nl_recvmsgs_report
(/usr/lib/libnl-3.so.200+0x13510)
SUMMARY: AddressSanitizer: heap-use-after-free
../src/drivers/driver_nl80211.c:3339 in wpa_driver_nl80211_mlme
==53565==ABORTING
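A triage aid for the report above, added here as an example and not part of the original post or the hostap tree: it splits an AddressSanitizer heap-use-after-free report into its access, free and allocation stacks, rejoins frames that e-mail wrapping split across two lines, and lists the functions that sit on both the access path and the free path. The names `parse_asan`, `shared_functions` and `SAMPLE` are made up for this example; `SAMPLE` is abridged from the trace above.

```python
import re

# Abridged from the report above (frames dropped, e-mail line wraps kept).
SAMPLE = """\
READ of size 8 at 0x61b000008688 thread T0
#0 0x5651c04b7bec in wpa_driver_nl80211_mlme
../src/drivers/driver_nl80211.c:3339
#5 0x5651bff5a86c in wpas_p2p_group_delete
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:876
#13 0x5651bfe41054 in eloop_run ../src/utils/eloop.c:1223
0x61b000008688 is located 264 bytes inside of 1512-byte region
freed by thread T0 here:
#2 0x5651c04c08e8 in wpa_driver_nl80211_deinit
../src/drivers/driver_nl80211.c:2888
#7 0x5651bff5b0b5 in wpas_p2p_group_delete
/home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:957
previously allocated by thread T0 here:
#3 0x5651c04c2095 in wpa_driver_nl80211_drv_init
../src/drivers/driver_nl80211.c:2041
SUMMARY: AddressSanitizer: heap-use-after-free
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?$")
MARKERS = {"READ of size": "access", "WRITE of size": "access",
           "freed by thread": "free", "previously allocated by": "alloc"}

def parse_asan(report):
    """Split an ASan report into access/free/alloc stacks of [func, location]."""
    stacks, cur = {}, None
    for line in (l.strip() for l in report.splitlines()):
        name = next((n for m, n in MARKERS.items() if line.startswith(m)), None)
        frame = FRAME.match(line)
        if name:
            cur = stacks.setdefault(name, [])
        elif line.startswith("SUMMARY:"):
            cur = None  # nothing after the summary belongs to a stack
        elif frame and cur is not None:
            cur.append([frame.group(1), frame.group(2) or ""])
        elif cur and not cur[-1][1] and "/" in line and " " not in line:
            cur[-1][1] = line  # location wrapped onto the next line
    return stacks

def shared_functions(stacks):
    """Functions on both the faulting-access path and the free path."""
    freed = dict(reversed(stacks.get("free", [])))  # innermost frame wins
    return [(f, loc, freed[f]) for f, loc in stacks.get("access", []) if f in freed]

if __name__ == "__main__":
    print(shared_functions(parse_asan(SAMPLE)))
```

Run over the full trace above, the only function it reports on both paths is wpas_p2p_group_delete, reached at p2p_supplicant.c:876 on the access path and at p2p_supplicant.c:957 on the free path.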