Re: use after free in p2p code

On 07.01.20 09:01, Markus Theil wrote:
> While running the hwsim test suite with address sanitizer and
> undefined behavior sanitizer enabled, I got the following output from
> the p2p code. It seems unrelated to my current work on nl80211 control
> port rx.
>
> I saw it in autogo_pbc and it is reproducible for me, if I run:
>
> ./run-tests.py autogo_2cli autogo_pbc
>
> Markus
>
After further testing, I think I found the issue: my rx control port
patch sets the SOCKET_OWNER to the event socket, which does not get
closed on interface delete. I may need to add a separate socket for
control messages and close this one, when the interface is deleted and
leave the event socket open. I'm working on an updated patch.
> ==53565==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x61b000008688 at pc 0x5651c04b7bed bp 0x7ffdc000f020 sp 0x7ffdc000f010
> READ of size 8 at 0x61b000008688 thread T0
>     #0 0x5651c04b7bec in wpa_driver_nl80211_mlme
> ../src/drivers/driver_nl80211.c:3339
>     #1 0x5651c04bc842 in wpa_driver_nl80211_deauthenticate
> ../src/drivers/driver_nl80211.c:3391
>     #2 0x5651c04bc954 in driver_nl80211_deauthenticate
> ../src/drivers/driver_nl80211.c:8782
>     #3 0x5651c042b6bd in wpa_drv_deauthenticate
> /home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:190
>     #4 0x5651c042b6bd in wpa_supplicant_deauthenticate
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:3821
>     #5 0x5651bff5a86c in wpas_p2p_group_delete
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:876
>     #6 0x5651bff857a3 in wpas_p2p_disconnect
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:8064
>     #7 0x5651bff85870 in wpas_p2p_disconnect_safely
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:534
>     #8 0x5651bff85a4e in wpas_p2p_group_remove
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:5860
>     #9 0x5651c0344e35 in wpa_supplicant_ctrl_iface_flush
> /home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:8045
>     #10 0x5651c035ce15 in wpa_supplicant_ctrl_iface_process
> /home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:10698
>     #11 0x5651c036a0b0 in wpa_supplicant_ctrl_iface_receive
> /home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface_unix.c:172
>     #12 0x5651bfe3df15 in eloop_sock_table_dispatch
> ../src/utils/eloop.c:600
>     #13 0x5651bfe41054 in eloop_run ../src/utils/eloop.c:1223
>     #14 0x5651c042f1aa in wpa_supplicant_run
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6890
>     #15 0x5651c048d4ed in main
> /home/mtheil/Code/hostap/wpa_supplicant/main.c:392
>     #16 0x7f09e5538152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
>     #17 0x5651bfdf177d in _start
> (/home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant+0x90677d)
>
> 0x61b000008688 is located 264 bytes inside of 1512-byte region
> [0x61b000008580,0x61b000008b68)
> freed by thread T0 here:
>     #0 0x7f09e669b6b0 in __interceptor_free
> /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
>     #1 0x5651bfe39658 in os_free ../src/utils/os_unix.c:768
>     #2 0x5651c04c08e8 in wpa_driver_nl80211_deinit
> ../src/drivers/driver_nl80211.c:2888
>     #3 0x5651c04c0914 in driver_nl80211_deinit
> ../src/drivers/driver_nl80211.c:8797
>     #4 0x5651c042eaa4 in wpa_drv_deinit
> /home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:30
>     #5 0x5651c042eaa4 in wpa_supplicant_deinit_iface
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6382
>     #6 0x5651c042cde5 in wpa_supplicant_remove_iface
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6618
>     #7 0x5651bff5b0b5 in wpas_p2p_group_delete
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:957
>     #8 0x5651bff8260b in wpas_p2p_deauth_notif
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:7557
>     #9 0x5651c04616b2 in wpas_event_disconnect
> /home/mtheil/Code/hostap/wpa_supplicant/events.c:3700
>     #10 0x5651c0465f1a in wpas_event_deauth
> /home/mtheil/Code/hostap/wpa_supplicant/events.c:3801
>     #11 0x5651c0465f1a in wpa_supplicant_event
> /home/mtheil/Code/hostap/wpa_supplicant/events.c:4414
>     #12 0x5651c04dace8 in mlme_event_deauth_disassoc
> ../src/drivers/driver_nl80211_event.c:842
>     #13 0x5651c04dbbef in mlme_event
> ../src/drivers/driver_nl80211_event.c:941
>     #14 0x5651c04dd6ab in do_process_drv_event
> ../src/drivers/driver_nl80211_event.c:2562
>     #15 0x5651c04dd6ab in process_global_event
> ../src/drivers/driver_nl80211_event.c:2724
>     #16 0x7f09e6550510 in nl_recvmsgs_report
> (/usr/lib/libnl-3.so.200+0x13510)
>
> previously allocated by thread T0 here:
>     #0 0x7f09e669baca in __interceptor_malloc
> /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:144
>     #1 0x5651bfe383d1 in os_malloc ../src/utils/os_unix.c:710
>     #2 0x5651bfe39a6b in os_zalloc ../src/utils/os_unix.c:774
>     #3 0x5651c04c2095 in wpa_driver_nl80211_drv_init
> ../src/drivers/driver_nl80211.c:2041
>     #4 0x5651c04c364c in wpa_driver_nl80211_init
> ../src/drivers/driver_nl80211.c:2130
>     #5 0x5651c0442668 in wpa_drv_init
> /home/mtheil/Code/hostap/wpa_supplicant/driver_i.h:19
>     #6 0x5651c0442668 in wpas_init_driver
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:5889
>     #7 0x5651c0442668 in wpa_supplicant_init_iface
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6065
>     #8 0x5651c0442668 in wpa_supplicant_add_iface
> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6527
>     #9 0x5651bff627d1 in wpas_p2p_init_group_interface
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:2249
>     #10 0x5651bff6300b in wpas_p2p_get_group_iface
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:6419
>     #11 0x5651bff635d8 in wpas_p2p_join_start
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:5348
>     #12 0x5651bff64533 in wpas_prov_disc_resp
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:2793
>     #13 0x5651c00055d1 in p2p_process_prov_disc_resp
> ../src/p2p/p2p_pd.c:1583
>     #14 0x5651bffc6c8b in p2p_rx_p2p_action ../src/p2p/p2p.c:1883
>     #15 0x5651bffc6c8b in p2p_rx_action_public ../src/p2p/p2p.c:1918
>     #16 0x5651bffc6c8b in p2p_rx_action ../src/p2p/p2p.c:1941
>     #17 0x5651bff80425 in wpas_p2p_rx_action
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:7142
>     #18 0x5651c0453646 in wpas_event_rx_mgmt_action
> /home/mtheil/Code/hostap/wpa_supplicant/events.c:4026
>     #19 0x5651c046b512 in wpa_supplicant_event
> /home/mtheil/Code/hostap/wpa_supplicant/events.c:4749
>     #20 0x5651c04d6bc4 in mlme_event_mgmt
> ../src/drivers/driver_nl80211_event.c:677
>     #21 0x5651c04dbc47 in mlme_event
> ../src/drivers/driver_nl80211_event.c:949
>     #22 0x5651c04e48ef in process_bss_event
> ../src/drivers/driver_nl80211_event.c:2754
>     #23 0x7f09e6550510 in nl_recvmsgs_report
> (/usr/lib/libnl-3.so.200+0x13510)
>
> SUMMARY: AddressSanitizer: heap-use-after-free
> ../src/drivers/driver_nl80211.c:3339 in wpa_driver_nl80211_mlme
> Shadow bytes around the buggy address:
>   0x0c367fff9080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff9090: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
>   0x0c367fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c367fff90b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff90c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c367fff90d0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff90e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff90f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff9100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff9110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c367fff9120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
>   Shadow gap:              cc
> ==53565==ABORTING
>
>
> _______________________________________________
> Hostap mailing list
> Hostap@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/hostap

-- 
Markus Theil

Technische Universität Ilmenau, Fachgebiet Telematik/Rechnernetze
Postfach 100565
98684 Ilmenau, Germany

Phone: +49 3677 69-4582
Email: markus[dot]theil[at]tu-ilmenau[dot]de
Web: http://www.tu-ilmenau.de/telematik
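The ASan report above has a shape worth modelling for anyone triaging similar hostap traces: the freed-by stack bottoms out in nl_recvmsgs_report (event processing), while the bad read happens in wpa_driver_nl80211_mlme under a synchronous ctrl_iface command on the same thread. A per-interface driver context that is freed during nested event processing, before the command that was using it has returned, is one way to get exactly that picture. The C program below is an added, constructed model of that pattern and is not hostap code; struct drv_ctx, send_cmd, dispatch_events and remove_iface are hypothetical names standing in for the real driver object, command path, event dispatch and interface removal. The buggy variant frees the context immediately inside the event handler; the hardened variant holds a reference across the nested dispatch so the free is deferred until the command finishes. To keep the demonstration free of undefined behaviour, the buggy path reports that the object was freed underneath it via a free counter instead of dereferencing the dead pointer.

```c
/* Constructed model (not hostap code) of a driver context freed during
 * nested event processing while a synchronous command still uses it.
 * Build with -fsanitize=address to see how a real dereference in the
 * buggy variant would be reported; this model avoids the dereference. */
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-interface driver context (stands in for "drv"). */
struct drv_ctx {
    char ifname[16];
    int refcnt;   /* owners: the interface list plus in-flight commands */
    int deleted;  /* interface removed; memory released when refcnt hits 0 */
};

static int g_free_count;    /* number of contexts freed so far */
static int g_use_refcount;  /* 0 = buggy immediate free, 1 = deferred free */

static struct drv_ctx *drv_alloc(const char *ifname)
{
    struct drv_ctx *drv = calloc(1, sizeof(*drv));
    if (!drv)
        return NULL;
    snprintf(drv->ifname, sizeof(drv->ifname), "%s", ifname);
    drv->refcnt = 1;  /* owned by the interface list */
    return drv;
}

static void drv_get(struct drv_ctx *drv) { drv->refcnt++; }

static void drv_put(struct drv_ctx *drv)
{
    if (--drv->refcnt == 0) {
        g_free_count++;
        free(drv);
    }
}

/* What a deauth handler ends up doing: remove the interface. */
static void remove_iface(struct drv_ctx *drv)
{
    drv->deleted = 1;
    if (g_use_refcount) {
        drv_put(drv);      /* drop the list's reference only; a caller above us may still hold one */
    } else {
        g_free_count++;    /* buggy: free unconditionally, ignoring callers above us */
        free(drv);
    }
}

/* Constructed event: a deauth for this interface arrives while a command
 * on the same interface is still outstanding. */
static void dispatch_events(struct drv_ctx *drv)
{
    remove_iface(drv);
}

/* Synchronous command that drains events while waiting for its reply.
 * Returns how many contexts were freed underneath it (0 is the safe value). */
static int send_cmd(struct drv_ctx *drv)
{
    int before = g_free_count;
    int freed_underneath;

    if (g_use_refcount)
        drv_get(drv);              /* pin drv for the duration of the command */
    dispatch_events(drv);          /* nested event processing happens here */
    freed_underneath = g_free_count - before;
    if (g_use_refcount) {
        /* Safe: our reference keeps drv valid past the nested dispatch. */
        printf("%s: command done, deleted=%d\n", drv->ifname, drv->deleted);
        drv_put(drv);              /* deferred free happens here, after use */
    }
    /* Buggy variant: any drv-> access at this point is the heap-use-after-free. */
    return freed_underneath;
}

/* Run one scenario; returns the number of contexts freed under the command. */
int run_scenario(int use_refcount)
{
    struct drv_ctx *drv;

    g_free_count = 0;
    g_use_refcount = use_refcount;
    drv = drv_alloc("p2p-wlan0-0");  /* constructed interface name */
    if (!drv)
        return -1;
    return send_cmd(drv);
}

/* Total frees observed in the last scenario (the context is freed exactly once either way). */
int frees_after_scenario(void) { return g_free_count; }

int main(void)
{
    printf("buggy:    freed underneath command = %d\n", run_scenario(0));
    printf("refcount: freed underneath command = %d\n", run_scenario(1));
    return 0;
}
```

Reference counting is only one way to make the lifetime explicit; marking the context for deletion and releasing it after the outermost dispatch returns, or refusing to process events for an interface whose removal has begun, achieve the same invariant. The point the model makes is the invariant itself: whichever socket the events arrive on, nothing may release the driver context while a command frame above the event dispatch still holds a pointer to it.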

