Re: use after free in p2p code


 



On Tue, Jan 07, 2020 at 09:01:57AM +0100, Markus Theil wrote:
> While running the hwsim test suite with address sanitizer and undefined
> behavior sanitizer enabled, I got the following output from the p2p code. It
> seems unrelated to my current work on nl80211 control port rx.
> 
> I saw it in autogo_pbc and it is reproducible for me, if I run:
> 
> ./run-tests.py autogo_2cli autogo_pbc

Can you reproduce this with an unmodified hostap.git snapshot? Which
compiler version and which sanitizer parameters are you using with the
compiler and linker? Could you please also send me a wpa_supplicant debug
log from such a case?

I was unable to reproduce this at least with a minimal
-fsanitize=address,undefined check using that test case sequence.

> ==53565==ERROR: AddressSanitizer: heap-use-after-free on address
>     #0 0x5651c04b7bec in wpa_driver_nl80211_mlme
> ../src/drivers/driver_nl80211.c:3339

This is the struct wpa_driver_nl80211_data instance for the group
interface.

> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:3821
>     #5 0x5651bff5a86c in wpas_p2p_group_delete

And this code path should not be hit if the interface had already been
removed.

>     #9 0x5651c0344e35 in wpa_supplicant_ctrl_iface_flush
> /home/mtheil/Code/hostap/wpa_supplicant/ctrl_iface.c:8045

This is from the FLUSH command that is issued at the end of each test
case.

> freed by thread T0 here:
>     #2 0x5651c04c08e8 in wpa_driver_nl80211_deinit
> ../src/drivers/driver_nl80211.c:2888

> /home/mtheil/Code/hostap/wpa_supplicant/wpa_supplicant.c:6618
>     #7 0x5651bff5b0b5 in wpas_p2p_group_delete
> /home/mtheil/Code/hostap/wpa_supplicant/p2p_supplicant.c:957
>     #8 0x5651bff8260b in wpas_p2p_deauth_notif

And this is where the group interface was first removed based on
disconnection notification from the GO.

In other words, that wpas_p2p_group_delete() operation from FLUSH should
not really have happened after this.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
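
Added example, not part of the original message and not hostap code: a small triage helper that splits an AddressSanitizer report into its access and free stacks and lists the functions present in both, which is the comparison the reply above makes by hand. The sample report is constructed from only the frames quoted in the message, with the fault address left as a placeholder; `parse_asan` and `shared_frames` are hypothetical names.

```python
import re

# One stack frame, e.g. "    #7 0x5651bff5b0b5 in wpas_p2p_group_delete"
FRAME = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)")
ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+)")
# Headers that introduce the later stacks of a heap-use-after-free report
SECTIONS = (("freed by thread", "free"),
            ("previously allocated by thread", "alloc"))


def parse_asan(report):
    """Return (error kind, {section: [function, ...]}) for one ASan report."""
    kind, current = None, "access"
    stacks = {"access": [], "free": [], "alloc": []}
    for raw in report.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted reports
        m = ERROR.search(line)
        if m:
            kind, current = m.group(1), "access"
            continue
        for header, name in SECTIONS:
            if line.startswith(header):
                current = name
        m = FRAME.search(line)
        if m:
            stacks[current].append(m.group(2))
    return kind, stacks


def shared_frames(stacks):
    """Functions on both the access and the free stack, in access order."""
    freed = set(stacks["free"])
    return [f for f in stacks["access"] if f in freed]


# Constructed sample: only the frames quoted in the message above; the
# fault address is a placeholder and the real report has more frames.
SAMPLE = """\
==53565==ERROR: AddressSanitizer: heap-use-after-free on address <elided>
    #0 0x5651c04b7bec in wpa_driver_nl80211_mlme ../src/drivers/driver_nl80211.c:3339
    #5 0x5651bff5a86c in wpas_p2p_group_delete
    #9 0x5651c0344e35 in wpa_supplicant_ctrl_iface_flush
freed by thread T0 here:
    #2 0x5651c04c08e8 in wpa_driver_nl80211_deinit ../src/drivers/driver_nl80211.c:2888
    #7 0x5651bff5b0b5 in wpas_p2p_group_delete
    #8 0x5651bff8260b in wpas_p2p_deauth_notif
"""

if __name__ == "__main__":
    kind, stacks = parse_asan(SAMPLE)
    print(kind, "shared:", shared_frames(stacks))
```

A function reported on both stacks is where to start checking why a second teardown could still reach an object the first one released.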



