Hi,

I encountered the following bug when fiddling around with DFS in wpa_supplicant mesh mode. In some error cases, the hostapd code used by wpa_supplicant de-initializes the nl80211 driver under Linux without wpa_supplicant noticing it. This leads to use-after-free bugs. I attached the address sanitizer log below.

In this case, I have two mesh stations connected to each other on a DFS channel and then trigger the ath10k DFS test (echo 1 > /sys/kernel/debug/ieee80211/phy0/ath10k/dfs_simulate_radar).

Regards,
Markus

=================================================================
==426==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000000f0 at pc 0x558fd33cf747 bp 0x7ffcd6288060 sp 0x7ffcd6288050
READ of size 8 at 0x6130000000f0 thread T0
    #0 0x558fd33cf746 in nl80211_get_ifindex ../src/drivers/driver_nl80211.c:941
    #1 0x558fd33ae447 in wpa_supplicant_event_global /home/mtheil/hostap/wpa_supplicant/events.c:5420
    #2 0x558fd340ae34 in wpa_driver_nl80211_event_newlink ../src/drivers/driver_nl80211.c:996
    #3 0x558fd340ae34 in wpa_driver_nl80211_event_rtm_newlink ../src/drivers/driver_nl80211.c:1281
    #4 0x558fd3433955 in netlink_receive_link ../src/drivers/netlink.c:30
    #5 0x558fd3433d4d in netlink_receive ../src/drivers/netlink.c:61
    #6 0x558fd2d43281 in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #7 0x558fd2d461d8 in eloop_run ../src/utils/eloop.c:1228
    #8 0x558fd336c05f in wpa_supplicant_run /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:7043
    #9 0x558fd33ceadf in main /home/mtheil/hostap/wpa_supplicant/main.c:392
    #10 0x7f9376bf4001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)
    #11 0x558fd2cf682d in _start (/root/wpa_supp/wpa_supplicant+0x95782d)

0x6130000000f0 is located 176 bytes inside of 336-byte region [0x613000000040,0x613000000190)
freed by thread T0 here:
    #0 0x7f9377d0a0e9 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x558fd2d3eb1a in os_free ../src/utils/os_unix.c:773
    #2 0x558fd3405387 in wpa_driver_nl80211_deinit ../src/drivers/driver_nl80211.c:2980
    #3 0x558fd34053b0 in i802_deinit ../src/drivers/driver_nl80211.c:7464
    #4 0x558fd30af39e in hostapd_deinit_driver ../src/ap/hostapd.c:2673
    #5 0x558fd30c5bcd in hostapd_disable_iface ../src/ap/hostapd.c:2780
    #6 0x558fd31a2073 in hostapd_dfs_start_channel_switch ../src/ap/dfs.c:1139
    #7 0x558fd31a440b in hostapd_dfs_radar_detected ../src/ap/dfs.c:1181
    #8 0x558fd30ad3bf in wpas_ap_event_dfs_radar_detected /home/mtheil/hostap/wpa_supplicant/ap.c:1661
    #9 0x558fd33a9b35 in wpa_supplicant_event /home/mtheil/hostap/wpa_supplicant/events.c:4935
    #10 0x558fd342884f in nl80211_radar_event ../src/drivers/driver_nl80211_event.c:1667
    #11 0x558fd342884f in do_process_drv_event ../src/drivers/driver_nl80211_event.c:2777
    #12 0x558fd342884f in process_global_event ../src/drivers/driver_nl80211_event.c:2850
    #13 0x7f9377c1c510 in nl_recvmsgs_report (/usr/lib/libnl-3.so.200+0x13510)

previously allocated by thread T0 here:
    #0 0x7f9377d0a459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x558fd2d3d8d0 in os_malloc ../src/utils/os_unix.c:715
    #2 0x558fd2d3ef2c in os_zalloc ../src/utils/os_unix.c:779
    #3 0x558fd3406ba5 in wpa_driver_nl80211_drv_init ../src/drivers/driver_nl80211.c:2156
    #4 0x558fd3408035 in wpa_driver_nl80211_init ../src/drivers/driver_nl80211.c:2228
    #5 0x558fd338040d in wpa_drv_init /home/mtheil/hostap/wpa_supplicant/driver_i.h:19
    #6 0x558fd338040d in wpas_init_driver /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6042
    #7 0x558fd338040d in wpa_supplicant_init_iface /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6218
    #8 0x558fd338040d in wpa_supplicant_add_iface /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6680
    #9 0x558fd33cebc8 in main /home/mtheil/hostap/wpa_supplicant/main.c:379
    #10 0x7f9376bf4001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/drivers/driver_nl80211.c:941 in nl80211_get_ifindex
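The ownership problem behind the report, as an added example that is not hostap code: a constructed C model in which one component (the AP/DFS teardown path) frees a per-interface driver context while another (the global netlink event handler) still resolves interfaces through a shared list. The names drv_init, drv_deinit, drv_for_ifindex and handle_newlink are hypothetical, and the fix pattern shown (unlink from every shared structure before freeing, and look the context up by ifindex instead of caching the pointer) is a general defensive pattern, not the project's actual fix.

```c
#include <stdlib.h>

/* Constructed model (not hostap code): a driver context that one
 * component frees while another still reaches it via a shared list. */
struct drv_ctx {
    int ifindex;
    struct drv_ctx *next;   /* link in the global driver list */
};
static struct drv_ctx *global_drivers;  /* walked by the event side */

struct drv_ctx *drv_init(int ifindex)
{
    struct drv_ctx *drv = calloc(1, sizeof(*drv));
    if (!drv)
        return NULL;
    drv->ifindex = ifindex;
    drv->next = global_drivers;
    global_drivers = drv;   /* visible to events from here on */
    return drv;
}

/* Hardened teardown: unlink from every shared structure before freeing,
 * so no later event can dereference the freed context. */
void drv_deinit(struct drv_ctx *drv)
{
    struct drv_ctx **pp;
    for (pp = &global_drivers; *pp; pp = &(*pp)->next)
        if (*pp == drv) {
            *pp = drv->next;
            break;
        }
    free(drv);   /* free(NULL) is a no-op, so an unknown ctx is harmless */
}

/* Event side resolves ifindex through the list, never a cached pointer,
 * so after deinit it gets NULL instead of a dangling context. */
struct drv_ctx *drv_for_ifindex(int ifindex)
{
    struct drv_ctx *d;
    for (d = global_drivers; d; d = d->next)
        if (d->ifindex == ifindex)
            return d;
    return NULL;
}

/* Simulated RTM_NEWLINK handling: 1 = live driver matched, 0 = ignored. */
int handle_newlink(int ifindex)
{
    return drv_for_ifindex(ifindex) != NULL;
}
```

Tearing down one interface's context the way the radar path does in the trace leaves the other interface's events working and turns a would-be dangling dereference into a safely ignored event.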