On 6/10/20 12:22 PM, Markus Theil wrote:
> Hi,
>
> I encountered the following bug, when fiddling around with DFS in
> wpa_supplicant mesh mode.
>
> In some error cases, the hostapd code used by wpa_supplicant
> de-initializes the nl80211 driver under Linux without wpa_supplicant
> noticing it. This leads to use-after-free bugs. I attached the address
> sanitizer log below. In this case, I have two mesh stations connected to
> each other on a DFS channel and then trigger the ath10k DFS test
> (echo 1 > /sys/kernel/debug/ieee80211/phy0/ath10k/dfs_simulate_radar).
>

I re-ran my test with a clean checkout of upstream code
(621745917f66932210e878dc674635800e47d680) in AP mode.

The wpa_supplicant config was:

country=DE
network={
    ssid="test"
    mode=2
    key_mgmt=WPA-PSK
    psk="test1234"
    frequency=5500
}

As of dfs.c 1045+

	/*
	 * Allow selection of DFS channel in ETSI to comply with
	 * uniform spreading.
	 */
	if (iface->dfs_domain == HOSTAPD_DFS_REGION_ETSI)
		skip_radar = 0;

Radar channels are also chosen in ETSI region on a radar event. Mostly after 1 or 2 triggers a DFS channel, which needs CAC, was chosen as target for the channel switch and a similar address sanitizer output happens in AP mode.
In this case, channel 136 got chosen as target for channel switch, below are some lines of the log:

Selected channel 5680 (136)
DFS: got random channel 5680 (136)
DFS will switch to a new channel 136
wlp4s0: DFS-NEW-CHANNEL freq=5680 chan=136 sec_chan=0
WPS: Building WPS IE for (Re)Association Response
WPS: * Version (hardcoded 0x10)
WPS: * Response Type (3)
WPS: * Version2 (0x20)
WPS: Building WPS IE for (Re)Association Response
WPS: * Version (hardcoded 0x10)
WPS: * Response Type (3)
WPS: * Version2 (0x20)
nl80211: Channel switch request (cs_count=5 block_tx=1 freq=5680 width=20 cf1=5680 cf2=0)
  * freq=5680
  * he_enabled=0
  * vht_enabled=0
  * ht_enabled=1
  * sec_channel_offset=0
  * channel_type=1
nl80211: switch_channel failed err=-22 (Invalid argument)
DFS failed to schedule CSA (-22) - trying fallback
wlp4s0: AP-DISABLED
...
nl80211: Set mode ifindex 7 iftype 2 (STATION)
nl80211: Teardown AP(wlp4s0) - device_ap_sme=0 use_monitor=0
nl80211: Unsubscribe mgmt frames handle 0x8888e8e8888887a9 (AP teardown)
hostapd_deinit_driver:bss[0]->drv_priv=0x6130000000f0
hostapd_cleanup_iface_partial(0x61e000004930)
Interface wlp4s0 disabled
wlp4s0: interface state ENABLED->DISABLED
Enable interface wlp4s0
RTM_NEWLINK: ifi_index=7 ifname=wlp4s0 operstate=2 linkmode=1 ifi_family=0 ifi_flags=0x1003 ([UP])

Then after interface re-enable the crash happens, as the nl80211 driver handle as wpa_supplicant knows it was freed on interface disable by hostapd code, without wpa_supplicant noticing. Below I attached the ASAN output.
=================================================================
==433==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000000f0 at pc 0x5611ac6ce214 bp 0x7ffd84e187e0 sp 0x7ffd84e187d0
READ of size 8 at 0x6130000000f0 thread T0
    #0 0x5611ac6ce213 in nl80211_get_ifindex ../src/drivers/driver_nl80211.c:941
    #1 0x5611ac6acf2c in wpa_supplicant_event_global /home/mtheil/hostap/wpa_supplicant/events.c:5420
    #2 0x5611ac7098dd in wpa_driver_nl80211_event_newlink ../src/drivers/driver_nl80211.c:996
    #3 0x5611ac7098dd in wpa_driver_nl80211_event_rtm_newlink ../src/drivers/driver_nl80211.c:1281
    #4 0x5611ac732376 in netlink_receive_link ../src/drivers/netlink.c:30
    #5 0x5611ac73276e in netlink_receive ../src/drivers/netlink.c:61
    #6 0x5611ac042281 in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #7 0x5611ac0451d8 in eloop_run ../src/utils/eloop.c:1228
    #8 0x5611ac66ab44 in wpa_supplicant_run /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:7043
    #9 0x5611ac6cd5c4 in main /home/mtheil/hostap/wpa_supplicant/main.c:392
    #10 0x7f75c52bb001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)
    #11 0x5611abff582d in _start (/root/wpa_supp/wpa_supplicant+0x95882d)

0x6130000000f0 is located 176 bytes inside of 336-byte region [0x613000000040,0x613000000190)
freed by thread T0 here:
    #0 0x7f75c63d10e9 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x5611ac03db1a in os_free ../src/utils/os_unix.c:773
    #2 0x5611ac703e30 in wpa_driver_nl80211_deinit ../src/drivers/driver_nl80211.c:2980
    #3 0x5611ac703e59 in i802_deinit ../src/drivers/driver_nl80211.c:7464
    #4 0x5611ac3ae889 in hostapd_deinit_driver ../src/ap/hostapd.c:2673
    #5 0x5611ac3c507a in hostapd_disable_iface ../src/ap/hostapd.c:2780
    #6 0x5611ac4a0bc2 in hostapd_dfs_start_channel_switch ../src/ap/dfs.c:1139
    #7 0x5611ac4a2f5a in hostapd_dfs_radar_detected ../src/ap/dfs.c:1181
    #8 0x5611ac3ac8aa in wpas_ap_event_dfs_radar_detected /home/mtheil/hostap/wpa_supplicant/ap.c:1661
    #9 0x5611ac6a861a in wpa_supplicant_event /home/mtheil/hostap/wpa_supplicant/events.c:4935
    #10 0x5611ac7272ae in nl80211_radar_event ../src/drivers/driver_nl80211_event.c:1667
    #11 0x5611ac7272ae in do_process_drv_event ../src/drivers/driver_nl80211_event.c:2777
    #12 0x5611ac7272ae in process_global_event ../src/drivers/driver_nl80211_event.c:2850
    #13 0x7f75c62e3510 in nl_recvmsgs_report (/usr/lib/libnl-3.so.200+0x13510)

previously allocated by thread T0 here:
    #0 0x7f75c63d1459 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5611ac03c8d0 in os_malloc ../src/utils/os_unix.c:715
    #2 0x5611ac03df2c in os_zalloc ../src/utils/os_unix.c:779
    #3 0x5611ac70564e in wpa_driver_nl80211_drv_init ../src/drivers/driver_nl80211.c:2156
    #4 0x5611ac706ade in wpa_driver_nl80211_init ../src/drivers/driver_nl80211.c:2228
    #5 0x5611ac67eef2 in wpa_drv_init /home/mtheil/hostap/wpa_supplicant/driver_i.h:19
    #6 0x5611ac67eef2 in wpas_init_driver /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6042
    #7 0x5611ac67eef2 in wpa_supplicant_init_iface /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6218
    #8 0x5611ac67eef2 in wpa_supplicant_add_iface /home/mtheil/hostap/wpa_supplicant/wpa_supplicant.c:6680
    #9 0x5611ac6cd6ad in main /home/mtheil/hostap/wpa_supplicant/main.c:379
    #10 0x7f75c52bb001 in __libc_start_main (/usr/lib/libc.so.6+0x27001)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/drivers/driver_nl80211.c:941 in nl80211_get_ifindex
Shadow bytes around the buggy address:
  0x0c267fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c267fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c267fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c267fff8030: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c267fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c267fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==433==ABORTING

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
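As an added illustration of the ownership problem the two stack traces show (a handle allocated by wpa_supplicant's driver init and freed from hostapd's disable path), the following constructed C model is not hostap's code and not part of the report: the AP-side teardown frees a driver handle only when it owns it, and the netlink event path checks for a missing handle before use. All struct and function names are hypothetical.

```c
#include <stdlib.h>

/* Constructed model (not hostap's code) of the ownership problem in the
 * report: the nl80211 driver handle is created by wpa_supplicant and only
 * borrowed by the hostapd AP code path. All names are hypothetical. */
struct drv_handle { int ifindex; int owned_by_supplicant; };
struct supplicant { struct drv_handle *drv; };
struct ap_iface   { struct drv_handle *drv_priv; };

static struct drv_handle *drv_init(int ifindex, int owned_by_supplicant)
{
    struct drv_handle *d = calloc(1, sizeof(*d));
    if (d) {
        d->ifindex = ifindex;
        d->owned_by_supplicant = owned_by_supplicant;
    }
    return d;
}

/* AP-side teardown (hostapd_disable_iface analogue), hardened: free the
 * handle only when the AP code owns it (standalone hostapd), otherwise just
 * drop the borrowed reference so the owner's pointer stays valid. */
static void ap_disable_iface(struct ap_iface *ap)
{
    if (ap->drv_priv && !ap->drv_priv->owned_by_supplicant)
        free(ap->drv_priv);
    ap->drv_priv = NULL;
}

/* RTM_NEWLINK handler analogue: refuse to touch a handle that is gone
 * instead of dereferencing whatever pointer was left behind. */
static int supplicant_event_newlink(struct supplicant *s)
{
    if (!s->drv)
        return -1;                    /* driver gone: ignore the event */
    return s->drv->ifindex;           /* nl80211_get_ifindex() analogue */
}

/* Scenario from the report: AP brought up on the supplicant's handle, the
 * DFS CSA fallback disables the interface, then a netlink event arrives. */
static int run_dfs_fallback_scenario(void)
{
    struct supplicant s = { drv_init(7, 1) };
    struct ap_iface ap = { s.drv };
    ap_disable_iface(&ap);            /* AP-DISABLED; handle survives */
    int ifindex = supplicant_event_newlink(&s);
    free(s.drv);                      /* only the owner frees, at its deinit */
    s.drv = NULL;
    return ifindex;
}
```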