2022-07-13 11:11:18

by Johan Henning

Subject: [r8188eu driver] Kernel crash report

Hello, I found a bug after using the WiFi fuzzer Owfuzz on the TL-WN722N Wireless WiFi USB adapter, which has a default driver in the Ubuntu kernel called r8188eu.

The stack trace from the crash is posted at the end of the email.

The bug itself was caused by 2 different WiFi frames: first sending a deauthentication frame and at the same time sending a much larger frame. After doing some debugging, the cause of the CPU lockup was found to be that while rtw_get_sec_ie attempts to read the beacon frame sent by the router/AP, the size of the beacon is changed, since it is a reference and not a copy. Because the "rogue" beacon frame was very large, which isn't normal and was not considered in the design, the computer was stuck in an endless CPU lockup.

Function in question: https://github.com/torvalds/linux/blob/master/drivers/staging/r8188eu/core/rtw_ieee80211.c#L468

The WPA2 option was used. Otherwise, the driver would not enter the function which caused the issue.

"in_ie[cnt + 1] + 2" is the value which, as a result of the two frames being sent, was much larger than originally observed while debugging the function.

On a side note, a similar bug/crash was also found in the standalone driver for rtl8188eu chipset adapters, in the same function: https://github.com/lwfinger/rtl8188eu/blob/master/core/rtw_ieee80211.c#L658

Stack trace from syslog before computer was unusable:

Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743832] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [wpa_supplicant:847]
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743849] Modules linked in: btrfs blake2b_generic xor zstd_compress raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c cpuid nfnetlink_queue nfnetlink_log nfnetlink bluetooth ecdh_generic ecc uas usb_storage nls_iso8859_1 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio uvcvideo videobuf2_vmalloc x86_pkg_temp_thermal videobuf2_memops snd_hda_codec_hdmi snd_hda_intel r8188eu(C) videobuf2_v4l2 intel_powerclamp coretemp kvm_intel kvm snd_intel_dspcfg snd_intel_sdw_acpi lib80211 crct10dif_pclmul ghash_clmulni_intel videobuf2_common videodev mc snd_hda_codec snd_hda_core cfg80211 snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event intel_rapl_msr ak8975 aesni_intel mei_hdcp snd_rawmidi joydev input_leds serio_raw i915 snd_seq crypto_simd cryptd drm_kms_helper rapl snd_seq_device snd_timer intel_cstate cec at24 hid_multitouch inv_mpu6050_i2c inv_mpu6050 efi_pstore snd asus_nb_wmi acpi_als i2c_mux rc_core industrialio_triggered_buffer kfifo_buf mei_me mei industrialio
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743992] i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore processor_thermal_device processor_thermal_rfim processor_thermal_mbox processor_thermal_rapl intel_rapl_common soc_button_array int340x_thermal_zone intel_soc_dts_iosf mac_hid int3400_thermal acpi_thermal_rel dell_smo8800 asus_wireless sch_fq_codel ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp parport drm ip_tables x_tables autofs4 hid_generic usbhid hid mfd_aaeon asus_wmi sparse_keymap crc32_pclmul i2c_i801 ahci lpc_ich psmouse libahci xhci_pci i2c_smbus xhci_pci_renesas wmi video pinctrl_lynxpoint
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744071] CPU: 2 PID: 847 Comm: wpa_supplicant Tainted: G C 5.13.0-40-generic #45~20.04.1-Ubuntu
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744078] Hardware name: ASUSTeK COMPUTER INC. TP300LA/TP300LA, BIOS TP300LA.202 05/14/2014
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744081] RIP: 0010:rtw_get_sec_ie+0x1e1/0x270 [r8188eu]
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744126] Code: e7 f8 49 89 02 89 d0 49 8b 4c 04 f8 49 89 4c 02 f8 4c 89 d1 48 29 f9 48 29 ce 01 d1 c1 e9 03 f3 48 a5 45 31 e4 45 31 c0 eb 19 <0f> b6 03 41 83 c4 08 45 0f b6 c4 89 c2 83 c0 02 41 39 c0 0f 8d f2
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744131] RSP: 0018:ffffb18540953918 EFLAGS: 00000297
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744137] RAX: 0000000000000101 RBX: ffffb18541d80cdb RCX: 0000000000000000
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744140] RDX: 00000000000000ff RSI: ffffb18541d80dd9 RDI: ffffb18540953c30
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744144] RBP: ffffb18540953978 R08: 00000000000000c0 R09: ffffb185409539ce
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744147] R10: ffffb18540953b31 R11: ffffb18540953a32 R12: 000000000f99e7c0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744151] R13: ffffb18541d80cbc R14: 0000000000000020 R15: 000000000000011f
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744154] FS: 00007f461d865140(0000) GS:ffff948a96f00000(0000) knlGS:0000000000000000
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744159] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744163] CR2: 00007fb8c636f028 CR3: 000000010c6e4003 CR4: 00000000001706e0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744167] Call Trace:
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744170] <TASK>
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744173] ? scnprintf+0x4d/0x90
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744187] translate_scan+0x43d/0xa90 [r8188eu]
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744236] ? poll_select_finish+0x220/0x220
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744248] ? copyout+0x20/0x30
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744256] ? _copy_to_iter+0xb3/0x7b0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744269] rtw_wx_get_scan+0xef/0x170 [r8188eu]
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744314] ioctl_standard_iw_point+0xf8/0x3a0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744322] ? translate_scan+0xa90/0xa90 [r8188eu]
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744364] ? __mod_memcg_lruvec_state+0x22/0xe0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744371] ? unix_ioctl+0x9c/0x180
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744378] ioctl_standard_call+0x8b/0x100
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744383] ? netdev_name_node_lookup+0x69/0x80
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744392] ? iw_handler_get_private+0x60/0x60
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744398] ? ioctl_standard_iw_point+0x3a0/0x3a0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744404] wireless_process_ioctl+0x133/0x190
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744409] wext_handle_ioctl+0x9e/0x100
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744416] sock_ioctl+0x212/0x330
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744426] ? syscall_exit_to_user_mode+0x27/0x50
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744435] __x64_sys_ioctl+0x91/0xc0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744444] do_syscall_64+0x61/0xb0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744449] ? do_syscall_64+0x6e/0xb0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744453] ? syscall_exit_to_user_mode+0x27/0x50
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744460] ? __x64_sys_select+0x25/0x30
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744468] ? do_syscall_64+0x6e/0xb0
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744472] ? sysvec_apic_timer_interrupt+0x4e/0x90
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744478] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744488] entry_SYSCALL_64_after_hwframe+0x44/0xae
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744496] RIP: 0033:0x7f461dbe53db
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744501] Code: 0f 1e fa 48 8b 05 b5 7a 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 7a 0d 00 f7 d8 64 89 01 48
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744506] RSP: 002b:00007fff39df6988 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744512] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f461dbe53db
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744516] RDX: 00007fff39df69e0 RSI: 0000000000008b19 RDI: 0000000000000009
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744519] RBP: 000055aa8f20d0c0 R08: 000055aa8f20d0c0 R09: 000055aa8f220c00
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744522] R10: 000055aa8f1cf010 R11: 0000000000000246 R12: 0000000000001000
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744525] R13: 00007fff39df69e0 R14: 000055aa8f2249a0 R15: 0000000000000010
Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744532] </TASK>
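One way to make the information-element walk robust to a rogue length byte, as an added example that is not code from the r8188eu driver, the lwfinger repository or the report above: it keeps the shape of the loop the report names (advance by `in_ie[cnt + 1] + 2`) but treats `in_len` as a by-value snapshot and validates every advance and every copy against it before touching memory. The beacon bytes are constructed for the example; the element IDs, the 12-byte fixed header and the WPA OUI follow the 802.11 beacon layout. Note the arithmetic that motivates the destination check: a length byte of 0xff makes the element 0x101 = 257 bytes including its 2-byte header, which is more than a 255-byte buffer can hold.

```c
/*
 * Added example (not code from r8188eu, the lwfinger driver, or the report):
 * a bounds-checked 802.11 information-element walker with the same shape as
 * the loop the report names, cnt += in_ie[cnt + 1] + 2, but every advance and
 * every copy is validated first. The beacon bytes below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WLAN_EID_RSN     48   /* the driver's _WPA2_IE_ID_ */
#define WLAN_EID_VENDOR  221  /* the driver's _WPA_IE_ID_ */
#define BEACON_FIXED_LEN 12   /* timestamp(8) + interval(2) + capability(2) */

enum { IE_TRUNCATED = -1, IE_TOO_LONG = -2 };

static const uint8_t wpa_oui[4] = { 0x00, 0x50, 0xf2, 0x01 };

/*
 * Copy the RSN and WPA IEs out of a beacon body of in_len bytes.
 * Returns the total bytes copied, IE_TRUNCATED if an element's length byte
 * claims more bytes than remain in the buffer, or IE_TOO_LONG if the element
 * would not fit its destination. in_len is a by-value snapshot: if the source
 * buffer can be rewritten concurrently, the caller must copy or lock it first.
 */
int ie_walk_sec(const uint8_t *in_ie, size_t in_len,
                uint8_t *rsn_ie, size_t rsn_cap, size_t *rsn_len,
                uint8_t *wpa_ie, size_t wpa_cap, size_t *wpa_len)
{
    size_t cnt = BEACON_FIXED_LEN;

    *rsn_len = *wpa_len = 0;
    if (in_len < BEACON_FIXED_LEN)
        return IE_TRUNCATED;

    /* Only read the 2-byte header (ID, len) when both bytes are in bounds. */
    while (in_len - cnt >= 2) {
        uint8_t id   = in_ie[cnt];
        size_t  elen = (size_t)in_ie[cnt + 1] + 2;   /* element incl. header */

        if (elen > in_len - cnt)        /* length byte overruns the buffer */
            return IE_TRUNCATED;

        if (id == WLAN_EID_RSN) {
            if (elen > rsn_cap)
                return IE_TOO_LONG;
            memcpy(rsn_ie, &in_ie[cnt], elen);
            *rsn_len = elen;
        } else if (id == WLAN_EID_VENDOR && elen >= 6 &&
                   !memcmp(&in_ie[cnt + 2], wpa_oui, sizeof wpa_oui)) {
            if (elen > wpa_cap)
                return IE_TOO_LONG;
            memcpy(wpa_ie, &in_ie[cnt], elen);
            *wpa_len = elen;
        }
        cnt += elen;                    /* advance by a validated amount */
    }
    /* A lone trailing ID byte with no length byte is malformed too. */
    return cnt == in_len ? (int)(*rsn_len + *wpa_len) : IE_TRUNCATED;
}

/* Constructed beacon body: SSID "test", RSN (WPA2-PSK/CCMP), vendor WPA IE. */
static const uint8_t good_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04,                /* fixed fields */
    0x00,0x04,'t','e','s','t',                            /* SSID */
    0x30,0x14, 0x01,0x00, 0x00,0x0f,0xac,0x04, 0x01,0x00, /* RSN, 22 bytes */
    0x00,0x0f,0xac,0x04, 0x01,0x00, 0x00,0x0f,0xac,0x02, 0x00,0x00,
    0xdd,0x16, 0x00,0x50,0xf2,0x01, 0x01,0x00,            /* WPA, 24 bytes */
    0x00,0x50,0xf2,0x02, 0x01,0x00, 0x00,0x50,0xf2,0x02,
    0x01,0x00, 0x00,0x50,0xf2,0x02,
};

/* Constructed rogue beacon: RSN length byte 0xff with only 4 payload bytes. */
static const uint8_t rogue_beacon[] = {
    0,0,0,0,0,0,0,0, 0x64,0x00, 0x11,0x04,
    0x00,0x04,'t','e','s','t',
    0x30,0xff, 0x01,0x00,0x00,0x0f,
};

/* Run the walker with 255-byte destinations, as translate_scan-sized buffers. */
static int walk(const uint8_t *b, size_t n, size_t rsn_cap)
{
    uint8_t rsn[255], wpa[255];
    size_t rsn_len, wpa_len;
    return ie_walk_sec(b, n, rsn, rsn_cap, &rsn_len, wpa, sizeof wpa, &wpa_len);
}

int demo_well_formed(void)  { return walk(good_beacon, sizeof good_beacon, 255); }
int demo_rogue_length(void) { return walk(rogue_beacon, sizeof rogue_beacon, 255); }
int demo_small_dest(void)   { return walk(good_beacon, sizeof good_beacon, 16); }

int main(void)
{
    printf("well-formed: %d bytes of security IEs\n", demo_well_formed());
    printf("rogue length byte: %d (IE_TRUNCATED)\n", demo_rogue_length());
    printf("16-byte destination: %d (IE_TOO_LONG)\n", demo_small_dest());
    return 0;
}
```

The walker only ever reads `in_ie[cnt + 1]` after proving both header bytes are inside `in_len`, and it never advances `cnt` by a value it has not checked against the remaining length, so a single oversized length byte ends the walk with an error instead of driving the cursor past the buffer. What it cannot do on its own is defend against the source buffer being rewritten while it runs, which is the scenario the report describes; that needs the caller to hand it a private copy or hold the lock that protects the scan result for the duration of the parse.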


2022-07-16 19:11:33

by Larry Finger

Subject: Re: [r8188eu driver] Kernel crash report

On 7/13/22 06:09, Johan Henning wrote:
> Hello, I found a bug after using the WiFi fuzzer Owfuzz on the TL-WN722N Wireless WiFi USB adapter, which has a default driver in the Ubuntu kernel called r8188eu.
>
> The stack trace from the crash is posted at the end of the email.
>
> The bug itself was caused by 2 different WiFi frames: first sending a deauthentication frame and at the same time sending a much larger frame. After doing some debugging, the cause of the CPU lockup was found to be that while rtw_get_sec_ie attempts to read the beacon frame sent by the router/AP, the size of the beacon is changed, since it is a reference and not a copy. Because the "rogue" beacon frame was very large, which isn't normal and was not considered in the design, the computer was stuck in an endless CPU lockup.
>
> Function in question: https://github.com/torvalds/linux/blob/master/drivers/staging/r8188eu/core/rtw_ieee80211.c#L468
>
> The WPA2 option was used. Otherwise, the driver would not enter the function which caused the issue.
>
> "in_ie[cnt + 1] + 2" is the value which, as a result of the two frames being sent, was much larger than originally observed while debugging the function.
>
> On a side note, a similar bug/crash was also found in the standalone driver for rtl8188eu chipset adapters, in the same function: https://github.com/lwfinger/rtl8188eu/blob/master/core/rtw_ieee80211.c#L658
>
> Stack trace from syslog before computer was unusable:
>
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743832] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [wpa_supplicant:847]
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743849] Modules linked in: btrfs blake2b_generic xor zstd_compress raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs libcrc32c cpuid nfnetlink_queue nfnetlink_log nfnetlink bluetooth ecdh_generic ecc uas usb_storage nls_iso8859_1 snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio uvcvideo videobuf2_vmalloc x86_pkg_temp_thermal videobuf2_memops snd_hda_codec_hdmi snd_hda_intel r8188eu(C) videobuf2_v4l2 intel_powerclamp coretemp kvm_intel kvm snd_intel_dspcfg snd_intel_sdw_acpi lib80211 crct10dif_pclmul ghash_clmulni_intel videobuf2_common videodev mc snd_hda_codec snd_hda_core cfg80211 snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event intel_rapl_msr ak8975 aesni_intel mei_hdcp snd_rawmidi joydev input_leds serio_raw i915 snd_seq crypto_simd cryptd drm_kms_helper rapl snd_seq_device snd_timer intel_cstate cec at24 hid_multitouch inv_mpu6050_i2c inv_mpu6050 efi_pstore snd asus_nb_wmi acpi_als i2c_mux rc_core industrialio_triggered_buffer kfifo_buf mei_me mei industrialio
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.743992] i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore processor_thermal_device processor_thermal_rfim processor_thermal_mbox processor_thermal_rapl intel_rapl_common soc_button_array int340x_thermal_zone intel_soc_dts_iosf mac_hid int3400_thermal acpi_thermal_rel dell_smo8800 asus_wireless sch_fq_codel ipmi_devintf ipmi_msghandler msr parport_pc ppdev lp parport drm ip_tables x_tables autofs4 hid_generic usbhid hid mfd_aaeon asus_wmi sparse_keymap crc32_pclmul i2c_i801 ahci lpc_ich psmouse libahci xhci_pci i2c_smbus xhci_pci_renesas wmi video pinctrl_lynxpoint
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744071] CPU: 2 PID: 847 Comm: wpa_supplicant Tainted: G C 5.13.0-40-generic #45~20.04.1-Ubuntu
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744078] Hardware name: ASUSTeK COMPUTER INC. TP300LA/TP300LA, BIOS TP300LA.202 05/14/2014
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744081] RIP: 0010:rtw_get_sec_ie+0x1e1/0x270 [r8188eu]
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744126] Code: e7 f8 49 89 02 89 d0 49 8b 4c 04 f8 49 89 4c 02 f8 4c 89 d1 48 29 f9 48 29 ce 01 d1 c1 e9 03 f3 48 a5 45 31 e4 45 31 c0 eb 19 <0f> b6 03 41 83 c4 08 45 0f b6 c4 89 c2 83 c0 02 41 39 c0 0f 8d f2
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744131] RSP: 0018:ffffb18540953918 EFLAGS: 00000297
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744137] RAX: 0000000000000101 RBX: ffffb18541d80cdb RCX: 0000000000000000
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744140] RDX: 00000000000000ff RSI: ffffb18541d80dd9 RDI: ffffb18540953c30
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744144] RBP: ffffb18540953978 R08: 00000000000000c0 R09: ffffb185409539ce
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744147] R10: ffffb18540953b31 R11: ffffb18540953a32 R12: 000000000f99e7c0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744151] R13: ffffb18541d80cbc R14: 0000000000000020 R15: 000000000000011f
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744154] FS: 00007f461d865140(0000) GS:ffff948a96f00000(0000) knlGS:0000000000000000
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744159] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744163] CR2: 00007fb8c636f028 CR3: 000000010c6e4003 CR4: 00000000001706e0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744167] Call Trace:
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744170] <TASK>
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744173] ? scnprintf+0x4d/0x90
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744187] translate_scan+0x43d/0xa90 [r8188eu]
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744236] ? poll_select_finish+0x220/0x220
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744248] ? copyout+0x20/0x30
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744256] ? _copy_to_iter+0xb3/0x7b0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744269] rtw_wx_get_scan+0xef/0x170 [r8188eu]
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744314] ioctl_standard_iw_point+0xf8/0x3a0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744322] ? translate_scan+0xa90/0xa90 [r8188eu]
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744364] ? __mod_memcg_lruvec_state+0x22/0xe0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744371] ? unix_ioctl+0x9c/0x180
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744378] ioctl_standard_call+0x8b/0x100
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744383] ? netdev_name_node_lookup+0x69/0x80
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744392] ? iw_handler_get_private+0x60/0x60
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744398] ? ioctl_standard_iw_point+0x3a0/0x3a0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744404] wireless_process_ioctl+0x133/0x190
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744409] wext_handle_ioctl+0x9e/0x100
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744416] sock_ioctl+0x212/0x330
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744426] ? syscall_exit_to_user_mode+0x27/0x50
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744435] __x64_sys_ioctl+0x91/0xc0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744444] do_syscall_64+0x61/0xb0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744449] ? do_syscall_64+0x6e/0xb0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744453] ? syscall_exit_to_user_mode+0x27/0x50
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744460] ? __x64_sys_select+0x25/0x30
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744468] ? do_syscall_64+0x6e/0xb0
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744472] ? sysvec_apic_timer_interrupt+0x4e/0x90
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744478] ? asm_sysvec_apic_timer_interrupt+0xa/0x20
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744488] entry_SYSCALL_64_after_hwframe+0x44/0xae
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744496] RIP: 0033:0x7f461dbe53db
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744501] Code: 0f 1e fa 48 8b 05 b5 7a 0d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 85 7a 0d 00 f7 d8 64 89 01 48
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744506] RSP: 002b:00007fff39df6988 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744512] RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 00007f461dbe53db
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744516] RDX: 00007fff39df69e0 RSI: 0000000000008b19 RDI: 0000000000000009
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744519] RBP: 000055aa8f20d0c0 R08: 000055aa8f20d0c0 R09: 000055aa8f220c00
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744522] R10: 000055aa8f1cf010 R11: 0000000000000246 R12: 0000000000001000
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744525] R13: 00007fff39df69e0 R14: 000055aa8f2249a0 R15: 0000000000000010
> Jun 8 14:54:17 subuntu-TP300LA kernel: [93710.744532] </TASK>

Johan,

I just pushed a trial fix to the master branch of the GitHub repo you reference.
Please try the new code, and report back.

Thanks,

Larry