2024-05-09 00:07:59

by Bagas Sanjaya

Subject: Fwd: UBSAN: array-index-out-of-bounds in net/wireless/nl80211.c and net/mac80211/scan.c

Hi,

Jannik Glückert <[email protected]> reported on Bugzilla an array index
out-of-bounds caught by UBSAN, along with a full kernel trace dump (see
https://bugzilla.kernel.org/show_bug.cgi?id=218810):

> I am seeing multiple array-index-out-of-bounds related to `ieee80211_channel[]` iteration.
>
> This is with a Mediatek MT7921 chipset.
> I have only tested with kernel 6.8.9, but I don't see any channel index related fixes in master.
>
> This was discovered as part of Gentoo Hardened enabling CONFIG_UBSAN_ARRAY_BOUNDS
>
>
> [ 106.194465] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9203:29
> [ 106.195063] index 42 is out of range for type 'struct ieee80211_channel *[]'
> [ 106.195599] CPU: 11 PID: 4166 Comm: wpa_supplicant Not tainted 6.8.9-gentoo-dist-hardened #1
> [ 106.196038] Hardware name: ASUS System Product Name/TUF GAMING B650M-PLUS WIFI, BIOS 2214 01/02/2024
> [ 106.196485] Call Trace:
> [ 106.196913] <TASK>
> [ 106.197439] dump_stack_lvl+0x71/0x90
> [ 106.197899] __ubsan_handle_out_of_bounds+0xed/0x160
> [ 106.198420] nl80211_exit+0x7c3f/0x21f70 [cfg80211]
> [ 106.198917] genl_family_rcv_msg_doit+0xea/0x150
> [ 106.198922] genl_rcv_msg+0x234/0x260
> [ 106.198923] ? nl80211_exit+0x40/0x21f70 [cfg80211]
> [ 106.198930] ? nl80211_exit+0x7290/0x21f70 [cfg80211]
> [ 106.200847] ? nl80211_exit+0x290/0x21f70 [cfg80211]
> [ 106.200854] ? __cfi_genl_rcv_msg+0x10/0x10
> [ 106.200856] netlink_rcv_skb+0xff/0x140
> [ 106.200859] genl_rcv+0x28/0x40
> [ 106.200860] netlink_unicast+0x265/0x390
> [ 106.200862] netlink_sendmsg+0x381/0x440
> [ 106.200865] __sock_sendmsg+0x94/0xb0
> [ 106.200868] ____sys_sendmsg+0x1c3/0x250
> [ 106.200871] ___sys_sendmsg+0x293/0x2d0
> [ 106.200873] ? do_sock_setsockopt+0xf5/0x190
> [ 106.200879] __se_sys_sendmsg+0x102/0x140
> [ 106.200882] do_syscall_64+0x8e/0x170
> [ 106.200884] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.200886] ? do_syscall_64+0x9a/0x170
> [ 106.200889] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.200890] ? do_user_addr_fault+0x506/0x6b0
> [ 106.200892] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.200893] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.200895] entry_SYSCALL_64_after_hwframe+0x78/0x80
> [ 106.200896] RIP: 0033:0x7fe10ad2fde4
> [ 106.200911] Code: 89 02 b8 ff ff ff ff eb af 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 85 e5 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 53 48 83 ec 20 89 54 24 1c 48
> [ 106.200912] RSP: 002b:00007ffe72950598 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> [ 106.200913] RAX: ffffffffffffffda RBX: 000055e0ceb8d180 RCX: 00007fe10ad2fde4
> [ 106.200914] RDX: 0000000000000000 RSI: 00007ffe729505f8 RDI: 0000000000000005
> [ 106.200915] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
> [ 106.200915] R10: 00007ffe72950688 R11: 0000000000000202 R12: 000055e0ceb8d090
> [ 106.200916] R13: 0000000000000000 R14: 000055e0ceb8d180 R15: 00007ffe729505f8
> [ 106.200918] </TASK>
>
>
> [ 106.200924] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9252:5
> [ 106.200926] index 0 is out of range for type 'struct ieee80211_channel *[]'
> [ 106.200926] CPU: 11 PID: 4166 Comm: wpa_supplicant Not tainted 6.8.9-gentoo-dist-hardened #1
> [ 106.200928] Hardware name: ASUS System Product Name/TUF GAMING B650M-PLUS WIFI, BIOS 2214 01/02/2024
> [ 106.200928] Call Trace:
> [ 106.200929] <TASK>
> [ 106.200930] dump_stack_lvl+0x71/0x90
> [ 106.200932] __ubsan_handle_out_of_bounds+0xed/0x160
> [ 106.200936] nl80211_exit+0x7643/0x21f70 [cfg80211]
> [ 106.200947] genl_family_rcv_msg_doit+0xea/0x150
> [ 106.200950] genl_rcv_msg+0x234/0x260
> [ 106.200952] ? nl80211_exit+0x40/0x21f70 [cfg80211]
> [ 106.200960] ? nl80211_exit+0x7290/0x21f70 [cfg80211]
> [ 106.200966] ? nl80211_exit+0x290/0x21f70 [cfg80211]
> [ 106.200976] ? __cfi_genl_rcv_msg+0x10/0x10
> [ 106.200978] netlink_rcv_skb+0xff/0x140
> [ 106.200981] genl_rcv+0x28/0x40
> [ 106.200982] netlink_unicast+0x265/0x390
> [ 106.200985] netlink_sendmsg+0x381/0x440
> [ 106.200988] __sock_sendmsg+0x94/0xb0
> [ 106.200990] ____sys_sendmsg+0x1c3/0x250
> [ 106.200993] ___sys_sendmsg+0x293/0x2d0
> [ 106.200994] ? do_sock_setsockopt+0xf5/0x190
> [ 106.201000] __se_sys_sendmsg+0x102/0x140
> [ 106.201003] do_syscall_64+0x8e/0x170
> [ 106.201004] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201006] ? do_syscall_64+0x9a/0x170
> [ 106.201010] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201011] ? do_user_addr_fault+0x506/0x6b0
> [ 106.201014] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201015] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201017] entry_SYSCALL_64_after_hwframe+0x78/0x80
> [ 106.201018] RIP: 0033:0x7fe10ad2fde4
> [ 106.201021] Code: 89 02 b8 ff ff ff ff eb af 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 85 e5 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 53 48 83 ec 20 89 54 24 1c 48
> [ 106.201022] RSP: 002b:00007ffe72950598 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> [ 106.201023] RAX: ffffffffffffffda RBX: 000055e0ceb8d180 RCX: 00007fe10ad2fde4
> [ 106.201024] RDX: 0000000000000000 RSI: 00007ffe729505f8 RDI: 0000000000000005
> [ 106.201025] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
> [ 106.201026] R10: 00007ffe72950688 R11: 0000000000000202 R12: 000055e0ceb8d090
> [ 106.201026] R13: 0000000000000000 R14: 000055e0ceb8d180 R15: 00007ffe729505f8
> [ 106.201029] </TASK>
>
>
> [ 106.201036] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/mac80211/scan.c:364:4
> [ 106.201037] index 0 is out of range for type 'struct ieee80211_channel *[]'
> [ 106.201038] CPU: 11 PID: 4166 Comm: wpa_supplicant Not tainted 6.8.9-gentoo-dist-hardened #1
> [ 106.201039] Hardware name: ASUS System Product Name/TUF GAMING B650M-PLUS WIFI, BIOS 2214 01/02/2024
> [ 106.201040] Call Trace:
> [ 106.201040] <TASK>
> [ 106.201041] dump_stack_lvl+0x71/0x90
> [ 106.201043] __ubsan_handle_out_of_bounds+0xed/0x160
> [ 106.201046] ieee80211_sched_scan_stopped+0x42a/0x720 [mac80211]
> [ 106.201062] ? vprintk_emit+0x2b4/0x340
> [ 106.201064] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201065] ? __kmalloc+0x1e8/0x430
> [ 106.201068] __ieee80211_start_scan+0x4fa/0xb90 [mac80211]
> [ 106.201081] cfg80211_scan+0x22d/0x1270 [cfg80211]
> [ 106.201091] nl80211_exit+0x7bde/0x21f70 [cfg80211]
> [ 106.201101] genl_family_rcv_msg_doit+0xea/0x150
> [ 106.201105] genl_rcv_msg+0x234/0x260
> [ 106.201106] ? nl80211_exit+0x40/0x21f70 [cfg80211]
> [ 106.201112] ? nl80211_exit+0x7290/0x21f70 [cfg80211]
> [ 106.201118] ? nl80211_exit+0x290/0x21f70 [cfg80211]
> [ 106.201124] ? __cfi_genl_rcv_msg+0x10/0x10
> [ 106.201125] netlink_rcv_skb+0xff/0x140
> [ 106.201128] genl_rcv+0x28/0x40
> [ 106.201129] netlink_unicast+0x265/0x390
> [ 106.201131] netlink_sendmsg+0x381/0x440
> [ 106.201133] __sock_sendmsg+0x94/0xb0
> [ 106.201134] ____sys_sendmsg+0x1c3/0x250
> [ 106.201136] ___sys_sendmsg+0x293/0x2d0
> [ 106.201137] ? do_sock_setsockopt+0xf5/0x190
> [ 106.201142] __se_sys_sendmsg+0x102/0x140
> [ 106.201145] do_syscall_64+0x8e/0x170
> [ 106.201147] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201148] ? do_syscall_64+0x9a/0x170
> [ 106.201152] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201153] ? do_user_addr_fault+0x506/0x6b0
> [ 106.201155] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201157] ? srso_alias_return_thunk+0x5/0xfbef5
> [ 106.201159] entry_SYSCALL_64_after_hwframe+0x78/0x80
> [ 106.201160] RIP: 0033:0x7fe10ad2fde4
> [ 106.201162] Code: 89 02 b8 ff ff ff ff eb af 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 80 3d 85 e5 0c 00 00 74 13 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 53 48 83 ec 20 89 54 24 1c 48
> [ 106.201163] RSP: 002b:00007ffe72950598 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
> [ 106.201165] RAX: ffffffffffffffda RBX: 000055e0ceb8d180 RCX: 00007fe10ad2fde4
> [ 106.201165] RDX: 0000000000000000 RSI: 00007ffe729505f8 RDI: 0000000000000005
> [ 106.201166] RBP: 0000000000000000 R08: 0000000000000004 R09: 0000000000000001
> [ 106.201167] R10: 00007ffe72950688 R11: 0000000000000202 R12: 000055e0ceb8d090
> [ 106.201168] R13: 0000000000000000 R14: 000055e0ceb8d180 R15: 00007ffe729505f8
> [ 106.201170] </TASK>

Thanks.

--
An old man doll... just what I always wanted! - Clara



2024-05-09 09:12:20

by Johannes Berg

Subject: Re: Fwd: UBSAN: array-index-out-of-bounds in net/wireless/nl80211.c and net/mac80211/scan.c

On Thu, 2024-05-09 at 07:07 +0700, Bagas Sanjaya wrote:
> Hi,
>
> Jannik Glückert <[email protected]> reported on Bugzilla an array index
> out-of-bounds caught by UBSAN, along with a full kernel trace dump (see
> https://bugzilla.kernel.org/show_bug.cgi?id=218810):
>
> > I am seeing multiple array-index-out-of-bounds related to `ieee80211_channel[]` iteration.
> >
> > This is with a Mediatek MT7921 chipset.
> > I have only tested with kernel 6.8.9, but I don't see any channel index related fixes in master.
> >
> > This was discovered as part of Gentoo Hardened enabling CONFIG_UBSAN_ARRAY_BOUNDS
> >
> >
> > [ 106.194465] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9203:29
> > [ 106.195063] index 42 is out of range for type 'struct ieee80211_channel *[]'

> > [ 106.200924] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9252:5
> > [ 106.200926] index 0 is out of range for type 'struct ieee80211_channel *[]'

At least one of these should be fixed by
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=838c7b8f1f278404d9d684c34a8cb26dc41aaaa1

> > [ 106.201036] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/mac80211/scan.c:364:4
> > [ 106.201037] index 0 is out of range for type 'struct ieee80211_channel *[]'

No idea about that one. Send patches.

(Seriously. If you're running with bleeding edge toolchains that pretty
much nobody has yet, send patches.)

johannes


2024-05-09 09:17:29

by Bagas Sanjaya

Subject: Re: Fwd: UBSAN: array-index-out-of-bounds in net/wireless/nl80211.c and net/mac80211/scan.c

On 5/9/24 15:48, Johannes Berg wrote:
> On Thu, 2024-05-09 at 07:07 +0700, Bagas Sanjaya wrote:
>>> [ 106.201036] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/mac80211/scan.c:364:4
>>> [ 106.201037] index 0 is out of range for type 'struct ieee80211_channel *[]'
>
> No idea about that one. Send patches.
>
> (Seriously. If you're running with bleeding edge toolchains that pretty
> much nobody has yet, send patches.)
>

I'm not an expert in networking (let alone wireless), so I'm asking the BZ reporter.

FYI, when I asked the reporter to reproduce this bug on a vanilla (kernel.org)
kernel, he said that he was already running that [1], even though his
kernel is actually a patched distribution kernel [2] (the patches themselves
are in [3]).

Thanks.

[1]: https://bugzilla.kernel.org/show_bug.cgi?id=218810#c2
[2]: https://gitweb.gentoo.org/repo/sync/gentoo.git/tree/sys-kernel/gentoo-kernel/gentoo-kernel-6.8.9.ebuild
[3]: https://gitweb.gentoo.org/proj/linux-patches.git/tree/?h=6.8-12



2024-05-09 10:51:25

by Jannik Glückert

Subject: Re: Fwd: UBSAN: array-index-out-of-bounds in net/wireless/nl80211.c and net/mac80211/scan.c

Am Do., 9. Mai 2024 um 10:48 Uhr schrieb Johannes Berg
<[email protected]>:
> > > [ 106.194465] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9203:29
> > > [ 106.195063] index 42 is out of range for type 'struct ieee80211_channel *[]'
>
> > > [ 106.200924] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/wireless/nl80211.c:9252:5
> > > [ 106.200926] index 0 is out of range for type 'struct ieee80211_channel *[]'
>
> At least one of these should be fixed by
> https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=838c7b8f1f278404d9d684c34a8cb26dc41aaaa1

I can confirm that this fixes both, thanks.
I only looked through torvalds/linux.git, hence I missed this patch. Sorry.

> > > [ 106.201036] UBSAN: array-index-out-of-bounds in /var/tmp/portage/sys-kernel/gentoo-kernel-6.8.9/work/linux-6.8/net/mac80211/scan.c:364:4
> > > [ 106.201037] index 0 is out of range for type 'struct ieee80211_channel *[]'
>
> No idea about that one. Send patches.

Sadly unaffected.

> (Seriously. If you're running with bleeding edge toolchains that pretty
> much nobody has yet, send patches.)

I'm not sure what to make of this - this bug has been around ever
since the code was added; modern toolchains just happen to be one way
to expose it.
Alas, distro people are not kernel devs, so the best I can do is report this :(

Cheers
Jannik

2024-05-09 10:53:11

by Johannes Berg

Subject: Re: Fwd: UBSAN: array-index-out-of-bounds in net/wireless/nl80211.c and net/mac80211/scan.c

On Thu, 2024-05-09 at 12:49 +0200, Jannik Glückert wrote:
>
> > (Seriously. If you're running with bleeding edge toolchains that pretty
> > much nobody has yet, send patches.)
>
> I'm not sure what to make of this - this bug has been around ever
> since the code was added, modern toolchains just happen to be one way
> to expose it.

No, that's incorrect. This is perfectly valid code:

struct x {
	int n;
	int a[] /* __counted_by(n) */;
};

struct x *x = malloc(sizeof(*x) + sizeof(int) * 2);
x->a[0] = 10;
x->a[1] = 20;
x->n = 2;

However, the uncommenting of the __counted_by() annotation will lead to
a complaint.

johannes
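The ordering rule Johannes describes above, worked through as an added example that is not part of this thread or of the kernel tree: the COUNTED_BY macro, the alloc_x helper and the in_bounds accessor are hypothetical, and in_bounds only models what an array-bounds sanitizer enforces for a __counted_by() array (an index is valid only if it is below the count field at the moment of the access). The first function writes the elements before setting n, the pattern the annotation flags; the second publishes n first. Without -fsanitize=array-bounds both run silently, which is why the returned "flagged" count is used to make the difference visible on any compiler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Portable spelling of the annotation from the thread (hypothetical macro,
 * not kernel code): expands to the real attribute where the compiler knows
 * it and to nothing elsewhere, so the file builds on any C compiler.
 */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(member) __attribute__((counted_by(member)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(member)
#endif

struct x {
	int n;                 /* number of valid elements in a[] */
	int a[] COUNTED_BY(n); /* flexible array bounded by n */
};

/*
 * Hypothetical bounded accessor mirroring the rule a bounds sanitizer
 * applies to a counted_by array: index i is in range only if i < n
 * at the moment of the access, not after n is set later.
 */
static bool in_bounds(const struct x *p, size_t i)
{
	return p->n >= 0 && i < (size_t)p->n;
}

/* Allocate room for cap elements; n is left at 0 like fresh kzalloc memory. */
static struct x *alloc_x(size_t cap)
{
	return calloc(1, sizeof(struct x) + cap * sizeof(int));
}

/*
 * The pattern from the thread: elements are stored before n is set, so
 * every a[i] store happens while n is still 0. Returns how many stores
 * the bounded-access rule would flag (what CONFIG_UBSAN_ARRAY_BOUNDS
 * reports once the annotation is active); -1 on allocation failure.
 */
static int count_flagged_late_n(size_t cap)
{
	struct x *x = alloc_x(cap);
	int flagged = 0;

	if (!x)
		return -1;
	for (size_t i = 0; i < cap; i++) {
		if (!in_bounds(x, i))
			flagged++;
		x->a[i] = (int)(10 * (i + 1));
	}
	x->n = (int)cap;
	free(x);
	return flagged;
}

/* Hardened order: publish the count first, then fill the array. */
static int count_flagged_early_n(size_t cap)
{
	struct x *x = alloc_x(cap);
	int flagged = 0;

	if (!x)
		return -1;
	x->n = (int)cap;
	for (size_t i = 0; i < cap; i++) {
		if (!in_bounds(x, i))
			flagged++;
		x->a[i] = (int)(10 * (i + 1));
	}
	free(x);
	return flagged;
}

int main(void)
{
	printf("n set after fill:  %d of 2 stores flagged\n", count_flagged_late_n(2));
	printf("n set before fill: %d of 2 stores flagged\n", count_flagged_early_n(2));
	return 0;
}
```

Built with a toolchain that honours the attribute (clang 18 or newer with -fsanitize=array-bounds), count_flagged_late_n traps on its first store, so the only change a fix needs is to move the assignment to n ahead of the loop; the access pattern itself is unchanged.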