rtl8188eus
array-index-out-of-bounds in /var/lib/dkms/8188eu/5.3.9/build/core/rtw_wlan_util.c:1831:34 … when enabling hotspot … causes programs to hang and prevent shutdown.
With recent versions of the kernel (6.5.0-25 on Mint), enabling the hotspot with this driver causes the following kernel errors:
[10082.036833] usb 3-2.1: new high-speed USB device number 7 using xhci_hcd
[10082.139282] usb 3-2.1: New USB device found, idVendor=2357, idProduct=010c, bcdDevice= 0.00
[10082.139292] usb 3-2.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[10082.139296] usb 3-2.1: Product: 802.11n NIC
[10082.139299] usb 3-2.1: Manufacturer: Realtek
[10082.139302] usb 3-2.1: SerialNumber: 00E04C0001
[10082.318154] bFWReady == _FALSE call reset 8051...
[10082.377323] usbcore: registered new interface driver 8188eu
[10082.388310] 8188eu 3-2.1:1.0 wlan-stick: renamed from wlan0
[10082.926914] ==> rtl8188e_iol_efuse_patch
[10125.354855] ================================================================================
[10125.354862] UBSAN: array-index-out-of-bounds in /var/lib/dkms/8188eu/5.3.9/build/core/rtw_wlan_util.c:1817:48
[10125.354866] index 1 is out of range for type 'u8 [1]'
[10125.354869] CPU: 2 PID: 842 Comm: wpa_supplicant Tainted: G OE 6.5.0-25-generic #25~22.04.1-Ubuntu
[10125.354873] Hardware name: Micro-Star International Co., Ltd. MS-7A38/B350M PRO-VDH (MS-7A38), BIOS A.L4 05/17/2023
[10125.354875] Call Trace:
[10125.354877] <TASK>
[10125.354880] dump_stack_lvl+0x48/0x70
[10125.354890] dump_stack+0x10/0x20
[10125.354894] __ubsan_handle_out_of_bounds+0xc6/0x110
[10125.354900] HT_caps_handler+0xc8/0x310 [8188eu]
[10125.354992] rtw_check_beacon_data+0xabc/0xb60 [8188eu]
[10125.355090] rtw_add_beacon+0x149/0x280 [8188eu]
[10125.355194] cfg80211_rtw_start_ap+0x47/0xe0 [8188eu]
[10125.355298] nl80211_start_ap+0x857/0xaf0 [cfg80211]
[10125.355372] ? rtnl_unlock+0xe/0x20
[10125.355377] ? nl80211_pre_doit+0x225/0x2d0 [cfg80211]
[10125.355446] genl_family_rcv_msg_doit.isra.0+0xe8/0x150
[10125.355452] genl_family_rcv_msg+0x180/0x250
[10125.355455] ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
[10125.355523] ? __pfx_nl80211_start_ap+0x10/0x10 [cfg80211]
[10125.355592] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
[10125.355660] genl_rcv_msg+0x4c/0xb0
[10125.355663] ? __pfx_genl_rcv_msg+0x10/0x10
[10125.355666] netlink_rcv_skb+0x5d/0x110
[10125.355671] genl_rcv+0x28/0x50
[10125.355673] netlink_unicast+0x1b3/0x2a0
[10125.355676] netlink_sendmsg+0x25e/0x4e0
[10125.355680] ____sys_sendmsg+0x3ef/0x420
[10125.355684] ___sys_sendmsg+0x9a/0xf0
[10125.355692] __sys_sendmsg+0x89/0xf0
[10125.355697] __x64_sys_sendmsg+0x1d/0x30
[10125.355700] do_syscall_64+0x5b/0x90
[10125.355704] ? exit_to_user_mode_prepare+0x30/0xb0
[10125.355707] ? syscall_exit_to_user_mode+0x37/0x60
[10125.355712] ? do_syscall_64+0x67/0x90
[10125.355714] ? do_syscall_64+0x67/0x90
[10125.355717] ? do_syscall_64+0x67/0x90
[10125.355720] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[10125.355725] RIP: 0033:0x79cf16f27967
[10125.355750] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[10125.355752] RSP: 002b:00007ffd19ccb188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[10125.355756] RAX: ffffffffffffffda RBX: 00006342ca624aa0 RCX: 000079cf16f27967
[10125.355758] RDX: 0000000000000000 RSI: 00007ffd19ccb1c0 RDI: 0000000000000006
[10125.355760] RBP: 00006342ca624d80 R08: 0000000000000004 R09: 00006342ca72cfd0
[10125.355761] R10: 00007ffd19ccb2a0 R11: 0000000000000246 R12: 00006342ca74c9d0
[10125.355763] R13: 00007ffd19ccb1c0 R14: 0000000000000000 R15: 0000000000000000
[10125.355767] </TASK>
[10125.355768] ================================================================================
[10125.355770] ================================================================================
[10125.355772] UBSAN: array-index-out-of-bounds in /var/lib/dkms/8188eu/5.3.9/build/core/rtw_wlan_util.c:1822:75
[10125.355775] index 2 is out of range for type 'u8 [1]'
[10125.355777] CPU: 2 PID: 842 Comm: wpa_supplicant Tainted: G OE 6.5.0-25-generic #25~22.04.1-Ubuntu
[10125.355780] Hardware name: Micro-Star International Co., Ltd. MS-7A38/B350M PRO-VDH (MS-7A38), BIOS A.L4 05/17/2023
[10125.355782] Call Trace:
[10125.355783] <TASK>
[10125.355784] dump_stack_lvl+0x48/0x70
[10125.355788] dump_stack+0x10/0x20
[10125.355791] __ubsan_handle_out_of_bounds+0xc6/0x110
[10125.355796] HT_caps_handler+0xec/0x310 [8188eu]
[10125.355885] rtw_check_beacon_data+0xabc/0xb60 [8188eu]
[10125.355983] rtw_add_beacon+0x149/0x280 [8188eu]
[10125.356087] cfg80211_rtw_start_ap+0x47/0xe0 [8188eu]
[10125.356176] nl80211_start_ap+0x857/0xaf0 [cfg80211]
[10125.356236] ? rtnl_unlock+0xe/0x20
[10125.356240] ? nl80211_pre_doit+0x225/0x2d0 [cfg80211]
[10125.356296] genl_family_rcv_msg_doit.isra.0+0xe8/0x150
[10125.356300] genl_family_rcv_msg+0x180/0x250
[10125.356303] ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
[10125.356359] ? __pfx_nl80211_start_ap+0x10/0x10 [cfg80211]
[10125.356417] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
[10125.356473] genl_rcv_msg+0x4c/0xb0
[10125.356476] ? __pfx_genl_rcv_msg+0x10/0x10
[10125.356478] netlink_rcv_skb+0x5d/0x110
[10125.356482] genl_rcv+0x28/0x50
[10125.356484] netlink_unicast+0x1b3/0x2a0
[10125.356486] netlink_sendmsg+0x25e/0x4e0
[10125.356489] ____sys_sendmsg+0x3ef/0x420
[10125.356493] ___sys_sendmsg+0x9a/0xf0
[10125.356499] __sys_sendmsg+0x89/0xf0
[10125.356503] __x64_sys_sendmsg+0x1d/0x30
[10125.356506] do_syscall_64+0x5b/0x90
[10125.356509] ? exit_to_user_mode_prepare+0x30/0xb0
[10125.356512] ? syscall_exit_to_user_mode+0x37/0x60
[10125.356515] ? do_syscall_64+0x67/0x90
[10125.356517] ? do_syscall_64+0x67/0x90
[10125.356520] ? do_syscall_64+0x67/0x90
[10125.356522] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[10125.356525] RIP: 0033:0x79cf16f27967
[10125.356534] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[10125.356536] RSP: 002b:00007ffd19ccb188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[10125.356539] RAX: ffffffffffffffda RBX: 00006342ca624aa0 RCX: 000079cf16f27967
[10125.356540] RDX: 0000000000000000 RSI: 00007ffd19ccb1c0 RDI: 0000000000000006
[10125.356541] RBP: 00006342ca624d80 R08: 0000000000000004 R09: 00006342ca72cfd0
[10125.356542] R10: 00007ffd19ccb2a0 R11: 0000000000000246 R12: 00006342ca74c9d0
[10125.356544] R13: 00007ffd19ccb1c0 R14: 0000000000000000 R15: 0000000000000000
[10125.356547] </TASK>
[10125.356548] ================================================================================
[10125.356549] ================================================================================
[10125.356550] UBSAN: array-index-out-of-bounds in /var/lib/dkms/8188eu/5.3.9/build/core/rtw_wlan_util.c:1828:76
[10125.356553] index 2 is out of range for type 'u8 [1]'
[10125.356554] CPU: 2 PID: 842 Comm: wpa_supplicant Tainted: G OE 6.5.0-25-generic #25~22.04.1-Ubuntu
[10125.356556] Hardware name: Micro-Star International Co., Ltd. MS-7A38/B350M PRO-VDH (MS-7A38), BIOS A.L4 05/17/2023
[10125.356558] Call Trace:
[10125.356558] <TASK>
[10125.356559] dump_stack_lvl+0x48/0x70
[10125.356563] dump_stack+0x10/0x20
[10125.356565] __ubsan_handle_out_of_bounds+0xc6/0x110
[10125.356569] HT_caps_handler+0x12c/0x310 [8188eu]
[10125.356643] rtw_check_beacon_data+0xabc/0xb60 [8188eu]
[10125.356724] rtw_add_beacon+0x149/0x280 [8188eu]
[10125.356811] cfg80211_rtw_start_ap+0x47/0xe0 [8188eu]
[10125.356897] nl80211_start_ap+0x857/0xaf0 [cfg80211]
[10125.356956] ? rtnl_unlock+0xe/0x20
[10125.356959] ? nl80211_pre_doit+0x225/0x2d0 [cfg80211]
[10125.357015] genl_family_rcv_msg_doit.isra.0+0xe8/0x150
[10125.357020] genl_family_rcv_msg+0x180/0x250
[10125.357022] ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
[10125.357078] ? __pfx_nl80211_start_ap+0x10/0x10 [cfg80211]
[10125.357136] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
[10125.357192] genl_rcv_msg+0x4c/0xb0
[10125.357195] ? __pfx_genl_rcv_msg+0x10/0x10
[10125.357197] netlink_rcv_skb+0x5d/0x110
[10125.357201] genl_rcv+0x28/0x50
[10125.357203] netlink_unicast+0x1b3/0x2a0
[10125.357205] netlink_sendmsg+0x25e/0x4e0
[10125.357208] ____sys_sendmsg+0x3ef/0x420
[10125.357211] ___sys_sendmsg+0x9a/0xf0
[10125.357218] __sys_sendmsg+0x89/0xf0
[10125.357222] __x64_sys_sendmsg+0x1d/0x30
[10125.357225] do_syscall_64+0x5b/0x90
[10125.357228] ? exit_to_user_mode_prepare+0x30/0xb0
[10125.357230] ? syscall_exit_to_user_mode+0x37/0x60
[10125.357233] ? do_syscall_64+0x67/0x90
[10125.357236] ? do_syscall_64+0x67/0x90
[10125.357238] ? do_syscall_64+0x67/0x90
[10125.357241] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[10125.357244] RIP: 0033:0x79cf16f27967
[10125.357252] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[10125.357253] RSP: 002b:00007ffd19ccb188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[10125.357256] RAX: ffffffffffffffda RBX: 00006342ca624aa0 RCX: 000079cf16f27967
[10125.357257] RDX: 0000000000000000 RSI: 00007ffd19ccb1c0 RDI: 0000000000000006
[10125.357258] RBP: 00006342ca624d80 R08: 0000000000000004 R09: 00006342ca72cfd0
[10125.357259] R10: 00007ffd19ccb2a0 R11: 0000000000000246 R12: 00006342ca74c9d0
[10125.357261] R13: 00007ffd19ccb1c0 R14: 0000000000000000 R15: 0000000000000000
[10125.357264] </TASK>
[10125.357282] ================================================================================
[10125.357284] ================================================================================
[10125.357285] UBSAN: array-index-out-of-bounds in /var/lib/dkms/8188eu/5.3.9/build/core/rtw_wlan_util.c:1831:34
[10125.357287] index 2 is out of range for type 'u8 [1]'
[10125.357289] CPU: 2 PID: 842 Comm: wpa_supplicant Tainted: G OE 6.5.0-25-generic #25~22.04.1-Ubuntu
[10125.357291] Hardware name: Micro-Star International Co., Ltd. MS-7A38/B350M PRO-VDH (MS-7A38), BIOS A.L4 05/17/2023
[10125.357292] Call Trace:
[10125.357293] <TASK>
[10125.357294] dump_stack_lvl+0x48/0x70
[10125.357298] dump_stack+0x10/0x20
[10125.357300] __ubsan_handle_out_of_bounds+0xc6/0x110
[10125.357305] HT_caps_handler+0x146/0x310 [8188eu]
[10125.357379] rtw_check_beacon_data+0xabc/0xb60 [8188eu]
[10125.357460] rtw_add_beacon+0x149/0x280 [8188eu]
[10125.357547] cfg80211_rtw_start_ap+0x47/0xe0 [8188eu]
[10125.357633] nl80211_start_ap+0x857/0xaf0 [cfg80211]
[10125.357695] ? rtnl_unlock+0xe/0x20
[10125.357699] ? nl80211_pre_doit+0x225/0x2d0 [cfg80211]
[10125.357755] genl_family_rcv_msg_doit.isra.0+0xe8/0x150
[10125.357760] genl_family_rcv_msg+0x180/0x250
[10125.357763] ? __pfx_nl80211_pre_doit+0x10/0x10 [cfg80211]
[10125.357819] ? __pfx_nl80211_start_ap+0x10/0x10 [cfg80211]
[10125.357877] ? __pfx_nl80211_post_doit+0x10/0x10 [cfg80211]
[10125.357933] genl_rcv_msg+0x4c/0xb0
[10125.357936] ? __pfx_genl_rcv_msg+0x10/0x10
[10125.357938] netlink_rcv_skb+0x5d/0x110
[10125.357942] genl_rcv+0x28/0x50
[10125.357944] netlink_unicast+0x1b3/0x2a0
[10125.357947] netlink_sendmsg+0x25e/0x4e0
[10125.357950] ____sys_sendmsg+0x3ef/0x420
[10125.357954] ___sys_sendmsg+0x9a/0xf0
[10125.357960] __sys_sendmsg+0x89/0xf0
[10125.357964] __x64_sys_sendmsg+0x1d/0x30
[10125.357967] do_syscall_64+0x5b/0x90
[10125.357971] ? exit_to_user_mode_prepare+0x30/0xb0
[10125.357973] ? syscall_exit_to_user_mode+0x37/0x60
[10125.357977] ? do_syscall_64+0x67/0x90
[10125.357979] ? do_syscall_64+0x67/0x90
[10125.357982] ? do_syscall_64+0x67/0x90
[10125.357984] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[10125.357988] RIP: 0033:0x79cf16f27967
[10125.358005] Code: 0f 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b9 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[10125.358007] RSP: 002b:00007ffd19ccb188 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[10125.358009] RAX: ffffffffffffffda RBX: 00006342ca624aa0 RCX: 000079cf16f27967
[10125.358010] RDX: 0000000000000000 RSI: 00007ffd19ccb1c0 RDI: 0000000000000006
[10125.358011] RBP: 00006342ca624d80 R08: 0000000000000004 R09: 00006342ca72cfd0
[10125.358013] R10: 00007ffd19ccb2a0 R11: 0000000000000246 R12: 00006342ca74c9d0
[10125.358014] R13: 00007ffd19ccb1c0 R14: 0000000000000000 R15: 0000000000000000
[10125.358017] </TASK>
[10125.358018] ================================================================================
(It looks repetitive, but they all happen right away, so I thought it’s better to include them all.)
This then sometimes (the more likely the longer you use it) leads to NetworkManager using 100% CPU (on a single core), as well as all programs that use networking completely hanging, to a point where even SIGKILLing them won’t work. This prevents logging in or opening a shell to fix anything, as well as shutting down. (Alt-SysRq-REISUB works, but on Mint isn’t enabled by default.) (Hibernation also seems to be affected somehow, as it won’t wake up but boot instead. I could not find out why yet, as I had to disable the driver, as the PC is needed for work.)
It also happens with the fork by gglluukk which is a few commits ahead.
If you need any further info to reproduce it, or need me to do some diagnostics with access to the actual hardware, feel free to ask. I’m a programmer too.
@navid-zamani I can't reproduce this error, but I extended the array to hopefully prevent this error from happening. Try to renew https://github.com/gglluukk/rtl8188eus
Thank you, but the error still happened.
I narrowed down the value, and the smallest one that works is … 26.
So this is the patch that makes it work:
diff --git a/include/wlan_bssdef.h b/include/wlan_bssdef.h
index d547b65..101fcfc 100644
--- a/include/wlan_bssdef.h
+++ b/include/wlan_bssdef.h
@@ -95,7 +95,7 @@ typedef struct _NDIS_802_11_FIXED_IEs {
typedef struct _NDIS_802_11_VARIABLE_IEs {
UCHAR ElementID;
UCHAR Length;
- UCHAR data[8];
+ UCHAR data[26];
} NDIS_802_11_VARIABLE_IEs, *PNDIS_802_11_VARIABLE_IEs;
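Review bot: `UCHAR data[26];` swaps one empirical size for another. `Length` is a UCHAR, so an element read through this struct can carry up to 255 body bytes, and the UBSAN reports above trip inside HT_caps_handler on indices 1 and 2 of the old array, which shows the struct is laid over beacon bytes rather than used as storage the driver fills. A sized array only moves the bound the sanitizer checks against; a flexible array member (`UCHAR data[];`) states the real layout, leaves the ElementID/Length offsets unchanged, and makes it the caller's job to check `Length` against the remaining frame before indexing. Whichever is chosen, a comment in the header should say where the number comes from and that the struct is cast over the IE buffer.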
@@ -343,7 +343,7 @@ typedef struct _NDIS_802_11_FIXED_IEs {
typedef struct _NDIS_802_11_VARIABLE_IEs {
UCHAR ElementID;
UCHAR Length;
- UCHAR data[8];
+ UCHAR data[26];
} NDIS_802_11_VARIABLE_IEs, *PNDIS_802_11_VARIABLE_IEs;
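Review bot: this hunk edits a second, verbatim copy of the same `_NDIS_802_11_VARIABLE_IEs` typedef (the first is in the hunk at line 95), so the header defines the type twice and the two copies have to be changed in lockstep, as this patch does. Suggest collapsing them into one definition so the two sizes cannot drift apart; failing that, each copy should carry a comment pointing at the other.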
I am really curious what this is for, … (and if it’s a bug that it needs to be that big here.)
in this case i set data array length to: UCHAR data[255]; since 255 -- maximum value of (pIE->Length): https://github.com/gglluukk/rtl8188eus/blob/v5.3.9/core/rtw_wlan_util.c#L1813
UCHAR data[]; also works.
yep, under kernel you can do that, but in ANSI C you can't:
lab ~ # cat a.c
#include <stdio.h>
#define UCHAR unsigned char
int main() {
UCHAR data1[255];
UCHAR data2[];
printf("%lu %lu\n", sizeof(data1), sizeof(data2));
}
lab ~ # cc -o a a.c
a.c: In function ‘main’:
a.c:7:11: error: array size missing in ‘data2’
7 | UCHAR data2[];
| ^~~~~
lab ~ #
in case of data1[255] i know what sizeof is, but what is sizeof(data2[])?
i was incorrect since data[] is "flexible array member" and not stand-alone variable, correct example:
#include <stdio.h>
#define UCHAR unsigned char
/* sized array: the 255 body bytes are part of the struct */
typedef struct _check1 {
UCHAR ElementID;
UCHAR Length;
UCHAR data[255];
} check1;
/* flexible array member: only the two header bytes are part of the struct */
typedef struct _check2 {
UCHAR ElementID;
UCHAR Length;
UCHAR data[];
} check2;
int main(void) {
check1 c1;
check2 c2;
printf("%zu %zu\n", sizeof(c1), sizeof(c2)); /* 257 2 */
return 0;
}
so using data[] might be better here hopefully to further correct memory allocations