rtl8821ce
UBSAN: array-index-out-of-bounds for rtw_wlan_util.c and phydm_math_lib.c
- UBSAN: array-index-out-of-bounds in core/rtw_wlan_util.c:1912:48
- UBSAN: array-index-out-of-bounds in core/rtw_wlan_util.c:1917:75
- UBSAN: array-index-out-of-bounds in core/rtw_wlan_util.c:1923:76
- UBSAN: array-index-out-of-bounds in core/rtw_wlan_util.c:1926:34
`pIE->Length` is probably initialized to something incorrect. I can't find the original struct `PNDIS_802_11_VARIABLE_IEs` declaration anywhere, however I found these which seem to match:

```c
typedef struct _NDIS_802_11_VARIABLE_IEs {
    UCHAR ElementID;
    UCHAR Length;
    UCHAR data[1];
} NDIS_802_11_VARIABLE_IEs, *PNDIS_802_11_VARIABLE_IEs;
```

`data` is a single-element `UCHAR` array, so the whole `for (i = 0; i < (pIE->Length); i++)` doesn't make much sense unless it's a hack for a variable-length array with an array-like declaration instead of `UCHAR* data`. If it's the latter, only bad fixes come to my mind:

- `sizeof (pIE->data) / sizeof (*(pIE->data))`, eventually breaking due to the nature of `malloc()`
- `calloc()` + `NULL`, requiring the driver to allocate memory (doesn't seem to be the case?)

and something probably easier to solve:

is probably missing a row here or the input is a garbage value.
Logs:
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1912:48
index 1 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xc6/0x110
HT_caps_handler+0xc8/0x310 [8821ce]
OnAssocRsp+0x1bb/0x290 [8821ce]
_mgt_dispatcher+0x70/0xc0 [8821ce]
mgt_dispatcher+0x15d/0x1c0 [8821ce]
validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
validate_recv_frame+0x1a3/0x1f0 [8821ce]
? odm_phy_status_query+0x144/0x200 [8821ce]
recv_func_prehandle+0x2b/0x70 [8821ce]
recv_func+0x2c/0x100 [8821ce]
rtw_recv_entry+0x19/0x50 [8821ce]
pre_recv_entry+0x44/0x80 [8821ce]
rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
? __tasklet_schedule_common+0x47/0xa0
tasklet_action_common.constprop.0+0xfa/0x1e0
tasklet_hi_action+0x1f/0x30
__do_softirq+0xd9/0x349
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
? finish_task_switch.isra.0+0x85/0x2a0
cpuidle_enter+0x2e/0x50
call_cpuidle+0x23/0x60
cpuidle_idle_call+0x11d/0x190
do_idle+0x82/0xf0
cpu_startup_entry+0x1d/0x20
rest_init+0xde/0x100
? acpi_enable_subsystem+0xe6/0x2a0
? static_key_disable+0x1f/0x30
arch_call_rest_init+0xe/0x30
start_kernel+0x34f/0x440
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xa4/0xe0
secondary_startup_64_no_verify+0x17e/0x18b
</TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1917:75
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xc6/0x110
HT_caps_handler+0xec/0x310 [8821ce]
OnAssocRsp+0x1bb/0x290 [8821ce]
_mgt_dispatcher+0x70/0xc0 [8821ce]
mgt_dispatcher+0x15d/0x1c0 [8821ce]
validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
validate_recv_frame+0x1a3/0x1f0 [8821ce]
? odm_phy_status_query+0x144/0x200 [8821ce]
recv_func_prehandle+0x2b/0x70 [8821ce]
recv_func+0x2c/0x100 [8821ce]
rtw_recv_entry+0x19/0x50 [8821ce]
pre_recv_entry+0x44/0x80 [8821ce]
rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
? __tasklet_schedule_common+0x47/0xa0
tasklet_action_common.constprop.0+0xfa/0x1e0
tasklet_hi_action+0x1f/0x30
__do_softirq+0xd9/0x349
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
? finish_task_switch.isra.0+0x85/0x2a0
cpuidle_enter+0x2e/0x50
call_cpuidle+0x23/0x60
cpuidle_idle_call+0x11d/0x190
do_idle+0x82/0xf0
cpu_startup_entry+0x1d/0x20
rest_init+0xde/0x100
? acpi_enable_subsystem+0xe6/0x2a0
? static_key_disable+0x1f/0x30
arch_call_rest_init+0xe/0x30
start_kernel+0x34f/0x440
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xa4/0xe0
secondary_startup_64_no_verify+0x17e/0x18b
</TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1923:76
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xc6/0x110
HT_caps_handler+0x12c/0x310 [8821ce]
OnAssocRsp+0x1bb/0x290 [8821ce]
_mgt_dispatcher+0x70/0xc0 [8821ce]
mgt_dispatcher+0x15d/0x1c0 [8821ce]
validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
validate_recv_frame+0x1a3/0x1f0 [8821ce]
? odm_phy_status_query+0x144/0x200 [8821ce]
recv_func_prehandle+0x2b/0x70 [8821ce]
recv_func+0x2c/0x100 [8821ce]
rtw_recv_entry+0x19/0x50 [8821ce]
pre_recv_entry+0x44/0x80 [8821ce]
rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
? __tasklet_schedule_common+0x47/0xa0
tasklet_action_common.constprop.0+0xfa/0x1e0
tasklet_hi_action+0x1f/0x30
__do_softirq+0xd9/0x349
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
? finish_task_switch.isra.0+0x85/0x2a0
cpuidle_enter+0x2e/0x50
call_cpuidle+0x23/0x60
cpuidle_idle_call+0x11d/0x190
do_idle+0x82/0xf0
cpu_startup_entry+0x1d/0x20
rest_init+0xde/0x100
? acpi_enable_subsystem+0xe6/0x2a0
? static_key_disable+0x1f/0x30
arch_call_rest_init+0xe/0x30
start_kernel+0x34f/0x440
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xa4/0xe0
secondary_startup_64_no_verify+0x17e/0x18b
</TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1926:34
index 2 is out of range for type 'u8 [1]'
CPU: 0 PID: 0 Comm: swapper/0 Tainted: P OE 6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xc6/0x110
HT_caps_handler+0x146/0x310 [8821ce]
OnAssocRsp+0x1bb/0x290 [8821ce]
_mgt_dispatcher+0x70/0xc0 [8821ce]
mgt_dispatcher+0x15d/0x1c0 [8821ce]
validate_recv_mgnt_frame+0x8e/0x130 [8821ce]
validate_recv_frame+0x1a3/0x1f0 [8821ce]
? odm_phy_status_query+0x144/0x200 [8821ce]
recv_func_prehandle+0x2b/0x70 [8821ce]
recv_func+0x2c/0x100 [8821ce]
rtw_recv_entry+0x19/0x50 [8821ce]
pre_recv_entry+0x44/0x80 [8821ce]
rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
? __tasklet_schedule_common+0x47/0xa0
tasklet_action_common.constprop.0+0xfa/0x1e0
tasklet_hi_action+0x1f/0x30
__do_softirq+0xd9/0x349
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffffffafc03dc0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bc3e900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffffffafc03e10 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000004 R14: 0000000000000004 R15: 00000006e8bb7efd
? finish_task_switch.isra.0+0x85/0x2a0
cpuidle_enter+0x2e/0x50
call_cpuidle+0x23/0x60
cpuidle_idle_call+0x11d/0x190
do_idle+0x82/0xf0
cpu_startup_entry+0x1d/0x20
rest_init+0xde/0x100
? acpi_enable_subsystem+0xe6/0x2a0
? static_key_disable+0x1f/0x30
arch_call_rest_init+0xe/0x30
start_kernel+0x34f/0x440
x86_64_start_reservations+0x18/0x30
x86_64_start_kernel+0xa4/0xe0
secondary_startup_64_no_verify+0x17e/0x18b
</TASK>
================================================================================
================================================================================
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/hal/phydm/phydm_math_lib.c:172:26
index 12 is out of range for type 'u16 [12][8]'
CPU: 1 PID: 0 Comm: swapper/1 Tainted: P OE 6.5.0-15-generic #15~22.04.1-Ubuntu
Hardware name: ASUSTeK COMPUTER INC. VivoBook_ASUSLaptop E210MAB_E210MA/E210MAB, BIOS E210MAB.300 08/18/2021
Call Trace:
<IRQ>
dump_stack_lvl+0x48/0x70
dump_stack+0x10/0x20
__ubsan_handle_out_of_bounds+0xc6/0x110
phydm_db_2_linear+0x69/0x80 [8821ce]
phydm_process_rssi_for_dm_2nd_type+0xce/0x180 [8821ce]
odm_phy_status_query+0x188/0x200 [8821ce]
rx_query_phy_status+0x21e/0x3f0 [8821ce]
pre_recv_entry+0x3c/0x80 [8821ce]
rtl8821ce_recv_tasklet+0x56c/0x5e0 [8821ce]
? __tasklet_schedule_common+0x47/0xa0
tasklet_action_common.constprop.0+0xfa/0x1e0
tasklet_hi_action+0x1f/0x30
__do_softirq+0xd9/0x349
? handle_irq_event+0x52/0x80
? handle_edge_irq+0xda/0x250
__irq_exit_rcu+0x75/0xa0
irq_exit_rcu+0xe/0x20
common_interrupt+0xa4/0xb0
</IRQ>
<TASK>
asm_common_interrupt+0x27/0x40
RIP: 0010:cpuidle_enter_state+0xda/0x720
Code: 55 06 ff e8 a8 f5 ff ff 8b 53 04 49 89 c7 0f 1f 44 00 00 31 ff e8 46 01 05 ff 80 7d d0 00 0f 85 61 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 f7 01 00 00 4d 63 ee 49 83 fd 09 0f 87 19 05 00 00
RSP: 0018:ffffabf8c00efe18 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffff9a737bcbe900 RCX: 0000000000000000
RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffabf8c00efe68 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffafed1b80
R13: 0000000000000007 R14: 0000000000000007 R15: 0000016c1ae9216c
? cpuidle_enter_state+0xca/0x720
? tick_nohz_stop_tick+0xa0/0x210
cpuidle_enter+0x2e/0x50
call_cpuidle+0x23/0x60
cpuidle_idle_call+0x11d/0x190
do_idle+0x82/0xf0
cpu_startup_entry+0x1d/0x20
start_secondary+0x129/0x160
secondary_startup_64_no_verify+0x17e/0x18b
</TASK>
================================================================================
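To illustrate the variable-length IE point above, here is an added example (not code from the rtl8821ce driver): it keeps the same two-byte header but declares `data` as a C99 flexible array member, and it validates each element's `Length` against the bytes actually left in the buffer before a `for (i = 0; i < pIE->Length; i++)` style loop runs over it. `var_ie`, `find_ie`, `ie_payload_sum` and the sample frame are all constructed here.

```c
#include <stddef.h>
#include <stdint.h>
/* Driver's NDIS_802_11_VARIABLE_IEs layout, but with a C99 flexible array
 * member instead of data[1]: data[i] for i < Length is then well-defined. */
struct var_ie {
    uint8_t ElementID;
    uint8_t Length;
    uint8_t data[];
};
#define IE_HDR_LEN 2u   /* ElementID + Length */

/* Walk the IE list in buf[0..len) for element id `eid`. Each Length is
 * checked against the bytes still present, so a truncated or malformed
 * list yields NULL instead of a read past the end of the buffer. */
const struct var_ie *find_ie(const uint8_t *buf, size_t len, uint8_t eid)
{
    size_t off = 0;
    while (len - off >= IE_HDR_LEN) {
        const struct var_ie *ie = (const struct var_ie *)(buf + off);
        size_t ie_len = IE_HDR_LEN + ie->Length;
        if (ie_len > len - off)
            return NULL;    /* Length claims bytes that are not there */
        if (ie->ElementID == eid)
            return ie;
        off += ie_len;
    }
    return NULL;
}

/* Sum of the payload bytes of the first IE with id `eid`, UINT32_MAX when
 * it is absent or the list is malformed. The loop is the driver's
 * for (i = 0; i < pIE->Length; i++), now run only over a validated IE. */
uint32_t ie_payload_sum(const uint8_t *buf, size_t len, uint8_t eid)
{
    const struct var_ie *ie = find_ie(buf, len, eid);
    uint32_t sum = 0;
    if (!ie)
        return UINT32_MAX;
    for (size_t i = 0; i < ie->Length; i++)
        sum += ie->data[i];
    return sum;
}

/* Constructed sample: SSID IE (id 0, 4 bytes), HT Capabilities IE (id 45,
 * 3 bytes), then an IE claiming 10 bytes with only 2 actually present. */
static const uint8_t sample_frame[] = { 0x00, 4, 'a', 'b', 'c', 'd',
    45, 3, 0x01, 0x02, 0x03,   50, 10, 0xAA, 0xBB };
uint32_t sample_sum(uint8_t eid)
{
    return ie_payload_sum(sample_frame, sizeof sample_frame, eid);
}
```

The truncated last element is the case a malformed frame from the air would produce; the lookup stops there instead of trusting its `Length`.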
The name `_NDIS_802_11_VARIABLE_IEs` already tells you it's supposed to be a variable length array, not size 1. Make it `u8 data[];` and the warning probably goes away. The struct is here: https://github.com/tomaspinho/rtl8821ce/blob/66983b69120a13699acf40a12979317f29012111/include/wlan_bssdef.h#L95-L99

For the other thing, the newer version of the driver has a check which prevents the out-of-bounds value: https://github.com/lwfinger/rtw88/blob/ca9f4e199efbf8c377e8a1769ba5b05b23f92c82/alt_rtl8821ce/hal/phydm/phydm_math_lib.c#L205-L214
Thought it might be worthwhile sharing my experience here as well. The following warnings are printed to the screen by plymouth during system boot. There are no issues with internet access once the system finishes booting.
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1912:48
index 1 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1917:75
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1923:76
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/core/rtw_wlan_util.c:1926:34
index 2 is out of range for type 'u8 [1]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/os_dep/linux/ioctl_cfg80211.c:1589:110
index 16 is out of range for type 'u8 [*]'
UBSAN: array-index-out-of-bounds in /var/lib/dkms/rtl8821ce/v5.5.2_34066.20200325/build/os_dep/linux/ioctl_cfg80211.c:1590:110
index 24 is out of range for type 'u8 [*]'
- OS: Fedora Linux (Version 40)
- Linux Kernel: 6.9.7-200.fc40.x86_64
@KernelGhost Have you tried rtw88 recently? It may be working okay now.
@dubhater When I initially set up my system, I used the rtw88_8821ce driver that came bundled with the Linux kernel. Unfortunately, the performance was poor, with very slow connection speeds and frequent random disconnections from wireless access points. Due to these issues, I blacklisted the RTW88 driver and installed the RTL8821ce driver instead. Since making the switch, I have noticed a significant improvement in both performance and stability.
But when was that? Some fixes for RTL8821CE went into kernel 6.9.
> Some fixes for RTL8821CE went into kernel 6.9.

Did you mean to say fixes to RTW88 were included in kernel version 6.9?

> But when was that?

The last time I tried rtw88_8821ce was on a kernel between 6.5 and 6.8 (inclusive), though I can't recall the exact version.

Since networking is currently operational and stable using RTL8821ce, I am willing to tolerate the warnings for now. I might trial rtw88_8821ce again in the future if necessary.
Yes, I meant fixes to rtw88.