segfault while connecting to wifi #1
Comments
illiliti
pushed a commit
that referenced
this issue
Aug 2, 2021
ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000512c08 at pc 0x00000041848d bp 0x7ffcdde71870 sp 0x7ffcdde71860
READ of size 8 at 0x000000512c08 thread T0
#0 0x41848c in print_attributes monitor/nlmon.c:6268
#1 0x42ac53 in print_message monitor/nlmon.c:6544
#2 0x438968 in nlmon_message monitor/nlmon.c:6698
#3 0x43d5e4 in nlmon_receive monitor/nlmon.c:7658
#4 0x4b3cd0 in io_callback ell/io.c:120
#5 0x4b085a in l_main_iterate ell/main.c:478
#6 0x4b0ee3 in l_main_run ell/main.c:525
#7 0x4b0ee3 in l_main_run ell/main.c:507
#8 0x4b13ac in l_main_run_with_signal ell/main.c:647
#9 0x4072fe in main monitor/main.c:811
|
Can't reproduce anymore |
ioraff
pushed a commit
to ioraff/eiwd
that referenced
this issue
Feb 25, 2022
Commit 4d2176d ("handshake: Allow event handler to free handshake") introduced a re-entrancy guard so that handshake_state objects that are destroyed as a result of the event do not cause a crash. It rightly used a temporary object to store the passed in handshake. Unfortunately this caused variable shadowing which resulted in crashes fixed by commit d22b174 ("handshake: use _hs directly in handshake_event"). However, since the temporary was no longer used, this fix itself caused a crash: #0 0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236 1236 handshake_event(sm->handshake, (gdb) bt #0 0x00005555f0ba8b3d in eapol_handle_ptk_1_of_4 (sm=sm@entry=0x5555f2b4a920, ek=0x5555f2b62588, ek@entry=0x16, unencrypted=unencrypted@entry=false) at src/eapol.c:1236 illiliti#1 0x00005555f0bab118 in eapol_key_handle (unencrypted=<optimized out>, frame=<optimized out>, sm=0x5555f2b4a920) at src/eapol.c:2343 illiliti#2 eapol_rx_packet (proto=<optimized out>, from=<optimized out>, frame=<optimized out>, unencrypted=<optimized out>, user_data=0x5555f2b4a920) at src/eapol.c:2665 illiliti#3 0x00005555f0bac497 in __eapol_rx_packet (ifindex=62, src=src@entry=0x5555f2b62574 "x\212 J\207\267", proto=proto@entry=34958, frame=frame@entry=0x5555f2b62588 "\002\003", len=len@entry=121, noencrypt=noencrypt@entry=false) at src/eapol.c:3017 illiliti#4 0x00005555f0b8c617 in netdev_control_port_frame_event (netdev=0x5555f2b64450, msg=0x5555f2b62588) at src/netdev.c:5574 illiliti#5 netdev_unicast_notify (msg=msg@entry=0x5555f2b619a0, user_data=<optimized out>) at src/netdev.c:5613 illiliti#6 0x00007f60084c9a51 in dispatch_unicast_watches (msg=0x5555f2b619a0, id=<optimized out>, genl=0x5555f2b3fc80) at ell/genl.c:954 #7 process_unicast (nlmsg=0x7fff61abeac0, genl=0x5555f2b3fc80) at ell/genl.c:973 #8 received_data (io=<optimized out>, user_data=0x5555f2b3fc80) at ell/genl.c:1098 #9 0x00007f60084c61bd in io_callback (fd=<optimized out>, events=1, user_data=0x5555f2b3fd20) at ell/io.c:120 #10 0x00007f60084c536d in l_main_iterate (timeout=<optimized out>) at ell/main.c:478 #11 0x00007f60084c543e in l_main_run () at ell/main.c:525 #12 l_main_run () at ell/main.c:507 #13 0x00007f60084c5670 in l_main_run_with_signal (callback=callback@entry=0x5555f0b89150 <signal_handler>, user_data=user_data@entry=0x0) at ell/main.c:647 #14 0x00005555f0b886a4 in main (argc=<optimized out>, argv=<optimized out>) at src/main.c:532 This happens when the driver does not support rekeying, which causes iwd to attempt a disconnect and re-connect. The disconnect action is taken during the event callback and destroys the underlying eapol state machine. Since a temporary isn't used, attempting to dereference sm->handshake results in a crash. Fix this by introducing a UNIQUE_ID macro which should prevent shadowing and using a temporary variable as originally intended. Fixes: d22b174 ("handshake: use _hs directly in handshake_event") Fixes: 4d2176d ("handshake: Allow event handler to free handshake") Reported-By: Toke Høiland-Jørgensen <toke@toke.dk> Tested-by: Toke Høiland-Jørgensen <toke@toke.dk>
illiliti
pushed a commit
that referenced
this issue
Sep 11, 2022
Certain module dependencies were missing, which could cause a crash on exit under (very unlikely) circumstances. #0 l_queue_peek_head (queue=<optimized out>) at ../iwd-1.28/ell/queue.c:241 #1 0x0000aaaab752f2a0 in wiphy_radio_work_done (wiphy=0xaaaac3a129a0, id=6) at ../iwd-1.28/src/wiphy.c:2013 #2 0x0000aaaab7523f50 in netdev_connect_free (netdev=netdev@entry=0xaaaac3a13db0) at ../iwd-1.28/src/netdev.c:765 #3 0x0000aaaab7526208 in netdev_free (data=0xaaaac3a13db0) at ../iwd-1.28/src/netdev.c:909 #4 0x0000aaaab75a3924 in l_queue_clear (queue=queue@entry=0xaaaac3a0c800, destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:107 #5 0x0000aaaab75a3974 in l_queue_destroy (queue=0xaaaac3a0c800, destroy=destroy@entry=0xaaaab7526190 <netdev_free>) at ../iwd-1.28/ell/queue.c:82 #6 0x0000aaaab7522050 in netdev_exit () at ../iwd-1.28/src/netdev.c:6653 #7 0x0000aaaab7579bb0 in iwd_modules_exit () at ../iwd-1.28/src/module.c:181 In this particular case, wiphy module was de-initialized prior to the netdev module: Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/wiphy.c:wiphy_free() Freeing wiphy phy0[0] Jul 14 18:14:39 localhost iwd[2867]: ../iwd-1.28/src/netdev.c:netdev_free() Freeing netdev wlan0[45]
illiliti
pushed a commit
that referenced
this issue
Jan 28, 2023
Under the following conditions IWD can accidentally trigger a second roam scan while one is already in progress: - A low RSSI condition is met. This starts the roam rearm timer. - A packet loss condition is met, which triggers a roam scan. - The roam rearm timer fires and starts another roam scan while also overwriting the first roam scan ID. - Then, if IWD gets disconnected the overwritten roam scan gets canceled, and the roam state is cleared which NULL's station->connected_network. - The initial roam scan results then come in with the assumption that IWD is still connected which results in a crash trying to reference station->connected_network. This can be fixed by adding a station_cannot_roam check in the rearm timer. If IWD is already doing a roam scan station->preparing_roam should be set which will cause it to return true and stop any further action. Aborting (signal 11) [/usr/libexec/iwd] iwd[426]: ++++++++ backtrace ++++++++ iwd[426]: #0 0x7f858d7b2090 in /lib/x86_64-linux-gnu/libc.so.6 iwd[426]: #1 0x443df7 in network_get_security() at ome/locus/workspace/iwd/src/network.c:287 iwd[426]: #2 0x421fbb in station_roam_scan_notify() at ome/locus/workspace/iwd/src/station.c:2516 iwd[426]: #3 0x43ebc1 in scan_finished() at ome/locus/workspace/iwd/src/scan.c:1861 iwd[426]: #4 0x43ecf2 in get_scan_done() at ome/locus/workspace/iwd/src/scan.c:1891 iwd[426]: #5 0x4cbfe9 in destroy_request() at ome/locus/workspace/iwd/ell/genl.c:676 iwd[426]: #6 0x4cc98b in process_unicast() at ome/locus/workspace/iwd/ell/genl.c:954 iwd[426]: #7 0x4ccd28 in received_data() at ome/locus/workspace/iwd/ell/genl.c:1052 iwd[426]: #8 0x4c79c9 in io_callback() at ome/locus/workspace/iwd/ell/io.c:120 iwd[426]: #9 0x4c62e3 in l_main_iterate() at ome/locus/workspace/iwd/ell/main.c:476 iwd[426]: #10 0x4c6426 in l_main_run() at ome/locus/workspace/iwd/ell/main.c:519 iwd[426]: #11 0x4c6752 in l_main_run_with_signal() at ome/locus/workspace/iwd/ell/main.c:645 iwd[426]: #12 0x405987 in main() at ome/locus/workspace/iwd/src/main.c:600 iwd[426]: #13 0x7f858d793083 in /lib/x86_64-linux-gnu/libc.so.6 iwd[426]: +++++++++++++++++++++++++++
illiliti
pushed a commit
that referenced
this issue
Dec 7, 2023
If the FT-Authenticate frame has been sent then a deauth is received the work item for sending the FT-Associate frame is never canceled. When this runs station->connected_network is NULL which causes a crash: src/station.c:station_try_next_transition() 7, target xx:xx:xx:xx:xx:xx src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5843 src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5844 src/wiphy.c:wiphy_radio_work_done() Work item 5842 done src/wiphy.c:wiphy_radio_work_next() Starting work item 5843 src/netdev.c:netdev_mlme_notify() MLME notification Remain on Channel(55) src/ft.c:ft_send_authenticate() src/netdev.c:netdev_mlme_notify() MLME notification Frame TX Status(60) src/netdev.c:netdev_link_notify() event 16 on ifindex 7 src/netdev.c:netdev_mlme_notify() MLME notification Del Station(20) src/netdev.c:netdev_mlme_notify() MLME notification Deauthenticate(39) src/netdev.c:netdev_deauthenticate_event() src/netdev.c:netdev_mlme_notify() MLME notification Disconnect(48) src/netdev.c:netdev_disconnect_event() Received Deauthentication event, reason: 7, from_ap: true src/station.c:station_disconnect_event() 7 src/station.c:station_disassociated() 7 src/station.c:station_reset_connection_state() 7 src/station.c:station_roam_state_clear() 7 src/netconfig.c:netconfig_event_handler() l_netconfig event 2 src/netconfig-commit.c:netconfig_commit_print_addrs() removing address: yyy.yyy.yyy.yyy src/resolve.c:resolve_systemd_revert() ifindex: 7 [DHCPv4] l_dhcp_client_stop:1264 Entering state: DHCP_STATE_INIT src/station.c:station_enter_state() Old State: connected, new state: disconnected src/station.c:station_enter_state() Old State: disconnected, new state: autoconnect_quick src/wiphy.c:wiphy_radio_work_insert() Inserting work item 5845 src/netdev.c:netdev_mlme_notify() MLME notification Cancel Remain on Channel(56) src/wiphy.c:wiphy_radio_work_done() Work item 5843 done src/wiphy.c:wiphy_radio_work_next() Starting work item 5844 "Program terminated with signal SIGSEGV, Segmentation fault.", "#0 0x0000565359ee3f54 in network_bss_find_by_addr ()", "#0 0x0000565359ee3f54 in network_bss_find_by_addr ()", "#1 0x0000565359ec9d23 in station_ft_work_ready ()", "#2 0x0000565359ec0af0 in wiphy_radio_work_next ()", "#3 0x0000565359f20080 in offchannel_mlme_notify ()", "#4 0x0000565359f4416b in received_data ()", "#5 0x0000565359f40d90 in io_callback ()", "#6 0x0000565359f3ff4d in l_main_iterate ()", "#7 0x0000565359f4001c in l_main_run ()", "#8 0x0000565359f40240 in l_main_run_with_signal ()", "#9 0x0000565359eb3888 in main ()"
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Due to unknown circumstances(something related to dhcp/ipv6), eiwd may cause segfault while connecting to wifi.
Further investigation revealed that it was caused by passing NULL to
inet_ntopfunction.[0] The problem is here:
https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/icmp6.c#n291
[1] NULL is set to client->ra by
l_icmp6_client_stop:https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/icmp6.c#n516
[2] Which may be called by
l_dhcp6_client_stop:https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/dhcp6.c#n1854
[3] Which is called by
dhcp6_client_icmp6_event:https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/dhcp6.c#n1479
[4] Which is called via
client->event_handler:https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/icmp6.c#n268
[5]
client->event_handleris set byl_icmp6_client_set_event_handler:https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/dhcp6.c#n1513
[6] The actual problem is here:
https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/dhcp6.c#n1478
If
managedandotheris false,client->rawill be set to NULL and later deferenced byinet_ntop.https://git.kernel.org/pub/scm/libs/ell/ell.git/tree/ell/icmp6.c#n333:
The fix is trivial:
Looks like upstream is affected too? If so, i will try to send patch to mailing list.
The text was updated successfully, but these errors were encountered: