Description
When executing a fuzzing test for loading rtl8188eu, I found four array-index-out-of-bounds bugs reported by UBSAN in the dmesg logs:
[ 333.949883] ================================================================================
[ 333.949938] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1817:48
[ 333.949955] index 1 is out of range for type 'u8 [1]'
[ 333.949968] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G OE 6.6.58 #1
[ 333.949981] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 333.949988] Call Trace:
[ 333.949994] <IRQ>
[ 333.950002] dump_stack_lvl+0x48/0x70
[ 333.950027] dump_stack+0x10/0x20
[ 333.950039] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 333.950053] ? read_profile+0x321/0x660
[ 333.950066] HT_caps_handler+0x1d1/0x850 [8188eu]
[ 333.950439] ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[ 333.950771] OnAssocRsp+0x513/0x5e0 [8188eu]
[ 333.951089] _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[ 333.951388] ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.951674] ? _raw_spin_lock_bh+0x86/0xf0
[ 333.951691] mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[ 333.951985] ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[ 333.952357] ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.952654] ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[ 333.953011] validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[ 333.953350] validate_recv_frame+0x548/0x670 [8188eu]
[ 333.953682] ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[ 333.954006] ? rx_query_phy_status+0x926/0x990 [8188eu]
[ 333.954338] recv_func_prehandle+0x85/0xe0 [8188eu]
[ 333.954658] recv_func+0x56/0x340 [8188eu]
[ 333.954973] rtw_recv_entry+0x3b/0x140 [8188eu]
[ 333.955143] pre_recv_entry+0x7f/0x150 [8188eu]
[ 333.955202] recvbuf2recvframe+0x5b2/0x710 [8188eu]
[ 333.955269] usb_recv_tasklet+0x12b/0x230 [8188eu]
[ 333.955347] tasklet_action_common.constprop.0+0x275/0x670
[ 333.955351] tasklet_action+0x22/0x30
[ 333.955353] handle_softirqs+0x192/0x5d0
[ 333.955356] __irq_exit_rcu+0x15c/0x1b0
[ 333.955359] irq_exit_rcu+0xe/0x20
[ 333.955361] common_interrupt+0xa4/0xb0
[ 333.955363] </IRQ>
[ 333.955364] <TASK>
[ 333.955365] asm_common_interrupt+0x27/0x40
[ 333.955367] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 333.955370] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 333.955372] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[ 333.955375] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[ 333.955376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 333.955378] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[ 333.955379] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[ 333.955380] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[ 333.955382] ? __pfx_menu_select+0x10/0x10
[ 333.955386] cpuidle_enter+0x4f/0xb0
[ 333.955388] call_cpuidle+0x47/0xd0
[ 333.955391] do_idle+0x372/0x460
[ 333.955394] ? __pfx_do_idle+0x10/0x10
[ 333.955397] cpu_startup_entry+0x58/0x70
[ 333.955399] start_secondary+0x220/0x2b0
[ 333.955402] ? __pfx_start_secondary+0x10/0x10
[ 333.955404] secondary_startup_64_no_verify+0x18f/0x19b
[ 333.955408] </TASK>
[ 333.955410] ================================================================================
[ 333.955412] ================================================================================
[ 333.955413] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1822:75
[ 333.955416] index 2 is out of range for type 'u8 [1]'
[ 333.955418] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G OE 6.6.58 #1
[ 333.955420] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 333.955421] Call Trace:
[ 333.955422] <IRQ>
[ 333.955423] dump_stack_lvl+0x48/0x70
[ 333.955425] dump_stack+0x10/0x20
[ 333.955427] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 333.955429] ? read_profile+0x322/0x660
[ 333.955431] HT_caps_handler+0x2e2/0x850 [8188eu]
[ 333.955496] ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[ 333.955557] OnAssocRsp+0x513/0x5e0 [8188eu]
[ 333.955618] _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[ 333.955675] ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.955728] ? _raw_spin_lock_bh+0x86/0xf0
[ 333.955731] mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[ 333.955783] ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[ 333.955848] ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.955903] ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[ 333.955967] validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[ 333.956028] validate_recv_frame+0x548/0x670 [8188eu]
[ 333.956087] ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[ 333.956144] ? rx_query_phy_status+0x926/0x990 [8188eu]
[ 333.956203] recv_func_prehandle+0x85/0xe0 [8188eu]
[ 333.956260] recv_func+0x56/0x340 [8188eu]
[ 333.956318] rtw_recv_entry+0x3b/0x140 [8188eu]
[ 333.956374] pre_recv_entry+0x7f/0x150 [8188eu]
[ 333.956431] recvbuf2recvframe+0x5b2/0x710 [8188eu]
[ 333.956496] usb_recv_tasklet+0x12b/0x230 [8188eu]
[ 333.956572] tasklet_action_common.constprop.0+0x275/0x670
[ 333.956576] tasklet_action+0x22/0x30
[ 333.956578] handle_softirqs+0x192/0x5d0
[ 333.956581] __irq_exit_rcu+0x15c/0x1b0
[ 333.956583] irq_exit_rcu+0xe/0x20
[ 333.956585] common_interrupt+0xa4/0xb0
[ 333.956587] </IRQ>
[ 333.956588] <TASK>
[ 333.956589] asm_common_interrupt+0x27/0x40
[ 333.956591] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 333.956593] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 333.956594] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[ 333.956596] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[ 333.956597] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 333.956598] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[ 333.956600] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[ 333.956601] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[ 333.956603] ? __pfx_menu_select+0x10/0x10
[ 333.956606] cpuidle_enter+0x4f/0xb0
[ 333.956608] call_cpuidle+0x47/0xd0
[ 333.956610] do_idle+0x372/0x460
[ 333.956613] ? __pfx_do_idle+0x10/0x10
[ 333.956616] cpu_startup_entry+0x58/0x70
[ 333.956618] start_secondary+0x220/0x2b0
[ 333.956620] ? __pfx_start_secondary+0x10/0x10
[ 333.956622] secondary_startup_64_no_verify+0x18f/0x19b
[ 333.956626] </TASK>
[ 333.956627] ================================================================================
[ 333.956629] ================================================================================
[ 333.956630] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1828:76
[ 333.956632] index 2 is out of range for type 'u8 [1]'
[ 333.956634] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G OE 6.6.58 #1
[ 333.956636] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 333.956637] Call Trace:
[ 333.956638] <IRQ>
[ 333.956639] dump_stack_lvl+0x48/0x70
[ 333.956641] dump_stack+0x10/0x20
[ 333.956643] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 333.956645] ? read_profile+0x322/0x660
[ 333.956647] HT_caps_handler+0x35e/0x850 [8188eu]
[ 333.956712] ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[ 333.956775] OnAssocRsp+0x513/0x5e0 [8188eu]
[ 333.956834] _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[ 333.956891] ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.956943] ? _raw_spin_lock_bh+0x86/0xf0
[ 333.956946] mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[ 333.956998] ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[ 333.957064] ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.957117] ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[ 333.957182] validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[ 333.957242] validate_recv_frame+0x548/0x670 [8188eu]
[ 333.957299] ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[ 333.957356] ? rx_query_phy_status+0x926/0x990 [8188eu]
[ 333.957414] recv_func_prehandle+0x85/0xe0 [8188eu]
[ 333.957470] recv_func+0x56/0x340 [8188eu]
[ 333.957525] rtw_recv_entry+0x3b/0x140 [8188eu]
[ 333.957580] pre_recv_entry+0x7f/0x150 [8188eu]
[ 333.957635] recvbuf2recvframe+0x5b2/0x710 [8188eu]
[ 333.957701] usb_recv_tasklet+0x12b/0x230 [8188eu]
[ 333.957777] tasklet_action_common.constprop.0+0x275/0x670
[ 333.957780] tasklet_action+0x22/0x30
[ 333.957782] handle_softirqs+0x192/0x5d0
[ 333.957785] __irq_exit_rcu+0x15c/0x1b0
[ 333.957787] irq_exit_rcu+0xe/0x20
[ 333.957790] common_interrupt+0xa4/0xb0
[ 333.957791] </IRQ>
[ 333.957792] <TASK>
[ 333.957793] asm_common_interrupt+0x27/0x40
[ 333.957795] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 333.957796] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 333.957798] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[ 333.957800] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[ 333.957801] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 333.957802] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[ 333.957803] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[ 333.957804] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[ 333.957807] ? __pfx_menu_select+0x10/0x10
[ 333.957809] cpuidle_enter+0x4f/0xb0
[ 333.957811] call_cpuidle+0x47/0xd0
[ 333.957814] do_idle+0x372/0x460
[ 333.957816] ? __pfx_do_idle+0x10/0x10
[ 333.957819] cpu_startup_entry+0x58/0x70
[ 333.957822] start_secondary+0x220/0x2b0
[ 333.957824] ? __pfx_start_secondary+0x10/0x10
[ 333.957826] secondary_startup_64_no_verify+0x18f/0x19b
[ 333.957829] </TASK>
[ 333.957831] ================================================================================
[ 333.957832] ================================================================================
[ 333.957834] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTool/driver/rtl8188eus/core/rtw_wlan_util.c:1831:34
[ 333.957836] index 2 is out of range for type 'u8 [1]'
[ 333.957838] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G OE 6.6.58 #1
[ 333.957839] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 333.957840] Call Trace:
[ 333.957841] <IRQ>
[ 333.957842] dump_stack_lvl+0x48/0x70
[ 333.957844] dump_stack+0x10/0x20
[ 333.957846] __ubsan_handle_out_of_bounds+0xa2/0x100
[ 333.957848] ? read_profile+0x322/0x660
[ 333.957850] HT_caps_handler+0x378/0x850 [8188eu]
[ 333.957915] ? __pfx_HT_caps_handler+0x10/0x10 [8188eu]
[ 333.957978] OnAssocRsp+0x513/0x5e0 [8188eu]
[ 333.958039] _mgt_dispatcher+0x11b/0x1a0 [8188eu]
[ 333.958095] ? __pfx__mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.958146] ? _raw_spin_lock_bh+0x86/0xf0
[ 333.958149] mgt_dispatcher+0x3a7/0x4a0 [8188eu]
[ 333.958201] ? rtw_get_stainfo+0x30c/0x360 [8188eu]
[ 333.958268] ? __pfx_mgt_dispatcher+0x10/0x10 [8188eu]
[ 333.958321] ? recvframe_chk_defrag+0x15c/0x280 [8188eu]
[ 333.958387] validate_recv_mgnt_frame+0x178/0x4b0 [8188eu]
[ 333.958448] validate_recv_frame+0x548/0x670 [8188eu]
[ 333.958509] ? __pfx_validate_recv_frame+0x10/0x10 [8188eu]
[ 333.958568] ? rx_query_phy_status+0x926/0x990 [8188eu]
[ 333.958627] recv_func_prehandle+0x85/0xe0 [8188eu]
[ 333.958686] recv_func+0x56/0x340 [8188eu]
[ 333.958744] rtw_recv_entry+0x3b/0x140 [8188eu]
[ 333.958801] pre_recv_entry+0x7f/0x150 [8188eu]
[ 333.958859] recvbuf2recvframe+0x5b2/0x710 [8188eu]
[ 333.958924] usb_recv_tasklet+0x12b/0x230 [8188eu]
[ 333.958999] tasklet_action_common.constprop.0+0x275/0x670
[ 333.959002] tasklet_action+0x22/0x30
[ 333.959004] handle_softirqs+0x192/0x5d0
[ 333.959007] __irq_exit_rcu+0x15c/0x1b0
[ 333.959010] irq_exit_rcu+0xe/0x20
[ 333.959012] common_interrupt+0xa4/0xb0
[ 333.959014] </IRQ>
[ 333.959014] <TASK>
[ 333.959016] asm_common_interrupt+0x27/0x40
[ 333.959017] RIP: 0010:cpuidle_enter_state+0x1df/0x520
[ 333.959019] Code: 01 73 dd 48 83 c4 28 44 89 f0 5b 41 5c 41 5d 41 5e 41 5f 5d 31 d2 31 c9 31 f6 31 ff 45 31 c0 c3 cc cc cc cc fb 0f 1f 44 00 00 <45> 85 f6 0f 89 06 ff ff ff 48 c7 43 18 00 00 00 00 49 83 fd 09 0f
[ 333.959020] RSP: 0018:ffff888100dd7d30 EFLAGS: 00000246
[ 333.959022] RAX: 0000000000000000 RBX: ffff88885c34ffe0 RCX: 0000000000000000
[ 333.959023] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 333.959024] RBP: ffff888100dd7d80 R08: 0000000000000000 R09: 0000000000000000
[ 333.959026] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffb50627c0
[ 333.959027] R13: 0000000000000004 R14: 0000000000000004 R15: 0000004dc0f4894b
[ 333.959029] ? __pfx_menu_select+0x10/0x10
[ 333.959032] cpuidle_enter+0x4f/0xb0
[ 333.959034] call_cpuidle+0x47/0xd0
[ 333.959036] do_idle+0x372/0x460
[ 333.959039] ? __pfx_do_idle+0x10/0x10
[ 333.959042] cpu_startup_entry+0x58/0x70
[ 333.959044] start_secondary+0x220/0x2b0
[ 333.959046] ? __pfx_start_secondary+0x10/0x10
[ 333.959048] secondary_startup_64_no_verify+0x18f/0x19b
[ 333.959051] </TASK>
[ 333.959053] ================================================================================
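All four reports above fire inside HT_caps_handler while OnAssocRsp parses a received management frame, and each names the type 'u8 [1]'. That type string is what UBSAN's array-bounds check prints when code indexes a trailing one-element array, the pre-C99 idiom for "variable-length body follows this header": the sanitizer trusts the declared bound of 1, so data[1] and data[2] are flagged whether or not the bytes really exist in the receive buffer. The usual remedy is the one the mainline kernel applies to such structs: declare the body as a C99 flexible array member and bound every access by the length actually received, so a truncated or over-long element is rejected instead of read past. The example below is added here for illustration and is not code from the rtl8188eus driver or from this issue; the two struct layouts are hypothetical (modelled on the generic 802.11 element header of ID, length, body), the element ID 45 and body length 26 are the 802.11 HT Capabilities element constants, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Pre-C99 idiom (hypothetical, not the driver's struct): a one-element
 * trailing array standing in for a variable-length body. With
 * -fsanitize=array-bounds the compiler trusts the declared bound, so
 * data[1], data[2], ... are reported as out of range for type 'u8 [1]'. */
struct ie_fake_flex {
    u8 id;
    u8 len;
    u8 data[1];
};

/* C99 flexible array member: the bound comes from the enclosing buffer, so
 * the sanitizer stays silent and the length check must be written out. */
struct ie_flex {
    u8 id;
    u8 len;
    u8 data[];
};

#define IE_HDR_LEN 2u
#define WLAN_EID_HT_CAPABILITY 45u  /* 802.11 HT Capabilities element ID */
#define HT_CAP_BODY_LEN 26u         /* its fixed body length */

/* Declared bound the sanitizer enforces on the legacy layout: always 1. */
size_t fake_flex_declared_bound(void)
{
    return sizeof(((struct ie_fake_flex *)0)->data) / sizeof(u8);
}

/* Validate an element against the bytes actually available. Returns the
 * element, or NULL when the header is truncated or the advertised length
 * runs past the end of the buffer. */
const struct ie_flex *ie_parse(const u8 *buf, size_t avail)
{
    const struct ie_flex *ie = (const struct ie_flex *)buf;

    if (avail < IE_HDR_LEN)
        return NULL;
    if ((size_t)ie->len > avail - IE_HDR_LEN)
        return NULL;
    return ie;
}

/* Bounds-checked body access: 1 on success, 0 when idx is past ie->len. */
int ie_body_byte(const struct ie_flex *ie, size_t idx, u8 *out)
{
    if (ie == NULL || idx >= ie->len)
        return 0;
    *out = ie->data[idx];
    return 1;
}

/* Constructed HT Capabilities element: id 45, len 26, body byte i = 0x10+i. */
static u8 sample_ht_ie[IE_HDR_LEN + HT_CAP_BODY_LEN];

static void build_sample(void)
{
    size_t i;
    sample_ht_ie[0] = WLAN_EID_HT_CAPABILITY;
    sample_ht_ie[1] = HT_CAP_BODY_LEN;
    for (i = 0; i < HT_CAP_BODY_LEN; i++)
        sample_ht_ie[IE_HDR_LEN + i] = (u8)(0x10 + i);
}

/* Whole element present: returns body[2] (0x12), or -1 on rejection. */
int demo_well_formed(void)
{
    u8 v;
    build_sample();
    const struct ie_flex *ie = ie_parse(sample_ht_ie, sizeof(sample_ht_ie));
    return ie_body_byte(ie, 2, &v) ? (int)v : -1;
}

/* Same element, but only 10 bytes of it arrived: the parser must reject it. */
int demo_truncated(void)
{
    build_sample();
    return ie_parse(sample_ht_ie, 10) == NULL;
}

/* An index past the advertised length is refused even though memory exists. */
int demo_index_past_len(void)
{
    u8 v;
    build_sample();
    const struct ie_flex *ie = ie_parse(sample_ht_ie, sizeof(sample_ht_ie));
    return ie_body_byte(ie, HT_CAP_BODY_LEN, &v) == 0;
}

int main(void)
{
    printf("legacy declared bound: %zu\n", fake_flex_declared_bound());
    printf("body[2]=0x%02x truncated_rejected=%d overrun_refused=%d\n",
           demo_well_formed(), demo_truncated(), demo_index_past_len());
    return 0;
}
```

The point of the two structs side by side is diagnostic: if the driver's header type really is a one-element array, the reports are the sanitizer enforcing the declared bound and the conversion to a flexible array member silences them, but only the explicit check in ie_parse against the bytes received turns the read into a safe one when a peer sends a shorter element than its length field claims.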