PASN: Fix ASAN error in ptksa_cache_add()

==19798==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000663f8 at pc 0x55a2c485a232 bp 0x7ffeb42dcaf0 sp 0x7ffeb42dcae0
READ of size 8 at 0x6110000663f8 thread T0
Connect STA wlan0 to AP
    #0 0x55a2c485a231 in ptksa_cache_add ../src/common/ptksa_cache.c:310
    #1 0x55a2c4398045 in hostapd_store_ptksa ../src/ap/wpa_auth_glue.c:943
    #2 0x55a2c4430980 in wpa_auth_store_ptksa ../src/ap/wpa_auth.c:232
    #3 0x55a2c44578e1 in sm_WPA_PTK_PTKINITDONE_Enter ../src/ap/wpa_auth.c:3650
    #4 0x55a2c44578e1 in sm_WPA_PTK_Step ../src/ap/wpa_auth.c:3798
    #5 0x55a2c44578e1 in wpa_sm_step ../src/ap/wpa_auth.c:4437
    #6 0x55a2c445d99d in wpa_receive ../src/ap/wpa_auth.c:1411
    #7 0x55a2c43e7747 in ieee802_1x_receive ../src/ap/ieee802_1x.c:1118
    #8 0x55a2c43bbf73 in hostapd_event_eapol_rx ../src/ap/drv_callbacks.c:1542
    #9 0x55a2c43bbf73 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1932
    #10 0x55a2c466cb2d in drv_event_eapol_rx ../src/drivers/driver.h:6074
    #11 0x55a2c466cb2d in nl80211_control_port_frame ../src/drivers/driver_nl80211_event.c:2822
    #12 0x55a2c466cb2d in process_bss_event ../src/drivers/driver_nl80211_event.c:3194
    #13 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
    #14 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
    #15 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057
    #16 0x7feed9e91058 in nl_recvmsgs ./lib/nl.c:1081
    #17 0x55a2c45f2e8c in wpa_driver_nl80211_event_receive ../src/drivers/driver_nl80211.c:1782
    #18 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #19 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
    #20 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
    #21 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
    #22 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #23 0x55a2c432f3fd in _start (/home/mbr/hostapd/hostapd/hostapd+0x9f23fd)

0x6110000663f8 is located 184 bytes inside of 216-byte region [0x611000066340,0x611000066418)
freed by thread T0 here:
    #0 0x7feeda1477cf in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x55a2c44ce56b in os_free ../src/utils/os_unix.c:773
    #2 0x55a2c451a986 in radius_msg_free ../src/radius/radius.c:137
    #3 0x55a2c4527104 in radius_client_msg_free ../src/radius/radius_client.c:261
    #4 0x55a2c452f53c in radius_client_list_add ../src/radius/radius_client.c:715
    #5 0x55a2c452f53c in radius_client_send ../src/radius/radius_client.c:807
    #6 0x55a2c453b24c in accounting_sta_report ../src/ap/accounting.c:352
    #7 0x55a2c453d6e9 in accounting_sta_stop ../src/ap/accounting.c:384
    #8 0x55a2c44190fd in ap_free_sta ../src/ap/sta_info.c:194
    #9 0x55a2c4934530 in handle_deauth ../src/ap/ieee802_11.c:6035
    #10 0x55a2c4934530 in ieee802_11_mgmt ../src/ap/ieee802_11.c:6399
    #11 0x55a2c43bf114 in hostapd_mgmt_rx ../src/ap/drv_callbacks.c:1468
    #12 0x55a2c43bf114 in wpa_supplicant_event ../src/ap/drv_callbacks.c:1912
    #13 0x55a2c465faf7 in mlme_event_mgmt ../src/drivers/driver_nl80211_event.c:823
    #14 0x55a2c4661774 in mlme_event ../src/drivers/driver_nl80211_event.c:1135
    #15 0x55a2c466c43b in process_bss_event ../src/drivers/driver_nl80211_event.c:3177
    #16 0x7feed9e90b9b in nl_cb_call ./include/netlink-private/netlink.h:145
    #17 0x7feed9e90b9b in recvmsgs ./lib/nl.c:1006
    #18 0x7feed9e90b9b in nl_recvmsgs_report ./lib/nl.c:1057

previously allocated by thread T0 here:
    #0 0x7feeda147bc8 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55a2c44cd387 in os_malloc ../src/utils/os_unix.c:715
    #2 0x55a2c44ceb7f in os_zalloc ../src/utils/os_unix.c:779
    #3 0x55a2c451a9f2 in radius_msg_new ../src/radius/radius.c:109
    #4 0x55a2c4539a6e in accounting_msg ../src/ap/accounting.c:46
    #5 0x55a2c453be15 in accounting_report_state ../src/ap/accounting.c:439
    #6 0x55a2c453d91d in accounting_init ../src/ap/accounting.c:534
    #7 0x55a2c4378952 in hostapd_setup_bss ../src/ap/hostapd.c:1333
    #8 0x55a2c4382530 in hostapd_setup_interface_complete_sync ../src/ap/hostapd.c:2094
    #9 0x55a2c4382815 in hostapd_setup_interface_complete ../src/ap/hostapd.c:2229
    #10 0x55a2c4384100 in setup_interface2 ../src/ap/hostapd.c:1726
    #11 0x55a2c4386b58 in setup_interface ../src/ap/hostapd.c:1628
    #12 0x55a2c4386b58 in hostapd_setup_interface ../src/ap/hostapd.c:2318
    #13 0x55a2c4387a57 in hostapd_enable_iface ../src/ap/hostapd.c:2730
    #14 0x55a2c455d723 in hostapd_ctrl_iface_enable /home/mbr/hostapd/hostapd/ctrl_iface.c:1606
    #15 0x55a2c455d723 in hostapd_ctrl_iface_receive_process /home/mbr/hostapd/hostapd/ctrl_iface.c:3607
    #16 0x55a2c456821e in hostapd_ctrl_iface_receive /home/mbr/hostapd/hostapd/ctrl_iface.c:4018
    #17 0x55a2c44b9afa in eloop_sock_table_dispatch ../src/utils/eloop.c:603
    #18 0x55a2c44be122 in eloop_run ../src/utils/eloop.c:1228
    #19 0x55a2c43360bf in hostapd_global_run /home/mbr/hostapd/hostapd/main.c:451
    #20 0x55a2c43360bf in main /home/mbr/hostapd/hostapd/main.c:898
    #21 0x7feed8ce20b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/common/ptksa_cache.c:310 in ptksa_cache_add
Shadow bytes around the buggy address:
  0x0c2280004c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280004c30: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280004c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2280004c50: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c2280004c60: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2280004c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c2280004c80: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280004c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280004ca0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2280004cb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2280004cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19798==ABORTING

Fixes: a4e3691616 ("WPA: Add PTKSA cache implementation")
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This commit is contained in:
Michael Braun 2021-04-16 08:13:12 +02:00 committed by Jouni Malinen
parent af89683a43
commit 99c1789ab1

View file

@ -269,7 +269,7 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
u32 life_time, u32 life_time,
const struct wpa_ptk *ptk) const struct wpa_ptk *ptk)
{ {
struct ptksa_cache_entry *entry, *tmp; struct ptksa_cache_entry *entry, *tmp, *tmp2 = NULL;
struct os_reltime now; struct os_reltime now;
if (!ptksa || !ptk || !addr || !life_time || cipher == WPA_CIPHER_NONE) if (!ptksa || !ptk || !addr || !life_time || cipher == WPA_CIPHER_NONE)
@ -296,21 +296,21 @@ struct ptksa_cache_entry * ptksa_cache_add(struct ptksa_cache *ptksa,
entry->expiration = now.sec + life_time; entry->expiration = now.sec + life_time;
dl_list_for_each(tmp, &ptksa->ptksa, struct ptksa_cache_entry, list) { dl_list_for_each(tmp, &ptksa->ptksa, struct ptksa_cache_entry, list) {
if (tmp->expiration > entry->expiration) if (tmp->expiration > entry->expiration) {
tmp2 = tmp;
break; break;
}
} }
/* /*
* If the list was empty add to the head; otherwise if the expiration is * If the expiration is later then all other or the list is empty
* later then all other entries, add it to the end of the list; * entries, add it to the end of the list;
* otherwise add it before the relevant entry. * otherwise add it before the relevant entry.
*/ */
if (!tmp) if (tmp2)
dl_list_add(&ptksa->ptksa, &entry->list); dl_list_add(&tmp2->list, &entry->list);
else if (tmp->expiration < entry->expiration)
dl_list_add(&tmp->list, &entry->list);
else else
dl_list_add_tail(&tmp->list, &entry->list); dl_list_add_tail(&ptksa->ptksa, &entry->list);
ptksa->n_ptksa++; ptksa->n_ptksa++;
wpa_printf(MSG_DEBUG, wpa_printf(MSG_DEBUG,