From: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
To: Daniel Axtens <dja@axtens.net>
Cc: development@efficientek.com, Daniel Kiper <dkiper@net-space.pl>,
Gao Xiang <hsiangkao@linux.alibaba.com>,
grub-devel@gnu.org
Subject: Re: [PATCH v7 1/2] fs/erofs: Add support for EROFS
Date: Wed, 24 Apr 2024 00:38:55 +0800
Message-ID: <967a6a15-8dae-4e3d-9299-841278bbfff9@sjtu.edu.cn>
In-Reply-To: <9710D082-C425-4A0D-B528-A5AA4A677629@axtens.net>
Thanks! I will deal with it ASAP.
Yifan Zhao
On 2024/4/23 23:08, Daniel Axtens wrote:
> Hi,
>
>> EROFS [1] is a lightweight read-only filesystem designed for performance
>> which has already been shipped in most Linux distributions as well as widely
>> used in several scenarios, such as Android system partitions, container
>> images, and rootfs for embedded devices.
>>
>> This patch brings EROFS uncompressed support. Now, it's possible to boot
>> directly through GRUB with an EROFS rootfs.
>
> I ran a fuzzer with ASAN against your EROFS driver.
>
> I found a couple of over-reads, but they only crash when ASAN is enabled.
>
> =================================================================
> ==509871==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000078 at pc 0x55d0e2d31f13 bp 0x7ffdc4e46530 sp 0x7ffdc4e46528
> READ of size 2 at 0x602000000078 thread T0
> #0 0x55d0e2d31f12 in erofs_iterate_dir grub/grub-core/fs/erofs.c:560:17
> #1 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
> #2 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
> #3 0x55d0e2d384a6 in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:82:7
> #4 0x55d0e2d78918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
> #5 0x55d0e2d786b8 in LLVMFuzzerRunDriver AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
> #6 0x55d0e2d7826d in main AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
> #7 0x7fe4a8ab0249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> #8 0x7fe4a8ab0304 in __libc_start_main csu/../csu/libc-start.c:360:3
> #9 0x55d0e2c705d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>
> 0x602000000078 is located 7 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
> allocated by thread T0 here:
> #0 0x55d0e2cf341e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
> #1 0x55d0e2d3f7ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
> #2 0x55d0e2d31a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
> #3 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
> #4 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
> #5 0x55d0e2d384a6 in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:82:7
> #6 0x55d0e2d78918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow grub/grub-core/fs/erofs.c:560:17 in erofs_iterate_dir
> Shadow bytes around the buggy address:
> 0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 00 00 fa fa 00 01 fa fa fd fa fa fa 01[fa]
> 0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==509871==ABORTING
>
> =================================================================
> ==540775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003900 at pc 0x5640afb44ae4 bp 0x7ffc0a8a9d10 sp 0x7ffc0a8a9d08
> READ of size 1 at 0x621000003900 thread T0
> #0 0x5640afb44ae3 in grub_strnlen grub/grub-core/kern/misc.c:605:10
> #1 0x5640afb15389 in erofs_iterate_dir grub/grub-core/fs/erofs.c:600:19
> #2 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
> #3 0x5640afb1c54b in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:87:3
> #4 0x5640afb5c918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
> #5 0x5640afb5c6b8 in LLVMFuzzerRunDriver AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
> #6 0x5640afb5c26d in main AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
> #7 0x7fa856fda249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
> #8 0x7fa856fda304 in __libc_start_main csu/../csu/libc-start.c:360:3
> #9 0x5640afa545d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>
> 0x621000003900 is located 0 bytes to the right of 4096-byte region [0x621000002900,0x621000003900)
> allocated by thread T0 here:
> #0 0x5640afad741e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
> #1 0x5640afb237ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
> #2 0x5640afb15a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
> #3 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
> #4 0x5640afb1c54b in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:87:3
> #5 0x5640afb5c918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow grub/grub-core/kern/misc.c:605:10 in grub_strnlen
> Shadow bytes around the buggy address:
> 0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb
> ==540775==ABORTING
>
>
> I’ve attached the files that can reproduce these crashes if grub-fstest is built with ASAN and run like this:
>
> ./grub-fstest crasher.erofs ls '(loop0)/'
>
> Kind regards,
> Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
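An added example, not GRUB's driver and not code from this thread, showing the kind of bounds checks that prevent over-reads like the two reports above: every dirent field and name offset is checked against the block length before it is read, and the last name's length is computed with a limit that stops at the end of the block rather than at the next NUL. It assumes the on-disk layout from Linux's fs/erofs/erofs_fs.h (12-byte dirents followed by packed names); the sample block is constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define EROFS_DIRENT_SIZE 12u   /* le64 nid, le16 nameoff, u8 file_type, u8 reserved */

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Bounded length: never reads beyond `max` bytes, even if no NUL is present. */
static size_t bounded_len(const uint8_t *p, size_t max)
{
    size_t n = 0;
    while (n < max && p[n] != 0) n++;
    return n;
}

/* Walks one directory block of `len` bytes. Returns the entry count, or -1 if
 * the block is malformed; *last_name_len receives the final entry's name length.
 * Names are not NUL-terminated except possibly the last one, so each length is
 * derived from the next entry's nameoff or from the block end, never from a
 * free-running string scan. */
static int walk_dir_block(const uint8_t *blk, size_t len, size_t *last_name_len)
{
    if (len < EROFS_DIRENT_SIZE) return -1;             /* cannot hold a single dirent */
    uint16_t nameoff0 = rd_le16(blk + 8);               /* first name offset = end of dirent array */
    if (nameoff0 < EROFS_DIRENT_SIZE || nameoff0 % EROFS_DIRENT_SIZE || nameoff0 > len) return -1;
    unsigned n = nameoff0 / EROFS_DIRENT_SIZE;
    for (unsigned i = 0; i < n; i++) {
        uint16_t off = rd_le16(blk + i * EROFS_DIRENT_SIZE + 8);
        if (off < nameoff0 || off >= len) return -1;    /* name would start outside the block */
        size_t nlen;
        if (i + 1 < n) {
            uint16_t next = rd_le16(blk + (i + 1) * EROFS_DIRENT_SIZE + 8);
            if (next <= off || next > len) return -1;   /* non-monotonic or escapes the block */
            nlen = next - off;
        } else {
            nlen = bounded_len(blk + off, len - off);   /* last name: limit is the block end */
        }
        if (nlen == 0) return -1;
        *last_name_len = nlen;
    }
    return (int)n;
}

/* Constructed sample: two entries, "." then "foo", 28 bytes, no trailing NUL. */
static const uint8_t sample_blk[28] = {
    1,0,0,0,0,0,0,0, 24,0, 0,0,   /* nid=1, nameoff=24 */
    2,0,0,0,0,0,0,0, 25,0, 0,0,   /* nid=2, nameoff=25 */
    '.', 'f','o','o' };

int demo_valid(void)     { size_t l = 0; return walk_dir_block(sample_blk, sizeof sample_blk, &l) == 2 && l == 3; }
int demo_truncated(void) { size_t l = 0; return walk_dir_block(sample_blk, 1, &l) == -1; }
int demo_short(void)     { size_t l = 0; return walk_dir_block(sample_blk, 20, &l) == -1; }
```

`demo_truncated` mirrors the first report (a buffer far too small for the dirent being read) and `demo_valid` exercises the second (a final name that runs to the block end without a NUL); both return cleanly instead of over-reading.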
Thread overview:
2024-04-22 4:22 [PATCH v7 0/2] Introduce EROFS support Yifan Zhao
2024-04-22 4:22 ` [PATCH v7 1/2] fs/erofs: Add support for EROFS Yifan Zhao
2024-04-23 15:08 ` Daniel Axtens
2024-04-23 16:38 ` Yifan Zhao [this message]
2024-04-22 4:22 ` [PATCH v7 2/2] fs/erofs: Add tests for EROFS in grub-fs-tester Yifan Zhao