
Re: [PATCH v7 1/2] fs/erofs: Add support for EROFS


From: Daniel Axtens
Subject: Re: [PATCH v7 1/2] fs/erofs: Add support for EROFS
Date: Wed, 24 Apr 2024 01:08:46 +1000

Hi,

> EROFS [1] is a lightweight read-only filesystem designed for performance
> which has already been shipped in most Linux distributions as well as widely
> used in several scenarios, such as Android system partitions, container
> images, and rootfs for embedded devices.
> 
> This patch brings EROFS uncompressed support. Now, it's possible to boot
> directly through GRUB with an EROFS rootfs.


I ran a fuzzer with ASAN against your EROFS driver.

I found a couple of over-reads, but they only crash when ASAN is enabled.

=================================================================
==509871==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000078 at pc 0x55d0e2d31f13 bp 0x7ffdc4e46530 sp 0x7ffdc4e46528
READ of size 2 at 0x602000000078 thread T0
    #0 0x55d0e2d31f12 in erofs_iterate_dir grub/grub-core/fs/erofs.c:560:17
    #1 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
    #2 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
    #3 0x55d0e2d384a6 in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:82:7
    #4 0x55d0e2d78918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
    #5 0x55d0e2d786b8 in LLVMFuzzerRunDriver AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
    #6 0x55d0e2d7826d in main AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
    #7 0x7fe4a8ab0249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7fe4a8ab0304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #9 0x55d0e2c705d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)

0x602000000078 is located 7 bytes to the right of 1-byte region [0x602000000070,0x602000000071)
allocated by thread T0 here:
    #0 0x55d0e2cf341e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
    #1 0x55d0e2d3f7ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
    #2 0x55d0e2d31a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
    #3 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
    #4 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
    #5 0x55d0e2d384a6 in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:82:7
    #6 0x55d0e2d78918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7

SUMMARY: AddressSanitizer: heap-buffer-overflow grub/grub-core/fs/erofs.c:560:17 in erofs_iterate_dir
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa 00 01 fa fa fd fa fa fa 01[fa]
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==509871==ABORTING

=================================================================
==540775==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000003900 at pc 0x5640afb44ae4 bp 0x7ffc0a8a9d10 sp 0x7ffc0a8a9d08
READ of size 1 at 0x621000003900 thread T0
    #0 0x5640afb44ae3 in grub_strnlen grub/grub-core/kern/misc.c:605:10
    #1 0x5640afb15389 in erofs_iterate_dir grub/grub-core/fs/erofs.c:600:19
    #2 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
    #3 0x5640afb1c54b in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:87:3
    #4 0x5640afb5c918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
    #5 0x5640afb5c6b8 in LLVMFuzzerRunDriver AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
    #6 0x5640afb5c26d in main AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
    #7 0x7fa856fda249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7fa856fda304 in __libc_start_main csu/../csu/libc-start.c:360:3
    #9 0x5640afa545d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)

0x621000003900 is located 0 bytes to the right of 4096-byte region [0x621000002900,0x621000003900)
allocated by thread T0 here:
    #0 0x5640afad741e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
    #1 0x5640afb237ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
    #2 0x5640afb15a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
    #3 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
    #4 0x5640afb1c54b in LLVMFuzzerTestOneInput grub/grub-core/tests/fuzz/fsXX.c:87:3
    #5 0x5640afb5c918 in ExecuteFilesOnyByOne AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7

SUMMARY: AddressSanitizer: heap-buffer-overflow grub/grub-core/kern/misc.c:605:10 in grub_strnlen
Shadow bytes around the buggy address:
  0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==540775==ABORTING


I’ve attached the files that can reproduce these crashes if grub-fstest is 
built with ASAN and run like this:

./grub-fstest crasher.erofs ls '(loop0)/'

Kind regards,
Daniel

Attachment: crasher2.erofs
Description: Binary data

Attachment: crasher.erofs
Description: Binary data
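An added example, not GRUB's erofs.c and not the patch under review, of the two bounds checks the reports above call for when iterating a directory block: refusing a block shorter than one dirent before its nameoff is read (first report), and refusing a name offset at or past the end of the block before anything strnlen-like touches it (second report). It follows the EROFS on-disk dirent layout (12 bytes, names packed after the dirent array); the 32-byte block, its names and `sample_walk` are constructed here, and it walks a single block only.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* EROFS on-disk dirent: 12 bytes {le64 nid; le16 nameoff; u8 type; u8 pad}.
 * Names are packed after the dirent array; nameoff of entry 0 marks where. */
#define DIRENT_SZ   12
#define NAMEOFF_OFF 8
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static size_t nameoff_of(const uint8_t *b, size_t i) { return rd16(b + i * DIRENT_SZ + NAMEOFF_OFF); }

/* Walk one directory block of `size` bytes with every access bounds-checked.
 * Returns the entry count, or -1 if the on-disk layout is malformed. */
int erofs_walk_dir_block(const uint8_t *blk, size_t size,
                         void (*cb)(const char *, size_t, void *), void *arg)
{
    /* First report: a 1-byte block had its 2-byte nameoff read. Refuse early. */
    if (size < DIRENT_SZ)
        return -1;
    size_t first = nameoff_of(blk, 0);
    if (first < DIRENT_SZ || first > size || first % DIRENT_SZ != 0)
        return -1;
    size_t n = first / DIRENT_SZ;
    for (size_t i = 0; i < n; i++) {
        size_t off = nameoff_of(blk, i);
        size_t end = (i + 1 < n) ? nameoff_of(blk, i + 1) : size;
        /* Second report: nameoff == size pointed one past the buffer and
         * strnlen read there. Every name must start inside the block. */
        if (off < first || off >= size || end > size || end < off)
            return -1;
        size_t len = 0;   /* bounded scan; the last name may be NUL-terminated early */
        while (len < end - off && blk[off + len] != '\0')
            len++;
        cb((const char *)blk + off, len, arg);
    }
    return (int)n;
}
static void sum_len(const char *name, size_t len, void *arg) { (void)name; *(size_t *)arg += len; }
/* Constructed 32-byte sample (not a real image): two entries, "a" then "bc".
 * Returns the total name bytes seen, or -1 if the walker rejected the block. */
int sample_walk(uint16_t second_nameoff, size_t size)
{
    uint8_t b[32]; size_t total = 0;
    memset(b, 0, 32);
    put16(b + NAMEOFF_OFF, 24);                      /* 2 dirents, names from 24 */
    put16(b + DIRENT_SZ + NAMEOFF_OFF, second_nameoff);
    memcpy(b + 24, "abc", 3);
    return erofs_walk_dir_block(b, size, sum_len, &total) < 0 ? -1 : (int)total;
}
```

`sample_walk(25, 32)` walks the well-formed block and returns 3; `sample_walk(25, 1)` and `sample_walk(32, 32)` reproduce the shapes of the two reports and are rejected with -1 instead of over-reading.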
