Re: [PATCH v7 1/2] fs/erofs: Add support for EROFS

[Yifan Zhao]

Thanks! I will deal with it ASAP.


Yifan Zhao

On 2024/4/23 23:08, Daniel Axtens wrote:
> Hi,
>
> > EROFS [1] is a lightweight read-only filesystem designed for performance
> > which has already been shipped in most Linux distributions as well as widely
> > used in several scenarios, such as Android system partitions, container
> > images, and rootfs for embedded devices.
> >
> > This patch brings EROFS uncompressed support. Now, it's possible to boot
> > directly through GRUB with an EROFS rootfs.
>
> I ran a fuzzer with ASAN against the your EROFS driver.
>
> I found a couple of over-reads, but they only crash when ASAN is enabled.
>
> =================================================================
> ==509871==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x602000000078 at pc 0x55d0e2d31f13 bp 0x7ffdc4e46530 sp 0x7ffdc4e46528
> READ of size 2 at 0x602000000078 thread T0
>      #0 0x55d0e2d31f12 in erofs_iterate_dir grub/grub-core/fs/erofs.c:560:17
>      #1 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
>      #2 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
>      #3 0x55d0e2d384a6 in LLVMFuzzerTestOneInput 
> grub/grub-core/tests/fuzz/fsXX.c:82:7
>      #4 0x55d0e2d78918 in ExecuteFilesOnyByOne 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>      #5 0x55d0e2d786b8 in LLVMFuzzerRunDriver 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
>      #6 0x55d0e2d7826d in main 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
>      #7 0x7fe4a8ab0249 in __libc_start_call_main 
> csu/../sysdeps/nptl/libc_start_call_main.h:58:16
>      #8 0x7fe4a8ab0304 in __libc_start_main csu/../csu/libc-start.c:360:3
>      #9 0x55d0e2c705d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 
> 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>
> 0x602000000078 is located 7 bytes to the right of 1-byte region 
> [0x602000000070,0x602000000071)
> allocated by thread T0 here:
>      #0 0x55d0e2cf341e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) 
> (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>      #1 0x55d0e2d3f7ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
>      #2 0x55d0e2d31a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
>      #3 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
>      #4 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
>      #5 0x55d0e2d384a6 in LLVMFuzzerTestOneInput 
> grub/grub-core/tests/fuzz/fsXX.c:82:7
>      #6 0x55d0e2d78918 in ExecuteFilesOnyByOne 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> grub/grub-core/fs/erofs.c:560:17 in erofs_iterate_dir
> Shadow bytes around the buggy address:
>    0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c047fff8000: fa fa 00 00 fa fa 00 01 fa fa fd fa fa fa 01[fa]
>    0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>    Addressable:           00
>    Partially addressable: 01 02 03 04 05 06 07
>    Heap left redzone:       fa
>    Freed heap region:       fd
>    Stack left redzone:      f1
>    Stack mid redzone:       f2
>    Stack right redzone:     f3
>    Stack after return:      f5
>    Stack use after scope:   f8
>    Global redzone:          f9
>    Global init order:       f6
>    Poisoned by user:        f7
>    Container overflow:      fc
>    Array cookie:            ac
>    Intra object redzone:    bb
>    ASan internal:           fe
>    Left alloca redzone:     ca
>    Right alloca redzone:    cb
> ==509871==ABORTING
>
> =================================================================
> ==540775==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x621000003900 at pc 0x5640afb44ae4 bp 0x7ffc0a8a9d10 sp 0x7ffc0a8a9d08
> READ of size 1 at 0x621000003900 thread T0
>      #0 0x5640afb44ae3 in grub_strnlen grub/grub-core/kern/misc.c:605:10
>      #1 0x5640afb15389 in erofs_iterate_dir grub/grub-core/fs/erofs.c:600:19
>      #2 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
>      #3 0x5640afb1c54b in LLVMFuzzerTestOneInput 
> grub/grub-core/tests/fuzz/fsXX.c:87:3
>      #4 0x5640afb5c918 in ExecuteFilesOnyByOne 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>      #5 0x5640afb5c6b8 in LLVMFuzzerRunDriver 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
>      #6 0x5640afb5c26d in main 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
>      #7 0x7fa856fda249 in __libc_start_call_main 
> csu/../sysdeps/nptl/libc_start_call_main.h:58:16
>      #8 0x7fa856fda304 in __libc_start_main csu/../csu/libc-start.c:360:3
>      #9 0x5640afa545d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId: 
> 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>
> 0x621000003900 is located 0 bytes to the right of 4096-byte region 
> [0x621000002900,0x621000003900)
> allocated by thread T0 here:
>      #0 0x5640afad741e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e) 
> (BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
>      #1 0x5640afb237ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
>      #2 0x5640afb15a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
>      #3 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
>      #4 0x5640afb1c54b in LLVMFuzzerTestOneInput 
> grub/grub-core/tests/fuzz/fsXX.c:87:3
>      #5 0x5640afb5c918 in ExecuteFilesOnyByOne 
> AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
>
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> grub/grub-core/kern/misc.c:605:10 in grub_strnlen
> Shadow bytes around the buggy address:
>    0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>    0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>    Addressable:           00
>    Partially addressable: 01 02 03 04 05 06 07
>    Heap left redzone:       fa
>    Freed heap region:       fd
>    Stack left redzone:      f1
>    Stack mid redzone:       f2
>    Stack right redzone:     f3
>    Stack after return:      f5
>    Stack use after scope:   f8
>    Global redzone:          f9
>    Global init order:       f6
>    Poisoned by user:        f7
>    Container overflow:      fc
>    Array cookie:            ac
>    Intra object redzone:    bb
>    ASan internal:           fe
>    Left alloca redzone:     ca
>    Right alloca redzone:    cb
> ==540775==ABORTING
>
>
> I’ve attached the files that can reproduce these crashes if grub-fstest is 
> built with ASAN and run like this:
>
> ./grub-fstest crasher.erofs ls ‘(loop0)/'
>
> Kind regards,
> Daniel