Thanks! I will deal with it ASAP.
Yifan Zhao
On 2024/4/23 23:08, Daniel Axtens wrote:
Hi,
EROFS [1] is a lightweight read-only filesystem designed for performance
which has already been shipped in most Linux distributions as well as widely
used in several scenarios, such as Android system partitions, container
images, and rootfs for embedded devices.
This patch brings EROFS uncompressed support. Now, it's possible to boot
directly through GRUB with an EROFS rootfs.
I ran a fuzzer with ASAN against your EROFS driver.
I found a couple of over-reads, but they only crash when ASAN is enabled.
=================================================================
==509871==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000000078 at pc 0x55d0e2d31f13 bp 0x7ffdc4e46530 sp 0x7ffdc4e46528
READ of size 2 at 0x602000000078 thread T0
#0 0x55d0e2d31f12 in erofs_iterate_dir grub/grub-core/fs/erofs.c:560:17
#1 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
#2 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
#3 0x55d0e2d384a6 in LLVMFuzzerTestOneInput
grub/grub-core/tests/fuzz/fsXX.c:82:7
#4 0x55d0e2d78918 in ExecuteFilesOnyByOne
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
#5 0x55d0e2d786b8 in LLVMFuzzerRunDriver
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
#6 0x55d0e2d7826d in main
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
#7 0x7fe4a8ab0249 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7fe4a8ab0304 in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x55d0e2c705d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId:
4b530d3fec7f4416282e140912b5f92c1e66bc26)
0x602000000078 is located 7 bytes to the right of 1-byte region
[0x602000000070,0x602000000071)
allocated by thread T0 here:
#0 0x55d0e2cf341e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e)
(BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
#1 0x55d0e2d3f7ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
#2 0x55d0e2d31a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
#3 0x55d0e2d2ed7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
#4 0x55d0e2d446dd in grub_fs_probe grub/grub-core/kern/fs.c:73:6
#5 0x55d0e2d384a6 in LLVMFuzzerTestOneInput
grub/grub-core/tests/fuzz/fsXX.c:82:7
#6 0x55d0e2d78918 in ExecuteFilesOnyByOne
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
SUMMARY: AddressSanitizer: heap-buffer-overflow
grub/grub-core/fs/erofs.c:560:17 in erofs_iterate_dir
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 00 fa fa 00 01 fa fa fd fa fa fa 01[fa]
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==509871==ABORTING
=================================================================
==540775==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000003900 at pc 0x5640afb44ae4 bp 0x7ffc0a8a9d10 sp 0x7ffc0a8a9d08
READ of size 1 at 0x621000003900 thread T0
#0 0x5640afb44ae3 in grub_strnlen grub/grub-core/kern/misc.c:605:10
#1 0x5640afb15389 in erofs_iterate_dir grub/grub-core/fs/erofs.c:600:19
#2 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
#3 0x5640afb1c54b in LLVMFuzzerTestOneInput
grub/grub-core/tests/fuzz/fsXX.c:87:3
#4 0x5640afb5c918 in ExecuteFilesOnyByOne
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
#5 0x5640afb5c6b8 in LLVMFuzzerRunDriver
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c
#6 0x5640afb5c26d in main
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:320:10
#7 0x7fa856fda249 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#8 0x7fa856fda304 in __libc_start_main csu/../csu/libc-start.c:360:3
#9 0x5640afa545d0 in _start (grub-fuzz-fs-erofs.san+0x355d0) (BuildId:
4b530d3fec7f4416282e140912b5f92c1e66bc26)
0x621000003900 is located 0 bytes to the right of 4096-byte region
[0x621000002900,0x621000003900)
allocated by thread T0 here:
#0 0x5640afad741e in __interceptor_malloc (grub-fuzz-fs-erofs.san+0xb841e)
(BuildId: 4b530d3fec7f4416282e140912b5f92c1e66bc26)
#1 0x5640afb237ec in grub_malloc grub/grub-core/kern/emu/mm.c:42:9
#2 0x5640afb15a3d in erofs_iterate_dir grub/grub-core/fs/erofs.c:543:9
#3 0x5640afb12d7b in grub_erofs_dir grub/grub-core/fs/erofs.c:795:3
#4 0x5640afb1c54b in LLVMFuzzerTestOneInput
grub/grub-core/tests/fuzz/fsXX.c:87:3
#5 0x5640afb5c918 in ExecuteFilesOnyByOne
AFLplusplus64/utils/aflpp_driver/aflpp_driver.c:264:7
SUMMARY: AddressSanitizer: heap-buffer-overflow
grub/grub-core/kern/misc.c:605:10 in grub_strnlen
Shadow bytes around the buggy address:
0x0c427fff86d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff86e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8720:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==540775==ABORTING
I’ve attached the files that can reproduce these crashes if grub-fstest is
built with ASAN and run like this:
./grub-fstest crasher.erofs ls '(loop0)/'
Kind regards,
Daniel
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
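Added example, not GRUB's code and not part of either message above: a bounds-checked walk over one EROFS-style directory block in C, written from the defensive side of the two reports. It assumes the EROFS dirent layout (12-byte entries: 8-byte nid, 2-byte nameoff, file type, reserved byte, followed by the packed names, with the first entry's nameoff marking the end of the entry table) and checks every offset against the buffer length before touching it, so a buffer smaller than one dirent, or a name offset at or past the end of the block, is rejected instead of read. The builder, the scenario functions and all sample blocks are constructed for this illustration; the scenarios mirror the shapes of the two reported reads (a 2-byte field read from a 1-byte region, and a string scan starting exactly at the end of a block).

```c
/* Constructed example: defensive walk over an EROFS-style directory block.
 * Layout assumption: 12-byte dirents (nid, nameoff, file_type, reserved)
 * followed by packed, not necessarily NUL-terminated names. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DIRENT_SIZE 12

struct dirent_view {
    uint64_t nid;
    uint8_t file_type;
    const char *name;   /* points into the block, NOT NUL-terminated */
    size_t name_len;
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint64_t le64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Returns the number of entries visited, or -1 if the block is malformed.
 * Every read is checked against len first, so a truncated or corrupted block
 * never causes a read outside [buf, buf + len). */
int walk_dir_block(const uint8_t *buf, size_t len,
                   void (*cb)(const struct dirent_view *, void *), void *ctx)
{
    if (len < DIRENT_SIZE)                 /* nameoff of entry 0 must be readable */
        return -1;
    size_t table_end = le16(buf + 8);      /* where the dirent table ends */
    if (table_end == 0 || table_end % DIRENT_SIZE != 0 || table_end > len)
        return -1;
    size_t count = table_end / DIRENT_SIZE;

    for (size_t i = 0; i < count; i++) {
        const uint8_t *de = buf + i * DIRENT_SIZE;
        size_t nameoff = le16(de + 8);
        /* The next entry's nameoff bounds this name; the last name ends at len. */
        size_t name_end = (i + 1 < count) ? le16(de + DIRENT_SIZE + 8) : len;
        if (nameoff < table_end || nameoff >= len || name_end > len || name_end <= nameoff)
            return -1;
        /* Bounded scan: a missing terminator stops at name_end, never beyond. */
        const uint8_t *nul = memchr(buf + nameoff, '\0', name_end - nameoff);
        size_t name_len = nul ? (size_t)(nul - (buf + nameoff)) : name_end - nameoff;
        if (name_len == 0)
            return -1;
        struct dirent_view v = { le64(de), de[10], (const char *)(buf + nameoff), name_len };
        if (cb)
            cb(&v, ctx);
    }
    return (int)count;
}

/* Builds a well-formed block from constructed entries; returns its length. */
size_t build_dir_block(uint8_t *out, size_t cap, const char *const *names,
                       const uint64_t *nids, size_t n)
{
    size_t pos = n * DIRENT_SIZE, total = pos;
    for (size_t i = 0; i < n; i++) total += strlen(names[i]);
    if (total > cap) return 0;
    memset(out, 0, cap);
    for (size_t i = 0; i < n; i++) {
        uint8_t *de = out + i * DIRENT_SIZE;
        for (int b = 0; b < 8; b++) de[b] = (uint8_t)(nids[i] >> (8 * b));
        de[8] = (uint8_t)(pos & 0xff); de[9] = (uint8_t)(pos >> 8);
        de[10] = 1;                        /* constructed file-type value */
        memcpy(out + pos, names[i], strlen(names[i]));
        pos += strlen(names[i]);
    }
    return total;
}

static void count_cb(const struct dirent_view *v, void *ctx) { (void)v; (*(int *)ctx)++; }
static void len_cb(const struct dirent_view *v, void *ctx) { *(size_t *)ctx = v->name_len; }

int demo_valid_block(void) {                  /* ".", "..", "vmlinuz" -> 3 entries */
    uint8_t blk[64];
    const char *names[] = { ".", "..", "vmlinuz" };
    uint64_t nids[] = { 36, 36, 40 };         /* constructed inode numbers */
    size_t len = build_dir_block(blk, sizeof blk, names, nids, 3);
    int n = 0;
    return (walk_dir_block(blk, len, count_cb, &n) == 3 && n == 3) ? 3 : -1;
}
int demo_one_byte_block(void) {               /* 1-byte region: rejected, nothing read */
    uint8_t blk[1] = { 0 };
    return walk_dir_block(blk, sizeof blk, NULL, NULL);
}
int demo_name_at_block_end(void) {            /* last nameoff == len: rejected */
    uint8_t blk[28] = { 0 };
    blk[8] = 24;                              /* two entries, names start at 24 */
    memcpy(blk + 24, "abc", 3);               /* entry 0 name, NUL-terminated */
    blk[DIRENT_SIZE + 8] = 28;                /* entry 1 name would start at len */
    return walk_dir_block(blk, sizeof blk, NULL, NULL);
}
size_t demo_unterminated_last_name(void) {    /* name fills the block, no NUL: len 4 */
    uint8_t blk[16] = { 0 };
    blk[8] = 12;
    memcpy(blk + 12, "abcd", 4);
    size_t got = 0;
    walk_dir_block(blk, sizeof blk, len_cb, &got);
    return got;
}

int main(void) {
    printf("valid=%d one_byte=%d at_end=%d unterminated=%zu\n", demo_valid_block(),
           demo_one_byte_block(), demo_name_at_block_end(), demo_unterminated_last_name());
    return 0;
}
```

The point of the shape: the block length is the single source of truth, every offset taken from the (untrusted) on-disk data is compared against it before the read, and name scanning is done with a length-bounded memchr over the span the format itself defines, so a name that is not terminated, or a directory inode that is too small to hold one entry, fails cleanly instead of walking off the allocation.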