From: Hrutvik Kanabar <hrkanabar@gmail.com>
To: Hrutvik Kanabar <hrutvik@google.com>
Cc: "Darrick J . Wong" <djwong@kernel.org>, Chris Mason <clm@fb.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
kasan-dev@googlegroups.com, linux-ext4@vger.kernel.org,
Namjae Jeon <linkinjeon@kernel.org>,
Marco Elver <elver@google.com>,
Josef Bacik <josef@toxicpanda.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
David Sterba <dsterba@suse.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
Anton Altaparmakov <anton@tuxera.com>,
Theodore Ts'o <tytso@mit.edu>,
linux-ntfs-dev@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, Aleksandr Nogikh <nogikh@google.com>,
linux-fsdevel@vger.kernel.org,
Sungjong Seo <sj1557.seo@samsung.com>,
linux-btrfs@vger.kernel.org
Subject: [f2fs-dev] [PATCH RFC 0/7] fs: Debug config option to disable filesystem checksum verification for fuzzing
Date: Fri, 14 Oct 2022 08:48:30 +0000
Message-ID: <20221014084837.1787196-1-hrkanabar@gmail.com>
From: Hrutvik Kanabar <hrutvik@google.com>
Fuzzing is a proven technique to discover exploitable bugs in the Linux
kernel. But fuzzing filesystems is tricky: highly structured disk images
use redundant checksums to verify data integrity. Therefore,
randomly-mutated images are quickly rejected as corrupt, testing only
error-handling code effectively.

The Janus [1] and Hydra [2] projects probe filesystem code deeply by
correcting checksums after mutation. But their ad-hoc
checksum-correcting code supports only a few filesystems, and it is
difficult to support new ones - requiring significant duplication of
filesystem logic which must also be kept in sync with upstream changes.
Corrected checksums cannot be guaranteed to be valid, and reusing this
code across different fuzzing frameworks is non-trivial.

Instead, this RFC suggests a config option:
`DISABLE_FS_CSUM_VERIFICATION`. When it is enabled, all filesystems
should bypass redundant checksum verification, proceeding as if
checksums are valid. Setting of checksums should be unaffected. Mutated
images will no longer be rejected due to invalid checksums, allowing
testing of deeper code paths. Though some filesystems implement their
own flags to disable some checksums, this option should instead disable
all checksums for all filesystems uniformly. Critically, any bugs found
remain reproducible on production systems: redundant checksums in
mutated images can be fixed up to satisfy verification.

The patches below suggest a potential implementation for a few
filesystems, though we may have missed some checksums. The option
requires `DEBUG_KERNEL` and is not intended for production systems.

The first user of the option would be syzbot. We ran preliminary local
syzkaller tests to compare behaviour with and without these patches.
With the patches, we found a 19% increase in coverage, as well as many
new crash types and increases in the total number of crashes:

Filesystem | % new crash types | % increase in crashes
-----------|-------------------|----------------------
ext4       | 60%               | 1400%
btrfs      | 25%               | 185%
f2fs       | 63%               | 16%

[1] Fuzzing file systems via two-dimensional input space exploration,
Xu et al., 2019, IEEE Symposium on Security and Privacy,
doi: 10.1109/SP.2019.00035
[2] Finding semantic bugs in file systems with an extensible fuzzing
framework, Kim et al., 2019, ACM Symposium on Operating Systems
Principles, doi: 10.1145/3341301.3359662
Hrutvik Kanabar (7):
fs: create `DISABLE_FS_CSUM_VERIFICATION` config option
fs/ext4: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/btrfs: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/exfat: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/xfs: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/ntfs: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/f2fs: support `DISABLE_FS_CSUM_VERIFICATION` config option
fs/Kconfig.debug | 20 ++++++++++++++++++++
fs/btrfs/check-integrity.c | 3 ++-
fs/btrfs/disk-io.c | 6 ++++--
fs/btrfs/free-space-cache.c | 3 ++-
fs/btrfs/inode.c | 3 ++-
fs/btrfs/scrub.c | 9 ++++++---
fs/exfat/nls.c | 3 ++-
fs/exfat/super.c | 3 +++
fs/ext4/bitmap.c | 6 ++++--
fs/ext4/extents.c | 3 ++-
fs/ext4/inode.c | 3 ++-
fs/ext4/ioctl.c | 3 ++-
fs/ext4/mmp.c | 3 ++-
fs/ext4/namei.c | 6 ++++--
fs/ext4/orphan.c | 3 ++-
fs/ext4/super.c | 6 ++++--
fs/ext4/xattr.c | 3 ++-
fs/f2fs/checkpoint.c | 3 ++-
fs/f2fs/compress.c | 3 ++-
fs/f2fs/f2fs.h | 2 ++
fs/f2fs/inode.c | 3 +++
fs/ntfs/super.c | 3 ++-
fs/xfs/libxfs/xfs_cksum.h | 5 ++++-
lib/Kconfig.debug | 6 ++++++
24 files changed, 86 insertions(+), 25 deletions(-)
create mode 100644 fs/Kconfig.debug
--
2.38.0.413.g74048e4d9e-goog
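The cover letter describes a workflow in three parts: verification is bypassed under the option, setting of checksums is left alone, and a crash found with a mutated image is reproduced on a production kernel by fixing up the redundant checksum. The following is an added, self-contained userspace model of that workflow; it is not code from the patch set, and the `demo_block` structure, the `disable_fs_csum_verification` runtime flag standing in for `IS_ENABLED(CONFIG_DISABLE_FS_CSUM_VERIFICATION)`, the bitwise CRC32C helper and the mutation itself are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a runtime flag models the Kconfig option so both modes can be
 * shown in one process. In the kernel this would be a compile-time
 * IS_ENABLED(CONFIG_DISABLE_FS_CSUM_VERIFICATION) check. */
static bool disable_fs_csum_verification;

/* Bitwise CRC32C (Castagnoli, reflected polynomial 0x82F63B78), the checksum
 * family used by btrfs and ext4 metadata. Written out here for self-containment;
 * it is not the kernel's crc32c() implementation. */
static uint32_t crc32c(const void *data, size_t len)
{
	const uint8_t *p = data;
	uint32_t crc = 0xFFFFFFFFu;

	while (len--) {
		crc ^= *p++;
		for (int i = 0; i < 8; i++)
			crc = (crc >> 1) ^ (0x82F63B78u & -(crc & 1u));
	}
	return ~crc;
}

/* Constructed on-disk block: a payload protected by a trailing checksum. */
struct demo_block {
	uint8_t payload[60];
	uint32_t csum;
};

/* Setting a checksum is never affected by the option. */
static void demo_block_set_csum(struct demo_block *b)
{
	b->csum = crc32c(b->payload, sizeof(b->payload));
}

/* Verification is the only thing the option bypasses: with it enabled the
 * block is treated as if its checksum were valid, whatever it holds. */
static bool demo_block_verify_csum(const struct demo_block *b)
{
	if (disable_fs_csum_verification)
		return true;
	return b->csum == crc32c(b->payload, sizeof(b->payload));
}

/* Walks the workflow from the cover letter and returns how many of its five
 * expectations held (5 means every step behaved as described). */
static int run_workflow(void)
{
	struct demo_block b;
	int ok = 0;

	for (size_t i = 0; i < sizeof(b.payload); i++)
		b.payload[i] = (uint8_t)i;
	demo_block_set_csum(&b);

	/* 1. Production kernel: a well-formed block verifies. */
	disable_fs_csum_verification = false;
	ok += demo_block_verify_csum(&b);

	/* 2. Fuzzer flips one payload byte (constructed mutation); the
	 *    production kernel rejects the block as corrupt and only the
	 *    error path runs. */
	b.payload[7] ^= 0x5a;
	ok += !demo_block_verify_csum(&b);

	/* 3. Fuzzing kernel with the option: the same block is accepted, so
	 *    the code that consumes the payload is exercised. */
	disable_fs_csum_verification = true;
	ok += demo_block_verify_csum(&b);

	/* 4. The bypass touches only verification: the stored checksum is
	 *    left as it was, so the mismatch remains visible on disk. */
	ok += (b.csum != crc32c(b.payload, sizeof(b.payload)));

	/* 5. Reproducing on production: fix up the redundant checksum in the
	 *    mutated image and the unpatched verifier accepts it again. */
	disable_fs_csum_verification = false;
	demo_block_set_csum(&b);
	ok += demo_block_verify_csum(&b);

	return ok;
}

int main(void)
{
	printf("workflow checks passed: %d/5\n", run_workflow());
	return 0;
}
```

The fix-up in step 5 is the property the cover letter relies on: because the option never changes how checksums are written, a reproducer only has to recompute the redundant checksums of the mutated image to trigger the same code path on a kernel built without the option.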