/* Rumpkernel assisted fuzzing of the NetBSD file system kernel code in userland */ /* $ LC_ALL=C date Sat Aug 31 02:10:59 CEST 2019 Author: Kamil Rytarowski ( kamil @ NetBSD DOT org) $ uname -a NetBSD chieftec 9.99.10 NetBSD 9.99.10 (GENERIC) #0: Wed Aug 28 22:13:46 CEST 2019 root@chieftec:/public/netbsd-root/sys/arch/amd64/compile/GENERIC amd64 */ /* * Problem statement * ================= * * A garbage disk volume can panic the kernel. * * NEWFS(8) System Manager's Manual NEWFS(8) * * NAME * newfs - construct a new file system * * [...] * * -G Treat garbage parameters as non-fatal. Using this option may * result in a file system which causes a kernel panic and * should only be used for testing. * [...] * * HISTORY * The newfs command appeared in 4.2BSD. * * NetBSD 9.99 April 13, 2019 NetBSD 9.99 */ /* * Personal experience * =================== * Not cleanly unmounted USB pendrive used to panic the NetBSD host. * * A typical workaround is to mount suspicious filesystems with rumpkernel in userspace (mount -o rump). */ /* * Expectation * =========== * Never ever crash the host kernel due to a malformed disk volume. */ /* * Idea * ==== * * Feed the mount(2) and unmount(2) system calls with a garbage volume. * Bypass the newfs(8) tool in this process and create the image by a fuzzer. * * Use modern compiler instrumentation and code coverage assisted fuzzing. * * Test the kernel code in userland to maximize the efficiency of the bug detecting process. */ /* * FAQ: * 1. What is rumpkernel? It's the NetBSD kernel code compilable and runnable as a standalone userland process. * 2. What is NetBSD? It's an Open-Source UNIX derived Operating System. * 3. What is this POC about? It's about fuzzing the unmodified kernel filesystem (VFS) code in userspace with userland tools. * 4. What is a sanitizer? A compiler instrumentation to ease bug detecting. * 5. What is a fuzzer? 
It's a computer program that generates random input attempting to crash the program that parses the input. * 6. Are there non-fuzzable programs? Yes, `hello world' ones and benchmarks. * 7. Why NetBSD? MKSANITIZER support; RUMPKERNEL; good and continuously improving support of tools (sanitizers, fuzzers, ptrace, ...) */ /* * Prerequisites: NetBSD/amd64 9.99.10 or newer (changes backported to NetBSD-9, for 9.0) * * Steps: * 1. Build the distribution with fuzzer coverage * * ./build.sh -j8 -N0 -U -u -V MAKECONF=/dev/null -V MKCOMPAT=no -V MKDEBUGLIB=yes -V MKDEBUG=yes -V MKSANITIZER=yes -V USE_SANITIZER=fuzzer-no-link -V MKLLVM=yes -V MKGCC=no -V HAVE_LLVM=yes -O /public/netbsd.fuzzer distribution * * `fuzzer-no-link' adds instrumentation, but does not add custom main() into programs. * * libFuzzer is a LIB fuzzer, a fuzzer for libraries and their APIs in particular. * https://llvm.org/docs/LibFuzzer.html * * 2. Install devel/honggfuzz (ptrace(2) aided fuzzing) on host * * honggfuzz makes use of the NetBSD ptrace(2) API to detect crashes * * https://github.com/google/honggfuzz * * 3. Mount useful dirs into destdir * * mount -t null /dev /public/netbsd.fuzzer/destdir.amd64/dev * mount -t null /dev/pts /public/netbsd.fuzzer/destdir.amd64/dev/pts * mount -t null /tmp /public/netbsd.fuzzer/destdir.amd64/tmp * mkdir -p /public/netbsd.fuzzer/destdir.amd64/usr/pkg * mount -t null /usr/pkg /public/netbsd.fuzzer/destdir.amd64/usr/pkg * * chroot /public/netbsd.fuzzer/destdir.amd64 * cd /tmp * * 4. Fetch this .c file and put into e.g. 
/tmp * * hfuzz-clang -lrumpvfs -lrump -lrumpfs_ffs -lrumpuser -lrumpdev_disk -lrumpdev -pthread rump_pub_etfs_register_buffer.c * mkdir corpus * newfs -F -s 10000 corpus/ffs.img * honggfuzz -P -f corpus/ -- ./a.out * Log after 1h of running the fuzzer: ------------------------[ 0 days 01 hrs 00 mins 00 secs ]---------------------- Iterations : 367,977 [367.98k] Mode : [2/2] Feedback Driven Mode Target : ./a.out Threads : 4, CPUs: 8, CPU%: 0% [0%/CPU] Speed : 25/sec [avg: 102] Crashes : 7817 [unique: 7817, blacklist: 0, verified: 0] Timeouts : 13 [10 sec] Corpus Size : 203, max size: 5,120,000 bytes, init dir: 361 files Cov Update : 0 days 00 hrs 00 mins 29 secs ago Coverage : edge: 28 pc: 206 cmp: 104,650 ---------------------------------- [ LOGS ] ------------------/ honggfuzz 1.7 /- Persistent mode: Launched new persistent PID: 18581 [ 1.0400090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0400090] rump kernel halting... halted [ 1.0300090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 817b2ac6 with allerror 0 [ 1.0300090] panic: ufs_inactive: dirty filesystem? [ 1.0300090] rump kernel halting... halted Crash: saved as './SIGABRT.PC.0.STACK.badbad183b661ac0.CODE.-5.ADDR.0x0.INSTR.jb_0x7f7ff4d79acd.2019-08-31.01:57:47.18384.fuzz' [2019-08-31T01:57:47+0200][W][5] arch_checkWait():230 Persistent mode: PID 18384 exited with status: SIGNALED, signal: 6 (Abort trap) Persistent mode: Launched new persistent PID: 10281 * Example trace (a tiny part of the log) of rumpkernel messages: [ 1.0900090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.0900090] rump kernel halting... 
halted [ 1.4300090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.4300090] /devdisk: lost blocks 0 files 0 [ 1.4500090] /devdisk: file system not clean (fs_clean=0x8); please fsck(8) [ 1.4500090] /devdisk: lost blocks 0 files 0 [ 1.6300090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.6300090] panic: ufs_inactive: dirty filesystem? [ 1.6300090] rump kernel halting... halted [ 1.4200090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.4200090] rump kernel halting... halted [ 3.5900090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.5900090] rump kernel halting... halted [ 1.1800090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1800090] rump kernel halting... halted [ 5.0300090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 5.0300090] rump kernel halting... halted [ 1.5700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.5700090] rump kernel halting... halted [ 1.2000090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.2000090] rump kernel halting... halted [ 1.2000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.2000090] rump kernel halting... 
halted [ 1.1000090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1000090] rump kernel halting... halted [ 1.1600090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1600090] /devdisk: lost blocks 0 files 0 [ 1.1600090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1600090] rump kernel halting... halted [ 1.0500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0500090] rump kernel halting... halted [ 1.0500090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0500090] rump kernel halting... halted [ 1.9000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.9000090] rump kernel halting... halted [ 1.2600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2600090] rump kernel halting... halted [ 1.4600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.4600090] rump kernel halting... halted [ 1.1000090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.1000090] panic: ufs_inactive: dirty filesystem? [ 1.1000090] rump kernel halting... halted [ 1.1600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1600090] rump kernel halting... 
halted [ 4.7300090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 4.7300090] rump kernel halting... halted [ 1.0700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0700090] rump kernel halting... halted [ 1.1100090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1100090] rump kernel halting... halted [ 1.1000090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.1000090] panic: ufs_inactive: dirty filesystem? [ 1.1000090] rump kernel halting... halted [ 12.7100090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 12.7100090] rump kernel halting... halted [ 2.2400090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 2.2400090] rump kernel halting... halted [ 1.1300090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1300090] rump kernel halting... halted [ 6.6000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 6.6000090] rump kernel halting... halted [ 1.1200090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.1200090] panic: ufs_inactive: dirty filesystem? [ 1.1200090] rump kernel halting... 
halted [ 1.0300090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0300090] rump kernel halting... halted [ 1.1900090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.1900090] rump kernel halting... halted [ 1.2400090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2400090] rump kernel halting... halted [ 1.1200090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.1200090] rump kernel halting... halted [ 1.1300090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1300090] rump kernel halting... halted [ 1.0500090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0500090] rump kernel halting... halted [ 2.4800090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.4800090] rump kernel halting... halted [ 1.1400090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1400090] rump kernel halting... halted [ 1.2400090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2400090] rump kernel halting... 
halted [ 8.4200090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 8.4200090] rump kernel halting... halted [ 1.2500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2500090] rump kernel halting... halted [ 1.2000090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.2000090] panic: ufs_inactive: dirty filesystem? [ 1.2000090] rump kernel halting... halted [ 1.0200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0200090] rump kernel halting... halted [ 1.1200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1200090] rump kernel halting... halted [ 1.1000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1000090] rump kernel halting... halted [ 1.2000090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.2000090] rump kernel halting... halted [ 1.1600090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1600090] /devdisk: lost blocks 0 files 0 [ 1.1600090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1600090] rump kernel halting... halted [ 1.2100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2100090] rump kernel halting... 
halted [ 1.0500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0500090] rump kernel halting... halted [ 1.3000090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.3000090] /devdisk: lost blocks 0 files 0 [ 1.0600090] /devdisk: file system not clean (fs_clean=0x8); please fsck(8) [ 1.0600090] /devdisk: lost blocks 0 files 0 [ 1.3000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.3000090] rump kernel halting... halted [ 1.0600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0600090] rump kernel halting... halted [ 1.0800090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0800090] rump kernel halting... halted [ 1.0700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0700090] rump kernel halting... halted [ 1.0500090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.0500090] panic: ufs_inactive: dirty filesystem? [ 1.0500090] rump kernel halting... halted [ 1.3200090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.3200090] panic: ufs_inactive: dirty filesystem? [ 1.3200090] rump kernel halting... halted [ 1.0500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0500090] rump kernel halting... 
halted [ 1.1000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1000090] rump kernel halting... halted [ 1.1900090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1900090] rump kernel halting... halted [ 1.0200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0200090] rump kernel halting... halted [ 1.1000090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1000090] /devdisk: lost blocks 0 files 0 [ 1.0300090] /devdisk: file system not clean (fs_clean=0x8); please fsck(8) [ 1.0300090] /devdisk: lost blocks 0 files 0 [ 1.6600090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.6600090] rump kernel halting... halted [ 1.4100090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.4100090] rump kernel halting... halted [ 1.0600090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.0600090] panic: ufs_inactive: dirty filesystem? [ 1.0600090] rump kernel halting... halted [ 1.0300090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0300090] rump kernel halting... halted [ 3.7300090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.7300090] rump kernel halting... 
halted [ 1.0700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0700090] rump kernel halting... halted [ 4.8100090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 4.8100090] rump kernel halting... halted [ 1.1800090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.1800090] rump kernel halting... halted [ 2.0700090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.0700090] rump kernel halting... halted [ 1.4000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.4000090] rump kernel halting... halted [ 1.3500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.3500090] rump kernel halting... halted [ 1.0700090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0700090] rump kernel halting... halted [ 1.1400090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1400090] rump kernel halting... halted [ 1.2100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2100090] rump kernel halting... 
halted [ 1.0200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0200090] rump kernel halting... halted [ 1.1100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1100090] rump kernel halting... halted [ 1.0600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0600090] rump kernel halting... halted [ 1.1000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1000090] rump kernel halting... halted [ 1.1200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1200090] rump kernel halting... halted [ 1.1000090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1000090] rump kernel halting... halted [ 1.1600090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1600090] /devdisk: lost blocks 0 files 0 [ 1.1600090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.1600090] panic: ufs_inactive: dirty filesystem? [ 1.3600090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.1600090] rump kernel halting... [ 1.3600090] panic: ufs_inactive: dirty filesystem? halted [ 1.3600090] rump kernel halting... halted [ 1.3200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.3200090] rump kernel halting... 
halted [ 1.0200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0200090] rump kernel halting... halted [ 1.1900090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1900090] rump kernel halting... halted [ 1.2600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2600090] rump kernel halting... halted [ 1.1100090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1100090] /devdisk: lost blocks 0 files 0 [ 1.3400090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.3400090] rump kernel halting... halted [ 1.1400090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.1400090] /devdisk: lost blocks 0 files 0 [ 1.1400090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1400090] rump kernel halting... halted [ 1.0900090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0900090] rump kernel halting... halted [ 1.2000090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2000090] rump kernel halting... halted [ 1.0300090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.0300090] panic: ufs_inactive: dirty filesystem? [ 1.0300090] rump kernel halting... 
halted [ 1.0300090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0300090] rump kernel halting... halted [ 1.2500090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.2500090] rump kernel halting... halted [ 1.4100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.4100090] rump kernel halting... halted [ 1.1600090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1600090] rump kernel halting... halted [ 1.8300090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.8300090] rump kernel halting... halted [ 1.1700090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 1.1700090] rump kernel halting... halted [ 5.3500090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 5.3500090] rump kernel halting... halted [ 1.2700090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.2700090] rump kernel halting... halted [ 2.4000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.4000090] rump kernel halting... 
halted [ 1.2400090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.2400090] panic: ufs_inactive: dirty filesystem? [ 1.2400090] rump kernel halting... halted [ 4.3600090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 4.3600090] rump kernel halting... halted [ 1.1100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1100090] rump kernel halting... halted [ 4.1500090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 4.1500090] rump kernel halting... halted [ 1.0300090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.0300090] panic: ufs_inactive: dirty filesystem? [ 1.0300090] rump kernel halting... halted [ 3.3000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.3000090] rump kernel halting... halted [ 1.0900090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0900090] rump kernel halting... halted [ 4.2000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 4.2000090] rump kernel halting... halted [ 2.0800090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.0800090] rump kernel halting... 
halted [ 1.1700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1700090] rump kernel halting... halted [ 1.0300090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0300090] rump kernel halting... halted [ 1.0200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0200090] rump kernel halting... halted [ 1.0300090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 1.0300090] panic: ufs_inactive: dirty filesystem? [ 1.0300090] rump kernel halting... halted [ 1.1500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1500090] rump kernel halting... halted [ 1.0700090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.0700090] rump kernel halting... halted [ 1.1800090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1800090] rump kernel halting... halted [ 1.1800090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1800090] rump kernel halting... halted [ 1.0500090] /devdisk: file system not clean (fs_clean=0x4); please fsck(8) [ 1.0500090] /devdisk: lost blocks 0 files 0 [ 1.6000090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.6000090] rump kernel halting... 
halted [ 1.2100090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.2100090] rump kernel halting... halted [ 3.1400090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.1400090] rump kernel halting... halted [ 1.1200090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1200090] rump kernel halting... halted [ 1.1400090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1400090] rump kernel halting... halted [ 3.9200090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.9200090] rump kernel halting... halted [ 1.0300090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0300090] rump kernel halting... halted [ 5.5000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 5.5000090] rump kernel halting... halted [ 1.9400090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.9400090] rump kernel halting... halted [ 2.5300090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.5300090] rump kernel halting... 
halted [ 5.4400090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 5.4400090] rump kernel halting... halted [ 6.2700090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 6.2700090] rump kernel halting... halted [ 2.4600090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 2.4600090] rump kernel halting... halted [ 3.0000090] panic: kernel diagnostic assertion "size + offset <= flen" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/librump/rumpvfs/rumpblk.c", line 292 [ 3.0000090] rump kernel halting... halted [ 1.1300090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.1300090] rump kernel halting... halted [ 1.1500090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1500090] rump kernel halting... halted [ 1.1800090] panic: kernel diagnostic assertion "oip->i_size == 0" failed: file "/usr/src/sys/rump/fs/lib/libffs/../../../../ufs/ffs/ffs_inode.c", line 227 [ 1.1800090] rump kernel halting... halted [ 1.0800090] panic: kernel diagnostic assertion "newsize != VSIZENOTSET && newsize >= 0" failed: file "/usr/src/lib/librumpvfs/../../sys/rump/../uvm/uvm_vnode.c", line 353 [ 1.0800090] rump kernel halting... 
halted ***** * Future work, use libFuzzer, needs more work * * clang -fsanitize=fuzzer -lrumpvfs -lrump -lrumpfs_ffs -lrumpuser -lrumpdev_disk -lrumpdev -pthread rump_pub_etfs_register_buffer.c * # ./a.out ./corpus/ -max_len=5120000 -jobs=1 ./a.out ./corpus/ -max_len=5120000 >fuzz-0.log 2>&1 ================== Job 0 exited with exit code 19712 ============ INFO: Seed: 2170333738 INFO: Loaded 10 modules (59024 inline 8-bit counters): 19889 [0x7f7ff7b9a330, 0x7f7ff7b9f0e1), 640 [0x7f7ff68126e0, 0x7f7ff6812960), 20115 [0x7f7ff71c8e2c, 0x7f7ff71cdcbf), 8664 [0x7f7ff76bf640, 0x7f7ff76c1818), 6161 [0x7f7ff6c7f090, 0x7f7ff6c808a1), 881 [0x7f7ff6416828, 0x7f7ff6416b99), 420 [0x7f7ff600b398, 0x7f7ff600b53c), 2120 [0x7f7ff462e480, 0x7f7ff462ecc8), 112 [0x7f7ff50041e8, 0x7f7ff5004258), 22 [0x674710, 0x674726), INFO: Loaded 10 PC tables (59024 PCs): 19889 [0x7f7ff7b9f0e8,0x7f7ff7becbf8), 640 [0x7f7ff6812960,0x7f7ff6815160), 20115 [0x7f7ff71cdcc0,0x7f7ff721c5f0), 8664 [0x7f7ff76c1818,0x7f7ff76e3598), 6161 [0x7f7ff6c808a8,0x7f7ff6c989b8), 881 [0x7f7ff6416ba0,0x7f7ff641a2b0), 420 [0x7f7ff600b540,0x7f7ff600cf80), 2120 [0x7f7ff462ecc8,0x7f7ff4637148), 112 [0x7f7ff5004258,0x7f7ff5004958), 22 [0x460a90,0x460bf0), INFO: 483 files found in ./corpus/ INFO: seed corpus: files: 483 min: 1b max: 5120000b total: 1213854782b rss: 30Mb [ 9.3500090] ufs_inactive: unlinked ino 2 on "/mnt" has non zero size 0 or blocks 1b8b53de with allerror 0 [ 9.3500090] panic: ufs_inactive: dirty filesystem? [ 9.3500090] rump kernel halting... halted ==10270== ERROR: libFuzzer: deadly signal #0 0x42394f in __sanitizer_print_stack_trace (/tmp/./a.out+0x42394f) #1 0x4224e5 in fuzzer::PrintStackTrace() (/tmp/./a.out+0x4224e5) #2 0x414136 in fuzzer::Fuzzer::CrashCallback() (/tmp/./a.out+0x414136) #3 0x4140f0 in fuzzer::Fuzzer::StaticCrashSignalCallback() (/tmp/./a.out+0x4140f0) NOTE: libFuzzer has rudimentary signal handlers. Combine libFuzzer with AddressSanitizer or similar for better crash reports. 
SUMMARY: libFuzzer: deadly signal MS: 0 ; base unit: 0000000000000000000000000000000000000000 artifact_prefix='./'; Test unit written to ./crash-efc072c6179538b4f28f911f4719693e3b683535 */ /* * TODO: * * - get MKSANITIZER sanitizers (ASan, UBSan, TSan, MSan, ...) functional with the whole userland and especially RUMP * - fuzz rumpkernels with sanitizers (ASan, UBSan, TSan, MSan, ...) involved * - fuzz with libFuzzer (needs sanitizers enabled) * - rework rumpkernel to be more sensitive to memory related bugs * (e.g. rework rumpkernel allocators to instrumented malloc(3) + free(3) pairs) * - add more sophisticated fuzzing scenarios than mount+umount * - fuzz other rumpkernel subsystems * - fix detected bugs * - 24/7 fuzzing instance testing NetBSD-current * * Last but not least.. implement rump_pub_etfs_register_buffer() as a native API call in the rumpkernel code. */ #include #include #include #include #include #include #include #include #include #include #include #include static struct ufs_args args; #define DISKPATH "/devdisk" #define MNTPATH "/mnt" #define BUFFERFILE "/tmp/buf" /* entry point for library fuzzers (libFuzzer / honggfuzz) */ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); /* * The rump ExtraTerrestrial File System (rump_etfs) is used to provide * access to the host file system namespace within a rump kernel. * * The current rump_etfs(3) API allows only to map a file. The fuzzer ships with * a buffer populated with a random data. As a quick workaround save the buffer * into a file located in /tmp (mounted as tmpfs - RAM filesystem) and mount * it into the rump system. 
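*/
static int
rump_pub_etfs_register_buffer(const char *key, const uint8_t *Data, size_t Size,
    enum rump_etfs_type ftype)
{
	FILE *fp;

	/*
	 * NOTE(review): BUFFERFILE is a single fixed path. fopen(3) follows a
	 * symlink already placed there, and two harness instances sharing the
	 * same /tmp would overwrite each other's image, so run one job per /tmp.
	 */
	fp = fopen(BUFFERFILE, "wb");
	if (fp == NULL)
		__builtin_trap(); /* what to do */

	if (fwrite(Data, sizeof(char), Size, fp) != Size)
		__builtin_trap(); /* what to do */

	/* fclose(3) flushes: a failure here means the image on disk is incomplete. */
	if (fclose(fp) == EOF)
		__builtin_trap(); /* what to do */

	return rump_pub_etfs_register(key, BUFFERFILE, ftype);
}

/* Initialize rumpkernel only once. */
static void
Initialize(void)
{
	if (rump_init() != 0)
		__builtin_trap(); /* what to do */

	if (rump_sys_mkdir(MNTPATH, 0777) == -1) {
		rump_sys_reboot(RUMP_RB_HALT, NULL);
		__builtin_trap(); /* what to do */
	}

	/* The mount source is the etfs key registered for every fuzzer input. */
	args.fspec = __UNCONST(DISKPATH);
}

/*
 * Fuzzer entry point: map one input as the block device DISKPATH, try to
 * mount and unmount it as FFS on MNTPATH, then drop the mapping again.
 *
 * Always returns 0; a panic inside the rump kernel is the only "failure"
 * the fuzzers are expected to observe.
 */
int
LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{
	static bool Initialized;

	if (!Initialized) {
		Initialize();
		Initialized = true;
	}

	if (rump_pub_etfs_register_buffer(DISKPATH, Data, Size, RUMP_ETFS_BLK)) {
		/*
		 * We shall return 0 on error paths as otherwise
		 * a fuzzer (honggfuzz) restarts the fuzzing process
		 * and restarting the program costs time.
		 */
		return 0;
	}

	/*
	 * A failed mount(2) is a legitimate rejection of the image, not a
	 * finding. The unmount(2) result is deliberately ignored: every path
	 * returns 0 and the etfs mapping is removed below regardless.
	 * NOTE(review): if unmount fails, MNTPATH stays busy for the next
	 * input; whether that is intended is not visible here.
	 */
	if (rump_sys_mount(MOUNT_FFS, MNTPATH, 0, &args, sizeof(args)) != -1)
		(void)rump_sys_unmount(MNTPATH, 0);

	if (rump_pub_etfs_remove(DISKPATH) == -1)
		__builtin_trap(); /* What to do? */

	return 0;
}

#ifdef MAIN
/*
 * For manual testing only: replay one input file (for example a crash
 * artifact written by the fuzzer) through the same entry point the
 * fuzzers use.
 */
int
main(int argc, char **argv)
{
	static const uint8_t empty[1];
	const uint8_t *memblock;
	struct stat sb;
	int fd;
	size_t sz;

	if (argc < 2)
		errx(1, "argc < 2");

	fd = open(argv[1], O_RDONLY);
	if (fd == -1)
		err(1, "open: %s", argv[1]);

	if (fstat(fd, &sb) == -1)
		err(1, "fstat: %s", argv[1]);
	sz = (size_t)sb.st_size;

	/* mmap(2) rejects a zero length, but an empty input is still a valid case. */
	if (sz == 0)
		return LLVMFuzzerTestOneInput(empty, 0);

	/* const uint8_t * matches the entry point, so no pointer-sign mismatch. */
	memblock = mmap(NULL, sz, PROT_READ, MAP_SHARED, fd, 0);
	if (memblock == MAP_FAILED)
		err(1, "mmap");

	/* fd and the mapping are released by process exit. */
	return LLVMFuzzerTestOneInput(memblock, sz);
}
#endif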