Date: Tue, 14 Feb 2023 16:29:46 -0800
From: bob prohaska
To: freebsd-arm@freebsd.org
Subject: Re: fsck segfaults on rpi3 running 13-stable (and on 14-CURRENT analyzing the same file system that resulted from the 13-STABLE crash)
Message-ID: <20230215002946.GA29330@www.zefox.net>
References: <20230212191308.GA21535@www.zefox.net> <20230212195324.GB21535@www.zefox.net> <03840D0B-13D4-4F22-BDAF-2887A4D78BED@yahoo.com> <20230213232519.GD95670@funkthat.com> <20230214161415.GA28276@www.zefox.net> <20230214183827.GG95670@funkthat.com> <20230214210601.GA28959@www.zefox.net> <20230214232746.GI95670@funkthat.com>
In-Reply-To: <20230214232746.GI95670@funkthat.com>
List-Id: Porting FreeBSD to ARM processors
List-Archive: https://lists.freebsd.org/archives/freebsd-arm

On Tue, Feb 14, 2023 at 03:27:46PM -0800, John-Mark Gurney wrote:
> bob prohaska wrote this message on Tue, Feb 14, 2023 at 13:06 -0800:
> > On Tue, Feb 14, 2023 at 10:38:27AM -0800, John-Mark Gurney wrote:
> > > bob prohaska wrote this message on Tue, Feb 14, 2023 at 08:14 -0800:
> > > >
> > > > Is this a demonstration that the fsck segfault can be reproduced
> > > > independently of my particular corrupt filesystem? AFL is new to me.
> > >
> > > Yes, it is.  It turns out that the FS to produce this failure is a LOT
> > > smaller than I expected when compressed, I have included it later in the
> > > email.  The constant above was taken directly from the failing FS.
> > >
> > > AFL is a very useful tool, and found this crash and apparently 50+
> > > other crashes in only 5-10 minutes of running...  I'll be investigating
> > > a few of the other crashes as well, as fsck does occasionally deal w/
> > > untrusted fs's.
> > >
> >
> > Would trying to run fsck on the corrupt filesystem from an 8GB Pi4
> > (also running -current) make any difference? I.e., might more physical
> > RAM cover up the bug and allow fsck to complete successfully?
>
> No, it will not.  It's trying to access memory address 0x4 which does
> not exist, no matter how much memory.
>
> In this case, an inode's mtime is wildly incorrect.  Here is a simple
> patch that will let it get farther, BUT, it doesn't necessarily mean
> that the kernel can properly handle the mtime:
> diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c
> index 82338f4f8c08..d0892a822dc5 100644
> --- a/sbin/fsck_ffs/inode.c
> +++ b/sbin/fsck_ffs/inode.c
> @@ -1311,7 +1311,10 @@ prtinode(struct inode *ip)
>  	printf("SIZE=%ju ", (uintmax_t)DIP(dp, di_size));
>  	t = DIP(dp, di_mtime);
>  	p = ctime(&t);
> -	printf("MTIME=%12.12s %4.4s ", &p[4], &p[20]);
> +	if (p == NULL)
> +		printf("MTIME=invalid ");
> +	else
> +		printf("MTIME=%12.12s %4.4s ", &p[4], &p[20]);
>  }
>  
>  void
>
> If you can get the inode number (should be in the gdb backtrace in one
> of the frames), you can use fsdb to switch to the inode (inode ),
> and then set the mtime to something reasonable (mtime 0), and then fsck
> should complete as well...
>

That looks fairly tricky. I'm tempted to just wait till the fix propagates
into -current, unless that'll take an extraordinary amount of time.

> > Is there a plain-English description of how AFL works? I gather it
> > manipulates input read by a program to discover improperly handled
> > cases, but even that is far from certain. There's no hope of me doing
> > anything useful with AFL. I'm merely curious.
>
> You are correct.  It instruments a program to see when it modifies
> the input, which branches it takes, and uses that to make better choices
> on how to mutate the input.
>
> In another email I sent the instructions on how I ran it, but I used:
> https://afl-1.readthedocs.io/en/latest/quick_start.html
>
> to figure/remind myself how to run it.  Only difference is that instead
> of running ./configure, I used make instead in the correct directory of
> the FreeBSD src tree.

The Wikipedia page is nearly readable for a non-programmer. It seems to
suggest that one starts with a valid input file and valid input command
for a specially-compiled version of the test program, then randomly
modifies the command or input, catalogs the result and repeats successively
until something gets past the program's error handling filters.

Thanks for writing!

bob prohaska
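Review bot: the new "invalid" branch in the prtinode hunk discards the very value the operator needs in order to find and repair the inode with fsdb, as the follow-up text suggests; print the raw seconds too, for example printf("MTIME=invalid (%jd) ", (intmax_t)t);. The NULL check is the right fix for the fault (the 0x4 in the backtrace is &p[4] evaluated with p == NULL), but the surviving else branch still indexes &p[4] and &p[20] on the assumption that ctime() returned its fixed-width 26-byte string; ctime_r() into a local buffer, or localtime_r() plus strftime(), would make that assumption explicit instead of relying on the static buffer's layout. Note also that the hunk only makes the display robust: nothing in it marks the inode as damaged, so fsck gets farther without the on-disk mtime being corrected, which is what the sentence above the patch already warns about.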
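As an added example, not code from fsck_ffs or the FreeBSD tree, the following C program is a small AFL-style target that shows both points of the thread at once: the out-of-range mtime check that prtinode() lacked, and the shape of a program one points afl-fuzz at. The record format (a file of 8-byte little-endian mtimes), the target name mtime_target, the seed file and the year-9999 upper bound are assumptions made for this example; the afl commands in the header comment follow the quick-start page linked above. The formatter uses gmtime_r() and strftime() into a caller-supplied buffer rather than ctime(), and reports the raw seconds when a value is rejected so the bad record can be located.

```c
/*
 * Added example (not fsck_ffs code): an AFL-style target that formats
 * 64-bit inode mtimes the way fsck's prtinode() does, but rejects values
 * that ctime() could not represent instead of dereferencing NULL.
 *
 * Input format (constructed for this example): zero or more records of
 * 8 bytes, each a little-endian int64 mtime in seconds since the epoch.
 *
 * Fuzzing it (assumes afl-gcc/afl-fuzz from the AFL quick start on PATH;
 * names are assumptions):
 *   afl-gcc -O1 -g -o mtime_target mtime_target.c
 *   mkdir in && head -c 8 /dev/zero > in/seed      # one record, mtime 0
 *   afl-fuzz -i in -o out -- ./mtime_target @@
 */
#define _POSIX_C_SOURCE 200809L
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MTIME_BUF 32
/* Assumed sanity bound for this example: 9999-12-31T23:59:59Z. */
static const int64_t MTIME_MAX = 253402300799LL;

/* Decode the 8-byte little-endian mtime at buf[off]; -1 if truncated. */
int read_mtime(const unsigned char *buf, size_t len, size_t off, int64_t *out)
{
    if (len < off || len - off < 8)
        return -1;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | buf[off + i];
    *out = (int64_t)v;
    return 0;
}

/*
 * Format secs as "Mon DD HH:MM YYYY" (UTC, so the result is host
 * independent) into out, which must hold MTIME_BUF bytes.  Returns 0 on
 * success; -1 with out = "invalid (<secs>)" when the value is out of
 * bounds or the libc cannot represent it (the case that makes ctime()
 * return NULL and crashed fsck).
 */
int format_mtime(int64_t secs, char *out, size_t outlen)
{
    struct tm tm;
    time_t t = (time_t)secs;

    if (secs < 0 || secs > MTIME_MAX || (int64_t)t != secs ||
        gmtime_r(&t, &tm) == NULL ||
        strftime(out, outlen, "%b %e %H:%M %Y", &tm) == 0) {
        snprintf(out, outlen, "invalid (%" PRId64 ")", secs);
        return -1;
    }
    return 0;
}

/*
 * Format every record in buf, logging to log when non-NULL.  Returns the
 * number of rejected mtimes, or -1 if the input ends in a partial record.
 */
int check_records(const unsigned char *buf, size_t len, FILE *log)
{
    int bad = 0;
    int64_t secs;
    char line[MTIME_BUF];

    for (size_t off = 0; off < len; off += 8) {
        if (read_mtime(buf, len, off, &secs) != 0)
            return -1;
        if (format_mtime(secs, line, sizeof line) != 0)
            bad++;
        if (log != NULL)
            fprintf(log, "record %zu: MTIME=%s\n", off / 8, line);
    }
    return bad;
}

/* 1 if secs formats exactly as expect (convenience for checks). */
int mtime_is(int64_t secs, const char *expect)
{
    char buf[MTIME_BUF];
    format_mtime(secs, buf, sizeof buf);
    return strcmp(buf, expect) == 0;
}

/* Constructed sample: mtime 0, 2023-02-15 00:29:46 UTC, and 1 << 62. */
int sample_records(FILE *log)
{
    static const unsigned char sample[] = {
        0, 0, 0, 0, 0, 0, 0, 0,                     /* 0 */
        0x7a, 0x27, 0xec, 0x63, 0, 0, 0, 0,         /* 1676420986 */
        0, 0, 0, 0, 0, 0, 0, 0x40,                  /* 1 << 62: rejected */
    };
    return check_records(sample, sizeof sample, log);
}

int main(int argc, char **argv)
{
    unsigned char buf[4096];
    if (argc != 2) {
        fprintf(stderr, "usage: %s mtime-file\n", argv[0]);
        return 2;
    }
    FILE *fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        perror(argv[1]);
        return 2;
    }
    size_t len = fread(buf, 1, sizeof buf, fp);
    fclose(fp);
    int bad = check_records(buf, len, stdout);
    if (bad < 0)
        fprintf(stderr, "truncated record at end of input\n");
    return bad == 0 ? 0 : 1;
}
```

Run under afl-fuzz with the all-zero seed, the mutator only has to raise one high byte of a record to reach the rejection path; with the original prtinode() logic that same mutation is the NULL dereference, which is why a fuzzer finds this class of bug quickly on untrusted filesystem images. The third sample record (1 << 62) exercises the path without any fuzzer.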