linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* Kernel LZO compressor
@ 2019-03-19 20:15 Nick Terrell
  2019-03-25 13:13 ` Dave Rodgman
  0 siblings, 1 reply; 3+ messages in thread
From: Nick Terrell @ 2019-03-19 20:15 UTC (permalink / raw)
  To: dave.rodgman, linux-kernel, Kernel Team

Hi Dave,

I just saw you patches adding LZO-RLE, so I decided to fuzz the LZO
compressor and decompressor. I didn't find any crashes, but I found some edge
cases in the decompressor.

After compressing the empty input with lzo1x_1_compress() I get
[0x11, 0x00, 0x00] which is rejected by lzo1x_decompress_safe() on line 60
because *ip == 17 and in_len < 5 with error LZO_E_INPUT_OVERRUN.

After compressing the input [0x00] with lzorle1x_1_compress() I get
[0x11, 0x01, 0x00, 0x11, 0x00, 0x00] which is rejected by
lzo1x_decompress_safe() with error LZO_E_OUTPUT_OVERRUN.

I ported LZO to userspace by copying the headers from the kernel to
userspace and/or rewriting them. The fuzzers and ported LZO are in
a GitHub repo so it can be easily reproduced [1]. The compression
fuzzer is also included inline below.

```
#undef NDEBUG
#include <string.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <assert.h>
#include <stdio.h>

#include "lzo.h"

char wrkmem[LZO1X_MEM_COMPRESS];

#define RLE 1

extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  size_t outSize = lzo1x_worst_compress(size);
  uint8_t* const out = (uint8_t*)malloc(outSize);
  assert(out);
#if RLE
  assert(LZO_E_OK == lzorle1x_1_compress(data, size, out, &outSize, wrkmem));
#else
  assert(LZO_E_OK == lzo1x_1_compress(data, size, out, &outSize, wrkmem));
#endif
  uint8_t* const rt = (uint8_t*)malloc(size);
  assert(rt);
  size_t rtsize = size;
  int const ret = lzo1x_decompress_safe(out, outSize, rt, &rtsize);
  if (ret != LZO_E_OK) {
    assert(size < 4);
    fprintf(stderr, "INPUT: ");
    for (size_t i = 0; i < size; ++i)
      fprintf(stderr, "%u ", (unsigned)data[i]);
    fprintf(stderr, "\nOUTPUT: ");
    for (size_t i = 0; i < outSize; ++i)
      fprintf(stderr, "%u ", (unsigned)out[i]);
    fprintf(stderr, "\nret = %d\n", ret);
  }
  assert(ret == LZO_E_OK);
  assert(rtsize == size);
  assert(memcmp(data, rt, size) == 0);
  free(out);
  free(rt);
  return 0;
}
```

[1] https://github.com/terrelln/lzo-userspace-fuzz

Best,
Nick Terrell

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Kernel LZO compressor
  2019-03-19 20:15 Kernel LZO compressor Nick Terrell
@ 2019-03-25 13:13 ` Dave Rodgman
  2019-03-25 17:59   ` Nick Terrell
  0 siblings, 1 reply; 3+ messages in thread
From: Dave Rodgman @ 2019-03-25 13:13 UTC (permalink / raw)
  To: Nick Terrell, linux-kernel, Kernel Team

On 19/03/2019 8:15 pm, Nick Terrell wrote:
> Hi Dave,
>
> I just saw you patches adding LZO-RLE, so I decided to fuzz the LZO
> compressor and decompressor. I didn't find any crashes, but I found some edge
> cases in the decompressor.

Hi Nick,

Thanks - I will take a look at this. These cases won't affect zram, which is
currently the only place lzo-rle is used, because zram operates over complete
pages, but I would prefer not to have this kind of edge case lurking.

Presumably the fuzzer generates inputs of various sizes - how large did you
test up to?

thanks

Dave

>
> After compressing the empty input with lzo1x_1_compress() I get
> [0x11, 0x00, 0x00] which is rejected by lzo1x_decompress_safe() on line 60
> because *ip == 17 and in_len < 5 with error LZO_E_INPUT_OVERRUN.
>
> After compressing the input [0x00] with lzorle1x_1_compress() I get
> [0x11, 0x01, 0x00, 0x11, 0x00, 0x00] which is rejected by
> lzo1x_decompress_safe() with error LZO_E_OUTPUT_OVERRUN.
>
> I ported LZO to userspace by copying the headers from the kernel to
> userspace and/or rewriting them. The fuzzers and ported LZO are in
> a GitHub repo so it can be easily reproduced [1]. The compression
> fuzzer is also included inline below.
>
> ```
> #undef NDEBUG
> #include <string.h>
> #include <stdint.h>
> #include <stddef.h>
> #include <stdlib.h>
> #include <assert.h>
> #include <stdio.h>
>
> #include "lzo.h"
>
> char wrkmem[LZO1X_MEM_COMPRESS];
>
> #define RLE 1
>
> extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>   size_t outSize = lzo1x_worst_compress(size);
>   uint8_t* const out = (uint8_t*)malloc(outSize);
>   assert(out);
> #if RLE
>   assert(LZO_E_OK == lzorle1x_1_compress(data, size, out, &outSize, wrkmem));
> #else
>   assert(LZO_E_OK == lzo1x_1_compress(data, size, out, &outSize, wrkmem));
> #endif
>   uint8_t* const rt = (uint8_t*)malloc(size);
>   assert(rt);
>   size_t rtsize = size;
>   int const ret = lzo1x_decompress_safe(out, outSize, rt, &rtsize);
>   if (ret != LZO_E_OK) {
>     assert(size < 4);
>     fprintf(stderr, "INPUT: ");
>     for (size_t i = 0; i < size; ++i)
>       fprintf(stderr, "%u ", (unsigned)data[i]);
>     fprintf(stderr, "\nOUTPUT: ");
>     for (size_t i = 0; i < outSize; ++i)
>       fprintf(stderr, "%u ", (unsigned)out[i]);
>     fprintf(stderr, "\nret = %d\n", ret);
>   }
>   assert(ret == LZO_E_OK);
>   assert(rtsize == size);
>   assert(memcmp(data, rt, size) == 0);
>   free(out);
>   free(rt);
>   return 0;
> }
> ```
>
> [1] https://github.com/terrelln/lzo-userspace-fuzz
>
> Best,
> Nick Terrell
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: Kernel LZO compressor
  2019-03-25 13:13 ` Dave Rodgman
@ 2019-03-25 17:59   ` Nick Terrell
  0 siblings, 0 replies; 3+ messages in thread
From: Nick Terrell @ 2019-03-25 17:59 UTC (permalink / raw)
  To: Dave Rodgman; +Cc: linux-kernel, Kernel Team



> On Mar 25, 2019, at 6:13 AM, Dave Rodgman <dave.rodgman@arm.com> wrote:
> 
> On 19/03/2019 8:15 pm, Nick Terrell wrote:
>> Hi Dave,
>> 
>> I just saw you patches adding LZO-RLE, so I decided to fuzz the LZO
>> compressor and decompressor. I didn't find any crashes, but I found some edge
>> cases in the decompressor.
> 
> Hi Nick,
> 
> Thanks - I will take a look at this. These cases won't affect zram, which is
> currently the only place lzo-rle is used, because zram operates over complete
> pages, but I would prefer not to have this kind of edge case lurking.
> 
> Presumably the fuzzer generates inputs of various sizes - how large did you
> test up to?

I tested on inputs up to 4096 bytes large, which is the default, but the fuzzing
library libFuzzer has a flag -max_len which allows you to control the maximum
input size.

> thanks
> 
> Dave
> 
>> 
>> After compressing the empty input with lzo1x_1_compress() I get
>> [0x11, 0x00, 0x00] which is rejected by lzo1x_decompress_safe() on line 60
>> because *ip == 17 and in_len < 5 with error LZO_E_INPUT_OVERRUN.
>> 
>> After compressing the input [0x00] with lzorle1x_1_compress() I get
>> [0x11, 0x01, 0x00, 0x11, 0x00, 0x00] which is rejected by
>> lzo1x_decompress_safe() with error LZO_E_OUTPUT_OVERRUN.
>> 
>> I ported LZO to userspace by copying the headers from the kernel to
>> userspace and/or rewriting them. The fuzzers and ported LZO are in
>> a GitHub repo so it can be easily reproduced [1]. The compression
>> fuzzer is also included inline below.
>> 
>> ```
>> #undef NDEBUG
>> #include <string.h>
>> #include <stdint.h>
>> #include <stddef.h>
>> #include <stdlib.h>
>> #include <assert.h>
>> #include <stdio.h>
>> 
>> #include "lzo.h"
>> 
>> char wrkmem[LZO1X_MEM_COMPRESS];
>> 
>> #define RLE 1
>> 
>> extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
>>  size_t outSize = lzo1x_worst_compress(size);
>>  uint8_t* const out = (uint8_t*)malloc(outSize);
>>  assert(out);
>> #if RLE
>>  assert(LZO_E_OK == lzorle1x_1_compress(data, size, out, &outSize, wrkmem));
>> #else
>>  assert(LZO_E_OK == lzo1x_1_compress(data, size, out, &outSize, wrkmem));
>> #endif
>>  uint8_t* const rt = (uint8_t*)malloc(size);
>>  assert(rt);
>>  size_t rtsize = size;
>>  int const ret = lzo1x_decompress_safe(out, outSize, rt, &rtsize);
>>  if (ret != LZO_E_OK) {
>>    assert(size < 4);
>>    fprintf(stderr, "INPUT: ");
>>    for (size_t i = 0; i < size; ++i)
>>      fprintf(stderr, "%u ", (unsigned)data[i]);
>>    fprintf(stderr, "\nOUTPUT: ");
>>    for (size_t i = 0; i < outSize; ++i)
>>      fprintf(stderr, "%u ", (unsigned)out[i]);
>>    fprintf(stderr, "\nret = %d\n", ret);
>>  }
>>  assert(ret == LZO_E_OK);
>>  assert(rtsize == size);
>>  assert(memcmp(data, rt, size) == 0);
>>  free(out);
>>  free(rt);
>>  return 0;
>> }
>> ```
>> 
>> [1] https://github.com/terrelln/lzo-userspace-fuzz
>> 
>> Best,
>> Nick Terrell
>> 
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-03-25 17:59 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-19 20:15 Kernel LZO compressor Nick Terrell
2019-03-25 13:13 ` Dave Rodgman
2019-03-25 17:59   ` Nick Terrell

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).