The inclusion of the EROFS file system in the Linux kernel has led to a discussion about how robust file system drivers in the kernel should be, as Linux Weekly News reports. Many file system drivers have known, unfixed vulnerabilities. XFS in particular is problematic.
EROFS is a compressed read-only file system developed by Huawei. Since version 4.19, it has been part of the so-called staging area of the Linux kernel, which contains drivers that are still being tested. Gao Xiang, one of the developers of EROFS, recently asked to ship the file system as a normal kernel file system driver.
How robust must kernel file system drivers be?
Kernel developer Richard Weinberger pointed out in the discussion that the code apparently expects the file system it reads to be correct and to contain no erroneous data. With little effort, he had managed to produce a faulty file system image that sent the EROFS code into an infinite loop. This led to a general discussion on whether Linux file system drivers can be expected to handle flawed file systems.
Theodore Ts'o, who maintains the kernel's Ext4 file system, pointed out that other file systems that have long been part of Linux also have such problems. He does try to fix such errors in Ext4, but it is not a high priority for him. It would be unfair, he said, to expect something of new file systems that existing file systems cannot deliver.
Fuzzing finds many bugs in file system drivers
There have been several attempts in the past to use fuzzing to find such errors in file system drivers. Here, a fuzzing tool generates faulty input data and tests whether it leads to crashes or other errors.
In 2016, Oracle developers used a modified version of American Fuzzy Lop (AFL) to find file system driver bugs. At the Usenix conference in 2017, another approach called kAFL, also based on AFL, was presented. Google's Syzkaller project also finds some errors in file system drivers and reports them automatically.
Wen Xu from the Georgia Institute of Technology extended this approach and, in May of this year, introduced a fuzzing method that tests not only the reading of a defective file system but also subsequent accesses to it. As part of this research, a number of bugs were reported to the kernel developers, including several memory corruption bugs. Many of the bugs in the file system drivers for XFS, ReiserFS, HFS, and GFS2 were not fixed. Three bugs are also listed for Ext4. These were fixed; probably only the closing of the corresponding bug reports was forgotten.
XFS developer finds fuzzing harmful
In several online discussions in the past, developers of the XFS file system wrote that they do not want to fix such errors. In response to a bug report from a kAFL developer, an XFS developer replied that he considers such fuzzing harmful.
Several times in these discussions, XFS developers pointed out that the current version of XFS contains CRC32 checksums. However, while these can detect random bit errors, they do not protect against maliciously manipulated file systems. Such checksum mechanisms do, however, make it more difficult to find bugs by fuzzing.
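The difference between catching random bit errors and catching deliberate manipulation, as an added example that is not from the article or from XFS. The block layout, field names and key are constructed for illustration, and the keyed MAC appears only as a contrast, not as something XFS implements.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed toy block: 4-byte little-endian CRC32, then the payload.
# This is not the XFS on-disk format; it only models a self-checksummed block.
def seal_crc(payload: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(payload)) + payload

def check_crc(block: bytes) -> bool:
    (stored,) = struct.unpack("<I", block[:4])
    return stored == zlib.crc32(block[4:])

# Contrast (assumption, not an XFS feature): a keyed MAC over the payload.
def seal_mac(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def check_mac(block: bytes, key: bytes) -> bool:
    expected = hmac.new(key, block[32:], hashlib.sha256).digest()
    return hmac.compare_digest(block[:32], expected)

def flip_bit(block: bytes, bit: int) -> bytes:
    out = bytearray(block)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def demo() -> dict:
    key = b"constructed-demo-key"           # hypothetical secret held by the verifier
    good = b"extent_count=3;next_block=17"  # constructed sample metadata
    edited = b"extent_count=3;next_block=99"
    crc_block = seal_crc(good)
    mac_block = seal_mac(good, key)
    return {
        "crc_accepts_original": check_crc(crc_block),
        # Random bit error, or a fuzzer's blind mutation: rejected before parsing.
        "crc_accepts_bit_flip": check_crc(flip_bit(crc_block, 77)),
        # Deliberate edit with the checksum recomputed: no secret needed, accepted.
        "crc_accepts_resealed_edit": check_crc(seal_crc(edited)),
        # Same edit under the MAC: without the key the old tag no longer matches.
        "mac_accepts_edit_old_tag": check_mac(mac_block[:32] + edited, key),
        "mac_accepts_original": check_mac(mac_block, key),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The rejected bit flip is also the reason checksummed metadata slows blind fuzzing: a mutated block fails the check before the parsing code runs, unless the fuzzer recomputes the checksum.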
Attacks via USB sticks and automount
This can be a security issue if faulty file system drivers contain memory corruption errors. Some Linux distributions automatically mount external drives such as USB sticks when they are connected. But even without automount there is a security risk: someone could, for example, hand users a USB stick with a file system that exploits such a vulnerability.
Either way, mounting foreign file systems is risky under these circumstances. As the discussion shows, you cannot rely on Linux file system drivers to handle malicious input data. And some kernel developers say openly that this is not their goal.