Runtime Error with Syft on Singularity .sif file (panic: index out of range) #3390

Closed
SaurabhNair96 opened this issue Oct 28, 2024 · 7 comments · Fixed by anchore/stereoscope#329

@SaurabhNair96

Description: I'm attempting to generate an SBOM for a Singularity file using Syft, but I encounter a runtime error.
Below is my setup and the command I used. I apologize, but due to the proprietary nature of the code I cannot share the .sif file.

Environment:
OS: Windows 10 running a virtual Ubuntu 24.04.1
Syft version: 1.14.1

Steps taken:

  1. Running the tool directly on the sif file
    syft scan singularity:/mnt/shareee/siffiles/[FILE].sif -o cyclonedx-json > sbom-output.json

Error:
panic: runtime error: index out of range [512] with length 512

running syft scan singularity:/mnt/shareee/siffiles/[FILE].sif -o cyclonedx-json > sbom-output.json -vv
returns

panic: runtime error: index out of range [512] with length 512

goroutine 52 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc000162000, 0x16abf80?)
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x53?, 0xc000162000)
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:120 +0x67e
github.com/sylabs/squashfs.(*File).initializeReaders(...)
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:176
github.com/sylabs/squashfs.(*File).Read(0xc001e28180, {0xc001378000, 0xc00, 0xc00})
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:103 +0x5c
github.com/anchore/stereoscope/pkg/file.(*sizer).Read(0xc0016ab248, {0xc001378000?, 0xc0004aa0e8?, 0x458849?})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/mime_type.go:41 +0x28
io.ReadAtLeast({0x1fafbc0, 0xc0016ab248}, {0xc001378000, 0xc00, 0xc00}, 0xc00)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:335 +0x90
io.ReadFull(...)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:354
github.com/gabriel-vasile/mimetype.DetectReader({0x1fafbc0, 0xc0016ab248})
/home/runner/go/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.6/mimetype.go:61 +0xe5
github.com/anchore/stereoscope/pkg/file.MIMEType({0x1fafbe0, 0xc001e28180})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/mime_type.go:21 +0x85
github.com/anchore/stereoscope/pkg/file.NewMetadataFromSquashFSFile({0xc001449f60, 0x1b}, 0xc001e28180)
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/metadata.go:118 +0x475
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer.squashfsVisitor.func1({0x1fafba0?, 0xc0001a0de0?}, {0xc0001fc150, 0x6f}, {0xc001449f60, 0x1b})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:331 +0x16b
github.com/anchore/stereoscope/pkg/file.WalkSquashFS.walkDir.func1({0xc001449f60?, 0x0?}, {0x0?, 0x0?}, {0x0?, 0x0?})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/squashfs_walk.go:47 +0x57
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc001449f60, 0x1b}, {0x1fbe920, 0xc0002eac20}, 0xc0004aa9d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:73 +0x6c
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc0008abea8, 0x11}, {0x1fbe920, 0xc0003d0000}, 0xc0004aa9d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc00047ca67, 0x7}, {0x1fbe920, 0xc00068a190}, 0xc0004aa9d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0xc000682d5a, 0x3}, {0x1fbe920, 0xc0001a0120}, 0xc0004aa9d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fafba0, 0xc0001a0de0}, {0x1f9ef28, 0x1}, {0x1fbe920, 0xc0001a0e00}, 0xc0004aa9d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.WalkDir({0x1fafba0, 0xc0001a0de0}, {0x1f9ef28, 0x1}, 0xc0006529d8)
/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:122 +0xa5
github.com/anchore/stereoscope/pkg/file.WalkSquashFS({0xc0001fc150, 0x6f}, 0xc000652ae0)
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/file/squashfs_walk.go:37 +0x138
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer(0xc0005a26c0, 0xc000100008?, {0xc00009a090, 0x27}, 0xc0000c81c8)
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:167 +0x399
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(0xc0005a26c0, 0xc0000d2f90, 0x0, {0xc00009a090, 0x27})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/layer.go:106 +0x149
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc000260008)
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/image.go:227 +0x6e5
github.com/anchore/stereoscope/pkg/image/sif.(*singularityImageProvider).Provide(0xc0001ad0b0, {0xc000149800?, 0x15ad15c?})
/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.4/pkg/image/sif/archive_provider.go:61 +0x249
github.com/anchore/syft/syft/source/stereoscopesource.stereoscopeImageSourceProvider.Provide({{0x1fb6740, 0xc0001ad0b0}, {{{0x7ffeb43bb0d4, 0x27}, 0x0, {0x0, 0x0, {...}, {...}, {...}}}, ...}}, ...)
/home/runner/work/syft/syft/syft/source/stereoscopesource/image_source_provider.go:32 +0xb3
github.com/anchore/syft/syft.GetSource({0x1fbe798, 0xc000692410}, {0x7ffeb43bb0d4, 0x27}, 0xc000149a40?)
/home/runner/work/syft/syft/syft/get_source.go:29 +0x1b8
github.com/anchore/syft/cmd/syft/internal/commands.getSource({0x1fbe798, 0xc000692410}, 0xc000004440, {0x7ffeb43bb0d4, 0x27}, {0xc0002eb880, 0x1, 0x1})
/home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:248 +0x63b
github.com/anchore/syft/cmd/syft/internal/commands.runScan({0x1fbe798, 0xc000692410}, {{0x19a1e1d, 0x4}, {0x1fa61ac, 0x6}, {0x1fbae60, 0x28}, {0x1fa7e20, 0x7}, ...}, ...)
/home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:185 +0x27d
github.com/anchore/syft/cmd/syft/internal/commands.Scan.func1(0xc0000ccc08, {0xc00038a300, 0x1, 0x0?})
/home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:102 +0xe6
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x0?, {0xc00038a300?, 0x0?, 0x0?})
/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:146 +0x9e
github.com/anchore/clio.async.func1()
/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:344 +0x6a
created by github.com/anchore/clio.async in goroutine 1
/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20240522144804-d81e109008aa/application.go:342 +0xc5

I was wondering if you would have some insight into how I can circumvent the issue. Thank you in advance.

@SaurabhNair96 SaurabhNair96 added the bug Something isn't working label Oct 28, 2024
@willmurphyscode
Contributor

Hi @SaurabhNair96! Thanks for the issue!

It looks like this panic is happening here: https://github.com/sylabs/squashfs/blob/3afc631a963a045b6863f2b3ceddcb0d969cac99/low/reader.go#L162

Syft (via Stereoscope) already depends on the latest version of that library, so this might require an upstream fix in that library (cc @tri-adam).

I don't have any suggestions as a workaround right now - it looks like you're using Syft correctly and we're hitting a bug parsing the SIF image.

It would be helpful if there were a link to a publicly available artifact that causes this issue. @SaurabhNair96 is there a link you're able to share?

Dev notes:

https://github.com/sylabs/squashfs/blob/3afc631a963a045b6863f2b3ceddcb0d969cac99/low/reader.go#L123-L163

This panics at the last line, apparently because i is one higher than expected (index 512 in length 512).

@SaurabhNair96
Author

Hi @willmurphyscode, thanks for the response!
I don't think we have a publicly available version of the sif file that we can share, but we can definitely share the requirements file for the sif image. Would it be possible for you to create the image based on this requirements file for debugging purposes?
requirements.txt

Thank you very much in advance and looking forward!

@willmurphyscode willmurphyscode self-assigned this Nov 4, 2024
@willmurphyscode willmurphyscode moved this to In Progress in OSS Nov 4, 2024
@willmurphyscode willmurphyscode added the needs-reproduction missing steps to reproduce or steps have not been confirmed label Nov 4, 2024
@willmurphyscode
Contributor

@SaurabhNair96 thanks for the requirements.txt, but I haven't been able to reproduce the issue from that, because I don't know how you're going from a requirements.txt file to a singularity image. Can you tell me about how you are going from requirements.txt to a singularity image? Syft doesn't panic scanning the singularity images I have, and I don't have access to your image, so anything you could tell me about your build process would help us understand the bug here.

Thanks very much!

@willmurphyscode willmurphyscode moved this from In Progress to Stalled in OSS Nov 4, 2024
@SaurabhNair96
Author

Hi @willmurphyscode. Thanks for letting me know. I spoke to my seniors and I think we can share the sif image with you directly. Hopefully, this helps! Please let me know if you need any more information.
Please find attached the onedrive link for the zipped image file - https://1drv.ms/f/c/d595eda503cbaa82/Ej4VSlrev4tNnfeFFKq12mwBPtU8cU8-Tva9PsvNkvCFDg?e=12k30t
Thank you and looking forward!

@sbutcher

sbutcher commented Nov 7, 2024

I can replicate too on all my singularity/apptainer images. Using a basic container recipe similar to https://apptainer.org/docs/user/main/build_a_container.html

Bootstrap: docker
From: ubuntu:24.04

%post
    apt-get -y update
    apt-get -y install cowsay lolcat

%environment
    export LC_ALL=C
    export PATH=/usr/games:$PATH

%runscript
    date | cowsay | lolcat

Then apptainer build lol.sif lol.def
and syft singularity:./lol.sif gives me:

⠧ Parsing image                   ━━━━━━━━━━━━━━━━━━━━                 sha256:3d42aab2bf432777e3253d540767d16fbe7a35955d9e66dd398d13ff6388528e
panic: runtime error: index out of range [512] with length 512

goroutine 28 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc0004db930, 0x8?)
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x10?, 0xc0004db930)
...

@popey
Contributor

popey commented Nov 7, 2024

Thanks for the reproduction steps @sbutcher !

I was able to reproduce it on Ubuntu 24.04 here.

syft -vvv singularity:./lol.sif
[0000]  INFO syft version: 1.16.0
[0000] DEBUG config:
  log:
      quiet: false
      level: trace
      file: ""
  dev:
      profile: none
  config: ""
  output:
      - syft-table
  format:
      pretty: null
      template:
          path: ""
          legacy: false
      json:
          legacy: false
          pretty: false
      spdx-json:
          pretty: false
      cyclonedx-json:
          pretty: false
      cyclonedx-xml:
          pretty: false
  check-for-app-update: true
  default-catalogers: []
  select-catalogers: []
  package:
      search-unindexed-archives: false
      search-indexed-archives: true
      exclude-binary-overlap-by-ownership: true
  file:
      metadata:
          selection: owned-by-package
          digests:
              - sha1
              - sha256
      content:
          skip-files-above-size: 256000
          globs: []
      executable:
          globs: []
  scope: squashed
  parallelism: 1
  relationships:
      package-file-ownership: true
      package-file-ownership-overlap: true
  compliance:
      missing-name: drop
      missing-version: stub
  enrich: []
  golang:
      search-local-mod-cache-licenses: null
      local-mod-cache-dir: /home/alan/go/pkg/mod
      search-remote-licenses: null
      proxy: https://proxy.golang.org,direct
      no-proxy: ""
      main-module-version:
          from-ld-flags: true
          from-contents: true
          from-build-settings: true
  java:
      use-network: null
      use-maven-local-repository: null
      maven-local-repository-dir: /home/alan/.m2/repository
      maven-url: https://repo1.maven.org/maven2
      max-parent-recursive-depth: 0
      resolve-transitive-dependencies: false
  javascript:
      search-remote-licenses: null
      npm-base-url: ""
      include-dev-dependencies: null
  linux-kernel:
      catalog-modules: true
  python:
      guess-unpinned-requirements: false
  registry:
      insecure-skip-tls-verify: false
      insecure-use-http: false
      auth: []
      ca-cert: ""
  from: []
  platform: ""
  source:
      name: ""
      version: ""
      base-path: ""
      file:
          digests:
              - SHA-256
      image:
          default-pull-source: ""
  exclude: []
  unknowns:
      remove-when-packages-defined: true
      executables-without-packages: true
      unexpanded-archives: true
  cache:
      dir: /home/alan/.cache/syft
      ttl: 7d
[0000] DEBUG checking if a new version of syft is available
[0000] DEBUG no new syft update available
[0000] TRACE looking for matching encoder name=syft-table version=
[0000] TRACE considering format aliases=[json syft] name=syft-json version=16.0.18
[0000] TRACE considering format aliases=[table] name=syft-table version=
[0000] TRACE considering format aliases=[text] name=syft-text version=
[0000] TRACE considering format aliases=[github] name=github-json version=
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.0
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.1
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.2
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.3
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.4
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.5
[0000] TRACE considering format aliases=[cyclonedx cyclone cdx] name=cyclonedx-xml version=1.6
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.2
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.3
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.4
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.5
[0000] TRACE considering format aliases=[] name=cyclonedx-json version=1.6
[0000] TRACE considering format aliases=[] name=spdx-json version=2.2
[0000] TRACE considering format aliases=[] name=spdx-json version=2.3
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.1
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.2
[0000] TRACE considering format aliases=[spdx spdx-tv] name=spdx-tag-value version=2.3
[0000] TRACE found matching encoder name=syft-table version=
[0000] DEBUG image metadata: digest=sha256:5c3bb61e4be6a53b71820ca79bb40d0db472968fe4aa9d53745c537838e5198a mediaType=application/vnd.sylabs.sif.layer.v1.sif tags=[]
[0000] DEBUG layer metadata: index=0 digest=sha256:fb51c8f1f383dad9f0632d14b7c44b25b7dafc95bdbee61d0c9e1fff5a815145 mediaType=application/vnd.sylabs.sif.layer.v1.squashfs
panic: runtime error: index out of range [512] with length 512

goroutine 14 [running]:
github.com/sylabs/squashfs/low.(*Reader).fragEntry(0xc0007d2d00, 0x8?)
	/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/reader.go:162 +0x4d3
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders.func1()
	/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:110 +0x39
github.com/sylabs/squashfs/low.(*FileBase).GetRegFileReaders(0x10?, 0xc0007d2d00)
	/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/low/file_base.go:120 +0x67e
github.com/sylabs/squashfs.(*File).initializeReaders(...)
	/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:176
github.com/sylabs/squashfs.(*File).Read(0xc0018bbbf0, {0xc001e51000, 0xc00, 0xc00})
	/home/runner/go/pkg/mod/github.com/sylabs/squashfs@v1.0.0/file.go:103 +0x5c
github.com/anchore/stereoscope/pkg/file.(*sizer).Read(0xc001506ca8, {0xc001e51000?, 0xc000bb7e90?, 0x458849?})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/mime_type.go:41 +0x28
io.ReadAtLeast({0x1fba3e0, 0xc001506ca8}, {0xc001e51000, 0xc00, 0xc00}, 0xc00)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:335 +0x90
io.ReadFull(...)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/io.go:354
github.com/gabriel-vasile/mimetype.DetectReader({0x1fba3e0, 0xc001506ca8})
	/home/runner/go/pkg/mod/github.com/gabriel-vasile/mimetype@v1.4.6/mimetype.go:61 +0xe5
github.com/anchore/stereoscope/pkg/file.MIMEType({0x1fba400, 0xc0018bbbf0})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/mime_type.go:21 +0x85
github.com/anchore/stereoscope/pkg/file.NewMetadataFromSquashFSFile({0xc0018628d0, 0x29}, 0xc0018bbbf0)
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/metadata.go:118 +0x475
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer.squashfsVisitor.func1({0x1fba3c0?, 0xc0006817a0?}, {0xc0001340e0, 0x6f}, {0xc0018628d0, 0x29})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:331 +0x16b
github.com/anchore/stereoscope/pkg/file.WalkSquashFS.walkDir.func1({0xc0018628d0?, 0x0?}, {0x0?, 0x0?}, {0x0?, 0x0?})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/squashfs_walk.go:47 +0x57
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc0018628d0, 0x29}, {0x1fc9160, 0xc00078a330}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:73 +0x6c
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000f4fea0, 0x20}, {0x1fc9160, 0xc00078a240}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc001563780, 0x19}, {0x1fc9160, 0xc000053060}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000d07350, 0x15}, {0x1fc9160, 0xc00025c980}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000c276b0, 0xe}, {0x1fc9160, 0xc0007b8580}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc0000123d0, 0x9}, {0x1fc9160, 0xc000680230}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0xc000c40e4a, 0x3}, {0x1fc9160, 0xc000460000}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.walkDir({0x1fba3c0, 0xc0006817a0}, {0x1fa9728, 0x1}, {0x1fc9160, 0xc0006817b0}, 0xc000bb89d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:95 +0x2bf
io/fs.WalkDir({0x1fba3c0, 0xc0006817a0}, {0x1fa9728, 0x1}, 0xc00057a9d8)
	/opt/hostedtoolcache/go/1.22.8/x64/src/io/fs/walk.go:122 +0xa5
github.com/anchore/stereoscope/pkg/file.WalkSquashFS({0xc0001340e0, 0x6f}, 0xc00057aae0)
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/file/squashfs_walk.go:37 +0x138
github.com/anchore/stereoscope/pkg/image.(*Layer).readSingularityImageLayer(0xc0000dc2d0, 0xc000093008?, {0xc000712000, 0x27}, 0xc000592588)
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:167 +0x399
github.com/anchore/stereoscope/pkg/image.(*Layer).Read(0xc0000dc2d0, 0xc0003231a0, 0x0, {0xc000712000, 0x27})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/layer.go:106 +0x149
github.com/anchore/stereoscope/pkg/image.(*Image).Read(0xc000004388)
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/image.go:227 +0x6e5
github.com/anchore/stereoscope/pkg/image/sif.(*singularityImageProvider).Provide(0xc00073e360, {0xc0007f5800?, 0x15b545c?})
	/home/runner/go/pkg/mod/github.com/anchore/stereoscope@v0.0.6-0.20241101185849-cbd43fb4e5d3/pkg/image/sif/archive_provider.go:61 +0x249
github.com/anchore/syft/syft/source/stereoscopesource.stereoscopeImageSourceProvider.Provide({{0x1fc0f80, 0xc00073e360}, {{{0x7ffc17d1b320, 0x9}, 0x0, {0x0, 0x0, {...}, {...}, {...}}}, ...}}, ...)
	/home/runner/work/syft/syft/syft/source/stereoscopesource/image_source_provider.go:32 +0xb3
github.com/anchore/syft/syft.GetSource({0x1fc8fd8, 0xc0003827d0}, {0x7ffc17d1b320, 0x9}, 0xc0007f5a40?)
	/home/runner/work/syft/syft/syft/get_source.go:29 +0x1b8
github.com/anchore/syft/cmd/syft/internal/commands.getSource({0x1fc8fd8, 0xc0003827d0}, 0xc0001bd240, {0x7ffc17d1b320, 0x9}, {0xc000680f70, 0x1, 0x1})
	/home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:250 +0x63b
github.com/anchore/syft/cmd/syft/internal/commands.runScan({0x1fc8fd8, 0xc0003827d0}, {{0x19aad4f, 0x4}, {0x1fb0980, 0x6}, {0x1fc56a0, 0x28}, {0x1fb25f0, 0x7}, ...}, ...)
	/home/runner/work/syft/syft/cmd/syft/internal/commands/scan.go:187 +0x27d
github.com/anchore/syft/cmd/syft/internal/commands.Root.func1(0xc0004faf08, {0xc000464020, 0x1, 0x8e35e0?})
	/home/runner/work/syft/syft/cmd/syft/internal/commands/root.go:28 +0xe6
github.com/anchore/clio.(*application).setupCommand.(*application).WrapRunE.func2.1(0x1fc8f68?, {0xc000464020?, 0x0?, 0x0?})
	/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:147 +0x9e
github.com/anchore/clio.async.func1()
	/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:345 +0x6a
created by github.com/anchore/clio.async in goroutine 1
	/home/runner/go/pkg/mod/github.com/anchore/clio@v0.0.0-20241015191535-f538a9016e10/application.go:343 +0xc5

@popey popey removed the needs-reproduction missing steps to reproduce or steps have not been confirmed label Nov 7, 2024
@wagoodman wagoodman moved this from Stalled to Ready in OSS Nov 7, 2024
@willmurphyscode willmurphyscode self-assigned this Nov 25, 2024
@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Nov 25, 2024
@willmurphyscode
Contributor

Hi @sbutcher thanks so much for the repro steps. I was able to build an SIF file that causes this panic using the steps you suggested.

I am fairly certain that this is a bug in our underlying SquashFS library that occurs when a read call asks for fragment 512 in the squashFS table. Lots of images don't have 512 fragments, which explains why the bug has gone unnoticed.

I'll work on a patch for the SquashFS library.
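
The boundary discussed in this thread, as an added example that is not code from sylabs/squashfs, Stereoscope or Syft: a SquashFS fragment table is stored in 8 KiB metadata blocks of 16-byte entries, so fragment 512 is the first entry of the second block. The sketch assumes a lazily populated table (`lazyTable`, `loadBlock`, `blockCeilMinusOne` and `blockFloor` are hypothetical names) and shows one block-index computation that stops one block short at exactly that index, next to the floor-division form and a bounds check that turns the failure into an error.

```go
package main

import (
	"errors"
	"fmt"
)

// A SquashFS metadata block holds 8 KiB and a fragment entry is 16 bytes,
// so every fragment-table block carries exactly 512 entries.
const entriesPerBlock = 8192 / 16

type fragEntry struct {
	Start uint64
	Size  uint32
}

// lazyTable is a hypothetical reader that decodes fragment-table blocks on
// demand and caches the entries it has seen so far.
type lazyTable struct {
	total  uint32 // fragment count declared by the superblock
	cached []fragEntry
}

// loadBlock stands in for reading and decoding block n (constructed data).
func (t *lazyTable) loadBlock(n uint32) {
	first := n * entriesPerBlock
	for i := first; i < first+entriesPerBlock && i < t.total; i++ {
		t.cached = append(t.cached, fragEntry{Start: uint64(i) * 4096, Size: 4096})
	}
}

// blockCeilMinusOne rounds up and subtracts one. It is wrong whenever i is an
// exact multiple of 512: index 512 maps to block 0 instead of block 1.
func blockCeilMinusOne(i uint32) uint32 {
	if i == 0 {
		return 0
	}
	return (i+entriesPerBlock-1)/entriesPerBlock - 1
}

// blockFloor is the correct mapping: entry i lives in block i/512.
func blockFloor(i uint32) uint32 { return i / entriesPerBlock }

// lookup loads blocks up to the one blockOf selects, then checks the index
// against what was actually loaded. Without that check, t.cached[i] would
// panic with "index out of range [512] with length 512".
func (t *lazyTable) lookup(i uint32, blockOf func(uint32) uint32) (fragEntry, error) {
	if i >= t.total {
		return fragEntry{}, errors.New("fragment index exceeds superblock count")
	}
	want := blockOf(i)
	for n := uint32(len(t.cached)) / entriesPerBlock; n <= want && uint32(len(t.cached)) < t.total; n++ {
		t.loadBlock(n)
	}
	if int(i) >= len(t.cached) {
		return fragEntry{}, fmt.Errorf("fragment %d requested, only %d entries loaded", i, len(t.cached))
	}
	return t.cached[i], nil
}

func main() {
	// Constructed case: an image with 600 fragments, probed around the boundary.
	for _, idx := range []uint32{511, 512, 513} {
		_, errBad := (&lazyTable{total: 600}).lookup(idx, blockCeilMinusOne)
		_, errGood := (&lazyTable{total: 600}).lookup(idx, blockFloor)
		fmt.Printf("index %d: ceil-1 err=%v, floor err=%v\n", idx, errBad, errGood)
	}
}
```

Only exact multiples of 512 hit the short read, which is consistent with images that have fewer fragments, or whose first read lands elsewhere, scanning cleanly.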
