| Author |
Message |
|
| Guest |
 Posted: Wed Dec 20, 2006 10:49 pm |
 |
|
|
Guest
|
Erlang/OTP team,
There is a buffer overflow that can occur in the beam interpreter in
the etrs_save_mb[] array. This can occur if a module contains a large
number of binary matches. This buffer overflow is known to exist for all
Erlang/OTP versions between R10B-6 and R11B-2. Sample code is attached
that causes a SEGV (at least on Linux systems).
The source of the overflow is the opcode "bs_save".
The code in BEAM that interprets this opcode is in
erts/emulator/beam/beam_emu.c:process_main():
OpCase(bs_save_I): {
Eterm* next;
PreFetch(1, next);
erts_save_mb[Arg(0)] = erts_mb;
NextPF(1, next);
}
This saves the current value of "erts_mb" into the array
"erts_save_mb[1024]" at an offset of "Arg(0)". This code does not do
any bounds checking on this array. If a compiled ".beam" file has an
opcode such as "{bs_save,1040}", then the beam interpreter's memory will
be corrupted.
The erlang byte-code compiler can easily generate arguments to "bs_save"
that are greater than 1024. If a module contains matching to static
binary values, the compiler generates code for each byte in the binaries
such as:
...
{bs_save,1040}.
{test,is_eq_exact,{f,1},[{x,12},{integer,21}]}.
{bs_restore,1040}.
...
{bs_save,1041}.
{test,is_eq_exact,{f,1},[{x,13},{integer,182}]}.
{bs_restore,1041}.
...
Even though the saved value is never referenced again, the compiler
increments the arg to "bs_save" and it does so without checking if the
argument exceeds the size of the "erts_save_mb[]" array.
I have not tried this code with HiPE, but since HiPE uses the function
erts/emulator/beam/erl_bits.c:erts_bs_save() (which also does not check
the bounds of erts_save_mb), it most likely has the same bug:
void erts_bs_save(ERL_BITS_PROTO_1(int index))
{
erts_save_mb[index] = erts_mb;
}
Most likely, to avoid this bug:
- the compiler should re-use args to "bs_save" (especially where it
immediately does a "bs_restore") instead of just incremented it each
byte.
- the beam runtime should check the offsets for "bs_save" at beam file
load time to make sure it is < MAX_REG (perhaps in beam_validator?)
Thank you,
Matt Reilly
SIPphone Inc.
%%%%%%%%%%%% Begin buffer_overflow.erl %%%%%%%%%%%%%
%% Test with:
%% $ erlc buffer_overflow.erl
%% $ erl -s buffer_overflow crash
-module(buffer_overflow).
-export([
crash/0
]).
m(<<196,202,66,56,160,185,35,130,13,204,80,154,111,117,132,155>>) -> 1;
m(<<200,30,114,141,157,76,47,99,111,6,127,137,204,20,134,44>>) -> 2;
m(<<236,203,200,126,75,92,226,254,40,48,143,217,242,167,186,243>>) -> 3;
m(<<168,127,246,121,162,243,231,29,145,129,166,123,117,66,18,44>>) -> 4;
m(<<228,218,59,127,187,206,35,69,215,119,43,6,116,163,24,213>>) -> 5;
m(<<22,121,9,28,90,136,15,175,111,181,230,8,126,177,178,220>>) -> 6;
m(<<143,20,228,95,206,234,22,122,90,54,222,221,75,234,37,67>>) -> 7;
m(<<201,240,248,149,251,152,171,145,89,245,31,208,41,126,35,109>>) -> 8;
m(<<69,196,140,206,46,45,127,189,234,26,252,81,199,198,173,38>>) -> 9;
m(<<211,217,68,104,2,164,66,89,117,93,56,230,209,99,232,32>>) -> 10;
m(<<101,18,189,67,217,202,166,224,44,153,11,10,130,101,45,202>>) -> 11;
m(<<194,10,212,215,111,233,119,89,170,39,160,201,155,255,103,16>>) ->12;
m(<<197,28,228,16,193,36,161,14,13,181,228,185,127,194,175,57>>) -> 13;
m(<<170,179,35,137,34,188,194,90,111,96,110,181,37,255,220,86>>) -> 14;
m(<<155,243,28,127,240,98,147,106,150,211,200,189,31,143,47,243>>) ->15;
m(<<199,77,151,176,30,174,37,126,68,170,157,91,173,233,123,175>>) -> 16;
m(<<112,239,223,46,201,176,134,7,151,149,196,66,99,107,85,251>>) -> 17;
m(<<111,73,34,244,85,104,22,26,140,223,74,210,41,159,109,35>>) -> 18;
m(<<31,14,61,173,153,144,131,69,247,67,159,143,250,189,255,196>>) -> 19;
m(<<152,241,55,8,33,1,148,196,117,104,123,230,16,106,59,132>>) -> 20;
m(<<60,89,220,4,142,136,80,36,59,232,7,154,92,116,208,121>>) -> 21;
m(<<182,215,103,210,248,237,93,33,164,75,14,88,134,104,12,185>>) -> 22;
m(<<55,105,60,252,116,128,73,228,93,135,184,199,216,185,170,205>>) ->23;
m(<<31,241,222,119,64,5,248,218,19,244,41,67,136,28,101,95>>) -> 24;
m(<<142,41,106,6,122,55,86,51,112,222,208,95,90,59,243,236>>) -> 25;
m(<<78,115,44,237,52,99,208,109,224,202,154,21,182,21,54,119>>) -> 26;
m(<<2,231,79,16,224,50,122,216,104,209,56,242,180,253,214,240>>) -> 27;
m(<<51,231,95,240,157,214,1,187,230,159,53,16,57,21,33,137>>) -> 28;
m(<<110,169,171,27,170,14,251,158,25,9,68,64,195,23,226,27>>) -> 29;
m(<<52,23,60,179,143,7,248,157,219,235,194,172,145,40,48,63>>) -> 30;
m(<<193,106,83,32,250,71,85,48,217,88,60,52,253,53,110,245>>) -> 31;
m(<<99,100,211,240,244,149,182,171,157,207,141,59,92,110,11,1>>) -> 32;
m(<<24,43,224,197,205,205,80,114,187,24,100,205,238,77,61,110>>) -> 33;
m(<<227,105,133,61,247,102,250,68,225,237,15,246,19,245,99,189>>) -> 34;
m(<<28,56,60,211,11,124,41,138,181,2,147,173,254,203,123,24>>) -> 35;
m(<<25,202,20,231,234,99,40,164,46,14,177,61,88,94,76,34>>) -> 36;
m(<<165,191,201,224,121,100,248,221,222,185,95,197,132,205,150,93>>)->37;
m(<<165,119,27,206,147,226,0,195,111,124,217,223,208,229,222,170>>)->38;
m(<<214,125,138,180,244,193,11,242,42,163,83,226,120,121,19,60>>) -> 39;
m(<<214,69,146,14,57,95,237,173,123,187,237,14,202,63,226,224>>) -> 40;
m(<<52,22,167,95,76,234,145,9,80,124,172,216,226,242,174,252>>) -> 41;
m(<<161,208,198,232,63,2,115,39,216,70,16,99,244,172,88,166>>) -> 42;
m(<<23,230,33,102,252,133,134,223,164,209,188,14,23,66,192,139>>) -> 43;
m(<<247,23,113,99,200,51,223,244,179,143,200,210,135,47,30,198>>) -> 44;
m(<<108,131,73,204,114,96,174,98,227,177,57,104,49,168,57,143>>) -> 45;
m(<<217,212,244,149,232,117,162,224,117,161,164,166,225,185,119,15>>)->46;
m(<<103,198,161,231,206,86,211,214,250,116,138,182,217,175,63,215>>)->47;
m(<<100,46,146,239,183,148,33,115,72,129,181,62,30,27,24,182>>) -> 48;
m(<<244,87,197,69,169,222,216,143,24,236,238,71,20,90,114,192>>) -> 49;
m(<<192,199,199,109,48,189,61,202,239,201,111,64,39,91,220,10>>) -> 50;
m(<<40,56,2,58,119,141,250,236,220,33,39,8,247,33,183,136>>) -> 51;
m(<<154,17,88,21,77,250,66,202,221,189,6,148,164,233,189,200>>) -> 52;
m(<<216,44,141,22,25,173,129,118,214,101,69,60,251,46,85,240>>) -> 53;
m(<<166,132,236,238,231,111,197,34,119,50,134,168,149,188,132,54>>)->54;
m(<<181,59,58,61,106,185,12,224,38,130,41,21,28,155,222,17>>) -> 55;
m(<<159,97,64,142,58,251,99,62,80,205,241,178,13,230,244,102>>) -> 56;
m(<<114,179,42,31,117,75,161,192,155,54,149,224,203,108,222,127>>) ->57;
m(<<102,240,65,225,106,96,146,139,5,167,226,40,168,156,55,153>>) -> 58;
m(<<9,63,101,224,128,162,149,248,7,107,28,87,34,164,106,162>>) -> 59;
m(<<7,43,3,11,161,38,178,244,178,55,79,52,43,233,237,68>>) -> 60;
m(<<127,57,248,49,127,189,177,152,142,244,198,40,235,160,37,145>>) ->61;
m(<<68,246,131,168,65,99,179,82,58,254,87,194,224,8,188,140>>) -> 62;
m(<<3,175,219,214,110,121,41,177,37,248,89,120,52,250,131,164>>) -> 63;
m(<<234,93,47,28,70,8,35,46,7,211,170,61,153,142,81,53>>) -> 64;
m(<<252,73,12,164,92,0,177,36,155,190,53,84,164,253,246,251>>) -> 65;
m(<<50,149,199,106,203,244,202,174,211,60,54,177,181,252,44,177>>) ->66;
m(<<115,91,144,180,86,129,37,237,108,63,103,136,25,182,224,88>>) -> 67;
m(<<163,243,144,216,142,76,65,242,116,123,250,47,27,95,135,219>>) -> 68;
m(<<20,191,166,187,20,135,94,69,187,160,40,162,30,211,128,70>>) -> 69;
m(<<124,187,196,9,236,153,15,25,199,140,117,189,30,6,242,21>>) -> 70;
m(<<226,196,32,217,40,212,191,140,224,255,46,193,155,55,21,20>>) -> 71;
m(<<50,187,144,232,151,106,171,82,152,213,218,16,254,102,242,29>>) ->72;
m(<<210,221,234,24,240,6,101,206,134,35,227,107,212,227,199,197>>) ->73;
m(<<173,97,171,20,50,35,239,188,36,199,210,88,59,230,146,81>>) -> 74;
m(<<208,155,244,21,68,163,54,90,70,201,7,126,187,94,53,195>>) -> 75;
m(<<251,215,147,157,103,73,151,205,180,105,45,52,222,134,51,196>>) ->76;
m(<<40,221,44,121,85,206,146,100,86,36,11,47,240,16,11,222>>) -> 77;
m(<<53,244,168,212,101,230,225,237,192,95,61,138,182,88,197,81>>) -> 78;
m(<<209,254,23,61,8,233,89,57,122,223,52,177,215,126,136,215>>) -> 79;
m(<<240,51,171,55,195,2,1,247,63,20,36,73,208,55,2,141>>) -> 80;
m(<<67,236,81,125,104,182,237,211,1,91,62,220,154,17,54,123>>) -> 81;
m(<<151,120,213,210,25,197,8,11,154,106,23,190,240,41,51,28>>) -> 82;
m(<<254,159,194,137,195,255,10,241,66,182,211,190,173,152,169,35>>)->83;
m(<<104,211,10,149,148,114,139,195,154,162,75,233,75,49,157,33>>) -> 84;
m(<<62,248,21,65,111,119,80,152,254,151,112,4,1,92,97,147>>) -> 85;
m(<<147,219,133,237,144,156,19,131,143,249,92,207,169,76,235,217>>)->86;
m(<<199,225,36,159,252,3,235,157,237,144,140,35,107,209,153,109>>) ->87;
m(<<42,56,164,169,49,108,73,229,168,51,81,124,69,211,16,112>>) -> 88;
m(<<118,71,150,107,115,67,194,144,72,103,50,82,228,144,247,54>>) -> 89;
m(<<134,19,152,94,196,158,184,247,87,174,100,57,232,121,187,42>>) -> 90;
m(<<84,34,154,191,207,165,100,158,112,3,184,61,212,117,82,148>>) -> 91;
m(<<146,204,34,117,50,209,126,86,224,121,2,178,84,223,173,16>>) -> 92;
m(<<152,220,232,61,165,123,3,149,225,99,70,124,157,174,82,27>>) -> 93;
m(<<244,185,236,48,173,159,104,248,155,41,99,151,134,203,98,239>>) ->94;
m(<<129,43,75,162,135,245,238,11,201,212,59,191,91,190,135,251>>) -> 95;
m(<<38,101,125,95,249,2,13,42,190,254,85,135,150,185,149,132>>) -> 96;
m(<<226,239,82,79,191,61,159,230,17,213,168,233,15,239,220,156>>) -> 97;
m(<<237,61,44,33,153,30,59,239,94,6,151,19,175,159,166,202>>) -> 98;
m(<<172,98,122,177,204,189,182,46,201,110,112,47,7,246,66,91>>) -> 99;
m(<<248,153,19,157,245,225,5,147,150,67,20,21,231,112,198,221>>) -> 100.
crash() ->
lists:foreach(
fun(N) ->
io:format("Trying to match md5(~B)~n",[N]),
BinaryToMatch = erlang:md5(integer_to_list(N)),
%% The pattern matching on binaries for this call
%% will cause buffer overflow.
m(BinaryToMatch)
end,
lists:seq(1,100)
).
%%%%%%%%%%%% End buffer_overflow.erl %%%%%%%%%%%%%
--
Matthew Reilly
SIPphone Inc.
matthew.reilly@sipphone.com
Gizmo Project name: matt
_______________________________________________
erlang-bugs mailing list
erlang-bugs@erlang.org
http://www.erlang.org/mailman/listinfo/erlang-bugs
Post recived from mailinglist |
|
|
| Back to top |
|
| Guest |
| Posted: Thu Dec 21, 2006 2:23 pm |
|
|
|
Guest
|
Thanks for your bug report!
R11B has new instructions for bit syntax matching, so the
problem doesn't exist there, unless you load code compiled
by an R10B compiler. For R11B-3, I have changed the loader
to reject bs_save/bs_restore instruction with an index greater
than 1023 if you load code compiled by R10B. I have also
changed beam_validator to reject those instructions (in case
it is used for validating R10B code).
/Bjorn
Matthew Reilly <matthew.reilly@sipphone.com> writes:
> Erlang/OTP team,
>
> There is a buffer overflow that can occur in the beam interpreter in
> the etrs_save_mb[] array. This can occur if a module contains a large
> number of binary matches. This buffer overflow is known to exist for all
> Erlang/OTP versions between R10B-6 and R11B-2. Sample code is attached
> that causes a SEGV (at least on Linux systems).
>
> The source of the overflow is the opcode "bs_save".
>
> The code in BEAM that interprets this opcode is in
> erts/emulator/beam/beam_emu.c:process_main():
> OpCase(bs_save_I): {
> Eterm* next;
>
> PreFetch(1, next);
> erts_save_mb[Arg(0)] = erts_mb;
> NextPF(1, next);
> }
>
> This saves the current value of "erts_mb" into the array
> "erts_save_mb[1024]" at an offset of "Arg(0)". This code does not do
> any bounds checking on this array. If a compiled ".beam" file has an
> opcode such as "{bs_save,1040}", then the beam interpreter's memory will
> be corrupted.
>
> The erlang byte-code compiler can easily generate arguments to "bs_save"
> that are greater than 1024. If a module contains matching to static
> binary values, the compiler generates code for each byte in the binaries
> such as:
> ...
> {bs_save,1040}.
> {test,is_eq_exact,{f,1},[{x,12},{integer,21}]}.
> {bs_restore,1040}.
> ...
> {bs_save,1041}.
> {test,is_eq_exact,{f,1},[{x,13},{integer,182}]}.
> {bs_restore,1041}.
> ...
>
> Even though the saved value is never referenced again, the compiler
> increments the arg to "bs_save" and it does so without checking if the
> argument exceeds the size of the "erts_save_mb[]" array.
>
> I have not tried this code with HiPE, but since HiPE uses the function
> erts/emulator/beam/erl_bits.c:erts_bs_save() (which also does not check
> the bounds of erts_save_mb), it most likely has the same bug:
> void erts_bs_save(ERL_BITS_PROTO_1(int index))
> {
> erts_save_mb[index] = erts_mb;
> }
>
>
> Most likely, to avoid this bug:
>
> - the compiler should re-use args to "bs_save" (especially where it
> immediately does a "bs_restore") instead of just incremented it each
> byte.
>
> - the beam runtime should check the offsets for "bs_save" at beam file
> load time to make sure it is < MAX_REG (perhaps in beam_validator?)
>
>
> Thank you,
> Matt Reilly
> SIPphone Inc.
>
> %%%%%%%%%%%% Begin buffer_overflow.erl %%%%%%%%%%%%%
> %% Test with:
> %% $ erlc buffer_overflow.erl
> %% $ erl -s buffer_overflow crash
> -module(buffer_overflow).
>
> -export([
> crash/0
> ]).
>
> m(<<196,202,66,56,160,185,35,130,13,204,80,154,111,117,132,155>>) -> 1;
> m(<<200,30,114,141,157,76,47,99,111,6,127,137,204,20,134,44>>) -> 2;
> m(<<236,203,200,126,75,92,226,254,40,48,143,217,242,167,186,243>>) -> 3;
> m(<<168,127,246,121,162,243,231,29,145,129,166,123,117,66,18,44>>) -> 4;
> m(<<228,218,59,127,187,206,35,69,215,119,43,6,116,163,24,213>>) -> 5;
> m(<<22,121,9,28,90,136,15,175,111,181,230,8,126,177,178,220>>) -> 6;
> m(<<143,20,228,95,206,234,22,122,90,54,222,221,75,234,37,67>>) -> 7;
> m(<<201,240,248,149,251,152,171,145,89,245,31,208,41,126,35,109>>) -> 8;
> m(<<69,196,140,206,46,45,127,189,234,26,252,81,199,198,173,38>>) -> 9;
> m(<<211,217,68,104,2,164,66,89,117,93,56,230,209,99,232,32>>) -> 10;
> m(<<101,18,189,67,217,202,166,224,44,153,11,10,130,101,45,202>>) -> 11;
> m(<<194,10,212,215,111,233,119,89,170,39,160,201,155,255,103,16>>) ->12;
> m(<<197,28,228,16,193,36,161,14,13,181,228,185,127,194,175,57>>) -> 13;
> m(<<170,179,35,137,34,188,194,90,111,96,110,181,37,255,220,86>>) -> 14;
> m(<<155,243,28,127,240,98,147,106,150,211,200,189,31,143,47,243>>) ->15;
> m(<<199,77,151,176,30,174,37,126,68,170,157,91,173,233,123,175>>) -> 16;
> m(<<112,239,223,46,201,176,134,7,151,149,196,66,99,107,85,251>>) -> 17;
> m(<<111,73,34,244,85,104,22,26,140,223,74,210,41,159,109,35>>) -> 18;
> m(<<31,14,61,173,153,144,131,69,247,67,159,143,250,189,255,196>>) -> 19;
> m(<<152,241,55,8,33,1,148,196,117,104,123,230,16,106,59,132>>) -> 20;
> m(<<60,89,220,4,142,136,80,36,59,232,7,154,92,116,208,121>>) -> 21;
> m(<<182,215,103,210,248,237,93,33,164,75,14,88,134,104,12,185>>) -> 22;
> m(<<55,105,60,252,116,128,73,228,93,135,184,199,216,185,170,205>>) ->23;
> m(<<31,241,222,119,64,5,248,218,19,244,41,67,136,28,101,95>>) -> 24;
> m(<<142,41,106,6,122,55,86,51,112,222,208,95,90,59,243,236>>) -> 25;
> m(<<78,115,44,237,52,99,208,109,224,202,154,21,182,21,54,119>>) -> 26;
> m(<<2,231,79,16,224,50,122,216,104,209,56,242,180,253,214,240>>) -> 27;
> m(<<51,231,95,240,157,214,1,187,230,159,53,16,57,21,33,137>>) -> 28;
> m(<<110,169,171,27,170,14,251,158,25,9,68,64,195,23,226,27>>) -> 29;
> m(<<52,23,60,179,143,7,248,157,219,235,194,172,145,40,48,63>>) -> 30;
> m(<<193,106,83,32,250,71,85,48,217,88,60,52,253,53,110,245>>) -> 31;
> m(<<99,100,211,240,244,149,182,171,157,207,141,59,92,110,11,1>>) -> 32;
> m(<<24,43,224,197,205,205,80,114,187,24,100,205,238,77,61,110>>) -> 33;
> m(<<227,105,133,61,247,102,250,68,225,237,15,246,19,245,99,189>>) -> 34;
> m(<<28,56,60,211,11,124,41,138,181,2,147,173,254,203,123,24>>) -> 35;
> m(<<25,202,20,231,234,99,40,164,46,14,177,61,88,94,76,34>>) -> 36;
> m(<<165,191,201,224,121,100,248,221,222,185,95,197,132,205,150,93>>)->37;
> m(<<165,119,27,206,147,226,0,195,111,124,217,223,208,229,222,170>>)->38;
> m(<<214,125,138,180,244,193,11,242,42,163,83,226,120,121,19,60>>) -> 39;
> m(<<214,69,146,14,57,95,237,173,123,187,237,14,202,63,226,224>>) -> 40;
> m(<<52,22,167,95,76,234,145,9,80,124,172,216,226,242,174,252>>) -> 41;
> m(<<161,208,198,232,63,2,115,39,216,70,16,99,244,172,88,166>>) -> 42;
> m(<<23,230,33,102,252,133,134,223,164,209,188,14,23,66,192,139>>) -> 43;
> m(<<247,23,113,99,200,51,223,244,179,143,200,210,135,47,30,198>>) -> 44;
> m(<<108,131,73,204,114,96,174,98,227,177,57,104,49,168,57,143>>) -> 45;
> m(<<217,212,244,149,232,117,162,224,117,161,164,166,225,185,119,15>>)->46;
> m(<<103,198,161,231,206,86,211,214,250,116,138,182,217,175,63,215>>)->47;
> m(<<100,46,146,239,183,148,33,115,72,129,181,62,30,27,24,182>>) -> 48;
> m(<<244,87,197,69,169,222,216,143,24,236,238,71,20,90,114,192>>) -> 49;
> m(<<192,199,199,109,48,189,61,202,239,201,111,64,39,91,220,10>>) -> 50;
> m(<<40,56,2,58,119,141,250,236,220,33,39,8,247,33,183,136>>) -> 51;
> m(<<154,17,88,21,77,250,66,202,221,189,6,148,164,233,189,200>>) -> 52;
> m(<<216,44,141,22,25,173,129,118,214,101,69,60,251,46,85,240>>) -> 53;
> m(<<166,132,236,238,231,111,197,34,119,50,134,168,149,188,132,54>>)->54;
> m(<<181,59,58,61,106,185,12,224,38,130,41,21,28,155,222,17>>) -> 55;
> m(<<159,97,64,142,58,251,99,62,80,205,241,178,13,230,244,102>>) -> 56;
> m(<<114,179,42,31,117,75,161,192,155,54,149,224,203,108,222,127>>) ->57;
> m(<<102,240,65,225,106,96,146,139,5,167,226,40,168,156,55,153>>) -> 58;
> m(<<9,63,101,224,128,162,149,248,7,107,28,87,34,164,106,162>>) -> 59;
> m(<<7,43,3,11,161,38,178,244,178,55,79,52,43,233,237,68>>) -> 60;
> m(<<127,57,248,49,127,189,177,152,142,244,198,40,235,160,37,145>>) ->61;
> m(<<68,246,131,168,65,99,179,82,58,254,87,194,224,8,188,140>>) -> 62;
> m(<<3,175,219,214,110,121,41,177,37,248,89,120,52,250,131,164>>) -> 63;
> m(<<234,93,47,28,70,8,35,46,7,211,170,61,153,142,81,53>>) -> 64;
> m(<<252,73,12,164,92,0,177,36,155,190,53,84,164,253,246,251>>) -> 65;
> m(<<50,149,199,106,203,244,202,174,211,60,54,177,181,252,44,177>>) ->66;
> m(<<115,91,144,180,86,129,37,237,108,63,103,136,25,182,224,88>>) -> 67;
> m(<<163,243,144,216,142,76,65,242,116,123,250,47,27,95,135,219>>) -> 68;
> m(<<20,191,166,187,20,135,94,69,187,160,40,162,30,211,128,70>>) -> 69;
> m(<<124,187,196,9,236,153,15,25,199,140,117,189,30,6,242,21>>) -> 70;
> m(<<226,196,32,217,40,212,191,140,224,255,46,193,155,55,21,20>>) -> 71;
> m(<<50,187,144,232,151,106,171,82,152,213,218,16,254,102,242,29>>) ->72;
> m(<<210,221,234,24,240,6,101,206,134,35,227,107,212,227,199,197>>) ->73;
> m(<<173,97,171,20,50,35,239,188,36,199,210,88,59,230,146,81>>) -> 74;
> m(<<208,155,244,21,68,163,54,90,70,201,7,126,187,94,53,195>>) -> 75;
> m(<<251,215,147,157,103,73,151,205,180,105,45,52,222,134,51,196>>) ->76;
> m(<<40,221,44,121,85,206,146,100,86,36,11,47,240,16,11,222>>) -> 77;
> m(<<53,244,168,212,101,230,225,237,192,95,61,138,182,88,197,81>>) -> 78;
> m(<<209,254,23,61,8,233,89,57,122,223,52,177,215,126,136,215>>) -> 79;
> m(<<240,51,171,55,195,2,1,247,63,20,36,73,208,55,2,141>>) -> 80;
> m(<<67,236,81,125,104,182,237,211,1,91,62,220,154,17,54,123>>) -> 81;
> m(<<151,120,213,210,25,197,8,11,154,106,23,190,240,41,51,28>>) -> 82;
> m(<<254,159,194,137,195,255,10,241,66,182,211,190,173,152,169,35>>)->83;
> m(<<104,211,10,149,148,114,139,195,154,162,75,233,75,49,157,33>>) -> 84;
> m(<<62,248,21,65,111,119,80,152,254,151,112,4,1,92,97,147>>) -> 85;
> m(<<147,219,133,237,144,156,19,131,143,249,92,207,169,76,235,217>>)->86;
> m(<<199,225,36,159,252,3,235,157,237,144,140,35,107,209,153,109>>) ->87;
> m(<<42,56,164,169,49,108,73,229,168,51,81,124,69,211,16,112>>) -> 88;
> m(<<118,71,150,107,115,67,194,144,72,103,50,82,228,144,247,54>>) -> 89;
> m(<<134,19,152,94,196,158,184,247,87,174,100,57,232,121,187,42>>) -> 90;
> m(<<84,34,154,191,207,165,100,158,112,3,184,61,212,117,82,148>>) -> 91;
> m(<<146,204,34,117,50,209,126,86,224,121,2,178,84,223,173,16>>) -> 92;
> m(<<152,220,232,61,165,123,3,149,225,99,70,124,157,174,82,27>>) -> 93;
> m(<<244,185,236,48,173,159,104,248,155,41,99,151,134,203,98,239>>) ->94;
> m(<<129,43,75,162,135,245,238,11,201,212,59,191,91,190,135,251>>) -> 95;
> m(<<38,101,125,95,249,2,13,42,190,254,85,135,150,185,149,132>>) -> 96;
> m(<<226,239,82,79,191,61,159,230,17,213,168,233,15,239,220,156>>) -> 97;
> m(<<237,61,44,33,153,30,59,239,94,6,151,19,175,159,166,202>>) -> 98;
> m(<<172,98,122,177,204,189,182,46,201,110,112,47,7,246,66,91>>) -> 99;
> m(<<248,153,19,157,245,225,5,147,150,67,20,21,231,112,198,221>>) -> 100.
>
> crash() ->
> lists:foreach(
> fun(N) ->
> io:format("Trying to match md5(~B)~n",[N]),
> BinaryToMatch = erlang:md5(integer_to_list(N)),
>
> %% The pattern matching on binaries for this call
> %% will cause buffer overflow.
> m(BinaryToMatch)
> end,
> lists:seq(1,100)
> ).
> %%%%%%%%%%%% End buffer_overflow.erl %%%%%%%%%%%%%
>
> --
> Matthew Reilly
> SIPphone Inc.
> matthew.reilly@sipphone.com
> Gizmo Project name: matt
>
> _______________________________________________
> erlang-bugs mailing list
> erlang-bugs@erlang.org
> http://www.erlang.org/mailman/listinfo/erlang-bugs
>
--
Bj |
|
|
| Back to top |
|
| Guest |
| Posted: Fri Dec 22, 2006 7:59 am |
|
|
|
Guest
|
Bjorn Gustavsson writes:
> For R11B-3, I have changed the loader to reject bs_save/bs_restore
> instruction with an index greater than 1023 if you load code
> compiled by R10B.
That left me wondering whether any of my existing code was a time bomb
or not. So I wrote a little program to check for such opcodes in
existing .beam files. It might be useful for others too.
1> check_bs:dir("/home/matthias").
Checking /home/matthias/buffer_overflow.beam
** exited: "beam file contains bs_save instruction with argument > 1023" **
Matthias
----------------------------------------------------------------------
%% Multiple versions of R11-B and R10B have a bug which results in
%% the emulator corrupting its memory and then, probably, segfaulting.
%%
%% See erlang-bugs 2006-12-21
%%
%% This module checks beam files to make sure they don't contain
%% code that triggers the bug. Exits if it finds one.
%%
-module(check_bs).
-export([file/1, files/1, dir/1]).
%% check one beam
file(Filename) ->
io:fwrite("Checking ~s\n", [Filename]),
Dis = beam_disasm:file(Filename),
top_level(Dis),
no_worries.
files(Filenames) ->
lists:foreach(fun file/1, Filenames),
no_worries.
%% check all beams in a given path
dir(Path) ->
{ok, Files} = file:list_dir(Path),
Beams = [Path ++ "/" ++ X || X <- Files, maeb_si(lists:reverse(X))],
files(Beams).
maeb_si("maeb." ++ _) -> true;
maeb_si(_) -> false.
%%--------------------
top_level({beam_file, Chunks}) ->
[Code] = [X || {code, X} <- Chunks],
lists:foreach(fun function/1, Code).
function({function, _Name, _Arity, _, Opcodes}) ->
lists:foreach(fun opcode/1, Opcodes).
opcode({bs_save, Arg}) when Arg < 1024 ->
no_problem_mate;
opcode({bs_save, _Arg}) ->
exit("beam file contains bs_save instruction with argument > 1023");
opcode(_) ->
do_nothing.
%% eof
_______________________________________________
erlang-bugs mailing list
erlang-bugs@erlang.org
http://www.erlang.org/mailman/listinfo/erlang-bugs
Post recived from mailinglist |
|
|
| Back to top |
|
| Idon |
| Posted: Sun Apr 08, 2007 6:01 pm |
|
|
|
Guest
|
|
| Back to top |
|
| Abedtedbasder |
| Posted: Mon Apr 09, 2007 4:21 am |
|
|
|
Guest
|
|
| Back to top |
|
| Wasin |
| Posted: Mon Apr 09, 2007 10:58 pm |
|
|
|
Guest
|
|
| Back to top |
|
|
|
All times are GMT
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum
|
|
|
Digg It
Del.icio.us
Reddit
Facebook
Stumble Upon
Technorati
