[erlang-bugs] Buffer overflow in etrs_save_mb[]
Matthias Lang
matthias@REDACTED
Fri Dec 22 08:58:48 CET 2006
Bjorn Gustavsson writes:
> For R11B-3, I have changed the loader to reject bs_save/bs_restore
> instruction with an index greater than 1023 if you load code
> compiled by R10B.
That left me wondering whether any of my existing code was a time bomb
or not. So I wrote a little program to check for such opcodes in
existing .beam files. It might be useful for others too.
1> check_bs:dir("/home/matthias").
Checking /home/matthias/buffer_overflow.beam
** exited: "beam file contains bs_save instruction with argument > 1023" **
Matthias
----------------------------------------------------------------------
%% Multiple versions of R11-B and R10B have a bug which results in
%% the emulator corrupting its memory and then, probably, segfaulting.
%%
%% See erlang-bugs 2006-12-21
%%
%% This module checks beam files to make sure they don't contain
%% code that triggers the bug. It calls exit/1 at the first offending
%% instruction, so any files queued after that one are not checked.
%%
-module(check_bs).
-export([file/1, files/1, dir/1]).
%% check one beam
%% Check a single .beam file.
%%
%% Prints a progress line, disassembles the file with beam_disasm:file/1
%% and hands the result to top_level/1. Returns no_worries when the walk
%% completes. An exit raised further down propagates to the caller, and
%% any beam_disasm result that is not {beam_file, Chunks} crashes in
%% top_level/1 (it has a single clause), so an unreadable file is never
%% reported as clean.
file(Filename) ->
    io:fwrite("Checking ~s\n", [Filename]),
    top_level(beam_disasm:file(Filename)),
    no_worries.
%% Check a list of .beam files in order with file/1.
%%
%% Returns no_worries only if every file passes. The first failure exits
%% the calling process, so the remaining entries are left unchecked.
files(Filenames) ->
    lists:foreach(fun(Name) -> file(Name) end, Filenames),
    no_worries.
%% check all beams in a given path
%% Check every entry directly inside Path whose name ends in ".beam".
%%
%% Not recursive: only the names returned by file:list_dir/1 are
%% considered. Crashes with badmatch if the directory cannot be listed.
dir(Path) ->
    {ok, Names} = file:list_dir(Path),
    %% maeb_si/1 takes the name reversed, which turns the ".beam" suffix
    %% test into a prefix match.
    BeamNames = lists:filter(fun(Name) -> maeb_si(lists:reverse(Name)) end, Names),
    files([Path ++ "/" ++ Name || Name <- BeamNames]).
%% "is_beam" spelled backwards: true when the argument, a file name that
%% the caller has already reversed, starts with "maeb." (i.e. the
%% original name ends in ".beam"). Anything else yields false.
maeb_si(Reversed) ->
    case Reversed of
        [$m, $a, $e, $b, $. | _] -> true;
        _ -> false
    end.
%%--------------------
%% Walk the disassembly of one beam file.
%%
%% Accepts only the {beam_file, Chunks} shape; anything else crashes with
%% function_clause. Exactly one {code, Functions} chunk is required (the
%% match below fails otherwise), and each of its functions is passed to
%% function/1.
top_level({beam_file, Chunks}) ->
    [Functions] = [Fs || {code, Fs} <- Chunks],
    lists:foreach(fun(Fn) -> function(Fn) end, Functions).
%% Check every instruction of one disassembled function.
%%
%% Only the opcode list (fifth tuple element) is used; name, arity and
%% the fourth element are ignored. Returns ok unless opcode/1 exits.
function({function, _Name, _Arity, _, Opcodes}) ->
    _ = [opcode(Op) || Op <- Opcodes],
    ok.
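%% Inspect one disassembled instruction for an out-of-range save slot.
%%
%% The R11B-3 loader change quoted in the erlang-bugs thread rejects both
%% bs_save and bs_restore with an index greater than 1023, so both
%% opcodes are checked here. Checking bs_save alone would let a file
%% with an out-of-range bs_restore be reported as clean.
%%
%% Returns no_problem_mate for an in-range bs_save/bs_restore and
%% do_nothing for every other instruction. Exits with a descriptive
%% string on the first out-of-range index.
%%
%% NOTE(review): the {bs_restore, Arg} shape is assumed to mirror the
%% {bs_save, Arg} tuple produced by beam_disasm -- confirm against the
%% beam_disasm version in use.
opcode({bs_save, Arg}) when Arg < 1024 ->
    no_problem_mate;
opcode({bs_save, _Arg}) ->
    exit("beam file contains bs_save instruction with argument > 1023");
opcode({bs_restore, Arg}) when Arg < 1024 ->
    no_problem_mate;
opcode({bs_restore, _Arg}) ->
    exit("beam file contains bs_restore instruction with argument > 1023");
opcode(_) ->
    do_nothing.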
%% eof