[erlang-bugs] Buffer overflow in etrs_save_mb[]

Fri Dec 22 08:58:48 CET 2006

Bjorn Gustavsson writes:

 > For R11B-3, I have changed the loader to reject bs_save/bs_restore
 > instruction with an index greater than 1023 if you load code
 > compiled by R10B.

That left me wondering whether any of my existing code was a time bomb
or not. So I wrote a little program to check for such opcodes in
existing .beam files. It might be useful for others too.

   1> check_bs:dir("/home/matthias"). 
   Checking /home/matthias/buffer_overflow.beam
   ** exited: "beam file contains bs_save instruction with argument > 1023" **

Matthias

----------------------------------------------------------------------

%% Multiple versions of R11-B and R10B have a bug which results in
%% the emulator corrupting its memory and then, probably, segfaulting.
%%
%% See erlang-bugs 2006-12-21
%%
%% This module checks beam files to make sure they don't contain
%% code that triggers the bug. Exits if it finds one.
%%
-module(check_bs).
-export([file/1, files/1, dir/1]).

%% check one beam 
file(Filename) ->
    io:fwrite("Checking ~s\n", [Filename]),
    Dis = beam_disasm:file(Filename),
    top_level(Dis),
    no_worries.

files(Filenames) ->
    lists:foreach(fun file/1, Filenames),
    no_worries.

%% check all beams in a given path
dir(Path) ->
    {ok, Files} = file:list_dir(Path),
    Beams = [Path ++ "/" ++ X || X <- Files, maeb_si(lists:reverse(X))],
    files(Beams).

maeb_si("maeb." ++ _) -> true;
maeb_si(_) -> false.

%%--------------------
top_level({beam_file, Chunks}) ->
    [Code] = [X || {code, X} <- Chunks],
    lists:foreach(fun function/1, Code).

function({function, _Name, _Arity, _, Opcodes}) ->
    lists:foreach(fun opcode/1, Opcodes).

opcode({bs_save, Arg}) when Arg < 1024 ->
    no_problem_mate;
opcode({bs_save, _Arg}) ->
    exit("beam file contains bs_save instruction with argument > 1023");
opcode(_) ->
    do_nothing.

%% eof