[erlang-bugs] Denial-of-service vulnerability in erlang's group.erl

Stefan Zegenhagen stefan.zegenhagen@REDACTED
Mon Jul 15 12:56:33 CEST 2013


Dear Matthias,

sorry for the delayed answer, I was on vacation for two weeks and read
your mail just today.


> While it sounds like there's a problem in group.erl which should be
> fixed, my experience is that things aren't quite as bad as:
> 
> >       * We cannot simply amend the situation.
> 
> On our embedded device, we completely avoid the situation by
> authenticating users before they get to the CLI implemented in Erlang.
> 
> We use 'dropbear' as the SSH server and have /etc/passwd use 'to_erl'
> as the user's shell. The approach for serial ports is similar.
> 
> Once authenticated, you can reboot our system using the 'reset' command.

Our system probably differs slightly. We keep the "to_erl" option for
the developer's shell (yes, we have a hidden serial port on the board
that's not accessible to customers). And we need much more control over
configurability and features than getty/dropbear give us. Therefore we
would like to stick to the option of implementing our application logic
in erlang with the software stacks that are already available.


> You were also concerned about linux's OOM killer.
> 
> Finding and stopping all possible ways Erlang can grab unexpected
> amounts of RAM is difficult, and not just because they're no longer
> unexpected once you find them. Telling linux to limit the amount
> Erlang _can_ grab is much easier. You can do that with 'ulimit' or, if
> starting from something like 'heart' (which you probably should be),
> setrlimit().

That might be an option to stop linux from crashing other processes, but
still it's bad if the erlang VM itself crashes because that means that
the service is out of operation until everything is fully
re-initialized.


I want to underline that I do not want to start a flame war or be overly
offensive, but I'm astonished by the reluctance to fix this
particular bug, which we consider a security bug due to the way it
affects our devices.


Kind regards,

-- 
Dr. Stefan Zegenhagen

arcutronix GmbH
Garbsener Landstr. 10
30419 Hannover
Germany

Tel:   +49 511 277-2734
Fax:   +49 511 277-2709
Email: stefan.zegenhagen@REDACTED
Web:   www.arcutronix.com

*Synchronize the Ethernet*

General Managers: Dipl. Ing. Juergen Schroeder, Dr. Josef Gfrerer -
Legal Form: GmbH, Registered office: Hannover, HRB 202442, Amtsgericht
Hannover; Ust-Id: DE257551767.

Please consider the environment before printing this message.
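The memory cap Matthias suggests above (a ulimit/setrlimit applied by whatever launches the VM, typically a heart-style supervisor) as a worked example. This is an added illustration and not code from the thread, from OTP or from either poster's system; the limit value, the path to erl and the application name are assumptions for illustration only. The idea is that a runaway allocation in the VM then fails inside the VM and the node is restarted by its supervisor, instead of the Linux OOM killer choosing a victim among unrelated processes.

```shell
#!/bin/sh
# Added example, not from the original thread: a launcher that applies an
# address-space cap (RLIMIT_AS) before starting the Erlang VM. The limit is
# inherited across exec(), so the VM and every port program it spawns are
# covered. The 256 MB figure, the 'erl' invocation and 'myapp' are assumed
# placeholders; size the cap from measurements of your own release.

# run_capped LIMIT_KB CMD [ARGS...]
# Runs CMD in a subshell whose soft and hard virtual-memory limits are set to
# LIMIT_KB kilobytes. Returns CMD's exit status, or 1 if the limit could not
# be applied (e.g. an existing hard limit is already lower).
run_capped() {
    limit_kb=$1
    shift
    (
        ulimit -v "$limit_kb" || exit 1
        exec "$@"
    )
}

# effective_vm_limit LIMIT_KB
# Reports the limit a child started through run_capped actually sees. A
# deployment check should verify this rather than trust the wrapper blindly.
effective_vm_limit() {
    run_capped "$1" sh -c 'ulimit -v'
}

# Launch mode (assumed invocation): VM_LIMIT_KB=262144 ./launcher.sh --launch
# With -heart, the heart program restarts the node if the VM dies, which is
# the intended outcome when an allocation exceeds the cap.
if [ "${1:-}" = "--launch" ]; then
    run_capped "${VM_LIMIT_KB:-262144}" erl -heart -noshell -s myapp start
fi

echo "child process sees RLIMIT_AS of $(effective_vm_limit 262144) KB"
```

The cap is set in a subshell so the launcher's own limits are untouched; only the exec'd VM and its descendants inherit it. Because `ulimit -v` sets both the soft and hard limit, the VM cannot raise it again, which is the property you want against a memory-exhaustion denial of service.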



