[erlang-bugs] Denial-of-service vulnerability in erlang's group.erl

Matthias Lang matthias@REDACTED
Sat Jun 29 23:59:09 CEST 2013


Hi,

While it sounds like there's a problem in group.erl which should be
fixed, my experience is that things aren't quite as bad as:

>       * We cannot simply amend the situation.

On our embedded device, we completely avoid the situation by
authenticating users before they get to the CLI implemented in Erlang.

We use 'dropbear' as the SSH server and have /etc/passwd use 'to_erl'
as the user's shell. The approach for serial ports is similar.

Once authenticated, you can reboot our system using the 'reset' command.

---

You were also concerned about linux's OOM killer.

Finding and stopping all possible ways Erlang can grab unexpected
amounts of RAM is difficult, and not just because they're no longer
unexpected once you find them. Telling linux to limit the amount
Erlang _can_ grab is much easier. You can do that with 'ulimit' or, if
starting from something like 'heart' (which you probably should be),
setrlimit().

---

Finally, if I start a server like this:

    # cat ss.erl
    -module(ss).
    -export([go/0]).

    go() ->
       crypto:start(),
       ssh:start(),
       ssh:daemon(9988, [{password, "bla"}, {ip_v6_disabled, true}]).

    # ulimit -m 12000
    # /usr/local/src/otp_src_R15B03/bin/erl
    Erlang R15B03 (erts-5.9.3.1) [source] [64-bit] [smp:2:2] ...
    1> ss:go().
    {ok,<0.46.0>}

can you give me a program which crashes that through overflow, automatically?

(You've given a description. I'd like a program so that I can be sure
I'm doing exactly what you're doing.)

Matt
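One way to realise the setrlimit() suggestion from the supervising side, as an added example that is not part of this mail or of OTP: a small launcher that caps the process address space and then execs the real program, so the limit is inherited by the Erlang VM. It assumes RLIMIT_AS (total virtual memory) as the limit to set, since that is the one the kernel checks at allocation time; the program and argument names are placeholders taken from the transcript above.

```c
/* limit_and_exec.c (illustration only, not from the mail or OTP):
 * apply an address-space limit, then exec the real program so the
 * limit follows it. Assumes RLIMIT_AS is the limit we want. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Set the soft address-space limit to `megabytes` MiB, never raising it
 * above the current hard limit (an unprivileged process may not).
 * Returns 0 on success, -1 with errno set on failure. */
int apply_memory_limit(unsigned long megabytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0)
        return -1;
    rlim_t wanted = (rlim_t)megabytes * 1024 * 1024;
    if (rl.rlim_max != RLIM_INFINITY && wanted > rl.rlim_max)
        wanted = rl.rlim_max;          /* clamp to the hard limit */
    rl.rlim_cur = wanted;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Report the soft address-space limit now in force, in MiB (0 = unlimited). */
unsigned long current_memory_limit_mb(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_AS, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        return 0;
    return (unsigned long)(rl.rlim_cur / (1024 * 1024));
}

/* Usage: limit_and_exec <MiB> <program> [args...]
 * e.g.   limit_and_exec 12000 /usr/local/src/otp_src_R15B03/bin/erl -s ss go */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <MiB> <program> [args...]\n", argv[0]);
        return 2;
    }
    if (apply_memory_limit(strtoul(argv[1], NULL, 10)) != 0) {
        perror("setrlimit(RLIMIT_AS)");
        return 1;
    }
    execvp(argv[2], &argv[2]);      /* rlimits survive exec */
    perror("execvp");               /* only reached if exec failed */
    return 1;
}
```

Once the VM runs under such a limit, an allocation that would exceed it fails inside the VM (which then exits on its own terms) instead of growing until the OOM killer picks a victim.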


