[erlang-bugs] Port driver use-after-free
Salikhov Dinislam
Dinislam.Salikhov@REDACTED
Fri Feb 17 10:20:52 CET 2017
Hello,
Failure scenario:
1. A process calls erlang:port_control() and passes a binary to the port driver.
2. The driver is not invoked immediately, so the binary's refc is
incremented and the pointers to the binary and to the binary's data are kept in
struct ErtsProc2PortSigData_ for the later call. The process is in the pending
queue.
3. The pending process is the only one holding a reference to the binary.
4. An event occurs that causes garbage collection of the pending process.
5. The binary is relocated, so the pointers kept in
ErtsProc2PortSigData_ become invalid.
6. The driver manipulates already freed data.
Unfortunately, I don't have a minimal code sample that reproduces the issue.
The described behavior is observed only under high load and leads to a VM crash.
The issue is present in the OTP-18.3 release. I didn't try it on later
releases, but I couldn't find any related fixes there either.
The memory for the binary was first allocated by:
0x481a39 <do_erts_alcu_alloc+270>
0x481c06 <erts_alcu_alloc_thr_pref+135>
0x58db08 <erts_alloc+75>
0x58dc91 <erts_bin_nrml_alloc+68>
0x591362 <erts_bs_append+1566>
0x44177b <process_main+51114>
0x508a27 <sched_thread_func+499>
0x68f72d <thr_wrapper+235>
And then reallocated by:
0x482026 <do_erts_alcu_realloc+190>
0x4828f9 <realloc_thr_pref+257>
0x482ac1 <erts_alcu_realloc_thr_pref+51>
0x585984 <erts_realloc_fnf+81>
0x586200 <erts_bin_realloc+110>
0x58caac <sweep_off_heap+1277>
0x58a37e <major_collection+3163>
0x586ca8 <erts_garbage_collect+493>
0x43c36b <process_main+29594>
0x508a27 <sched_thread_func+499>
0x68f72d <thr_wrapper+235>
In the attachment there is a patch with a quick fix for the issue.
The idea is to always copy the data passed to the port driver if the
actual call is pended.
It is fine for small data, but can lead to performance degradation if
megabyte-sized binaries are passed to port_control(); that's why I
haven't opened a PR.
Salikhov Dinislam
Attachment (scrubbed by the list archive): erlang.patch, text/x-patch, 1433 bytes
URL: <http://erlang.org/pipermail/erlang-bugs/attachments/20170217/8750c576/attachment.bin>
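The following is an added toy model of the failure scenario described in the report above; it is not ERTS code and not the attached patch, and every name in it (RefcBin, PendingSig, bin_gc_shrink, and so on) is invented for illustration. It models the two facts the report relies on: holding a reference count keeps the binary alive but does not pin its address, and a GC sweep can realloc (and therefore move) an over-allocated binary while a port_control call is still pending. The SIG_RAW_PTR mode caches the data pointer at enqueue time, which is the hazard; SIG_COPY is the report's quick fix (copy the data when the call is pended); SIG_REF, which re-derives the pointer from the binary handle at delivery time, is an assumption added here as an alternative that works in this model only because the model updates the handle in place, something the report does not discuss. The shrink step always moves the block so the stale pointer is observable deterministically, whereas a real allocator may or may not move it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the objects in the report (added illustration, not ERTS code).
 * RefcBin stands in for the driver binary; PendingSig for the
 * ErtsProc2PortSigData_ entry kept while port_control is pending. */
typedef struct {
    long refc;
    size_t cap;            /* erts_bs_append over-allocates, so cap >= size */
    size_t size;
    unsigned char *data;
} RefcBin;

typedef enum { SIG_RAW_PTR, SIG_COPY, SIG_REF } SigMode;

typedef struct {
    SigMode mode;
    RefcBin *bin;          /* refc is held while the signal is pending */
    size_t off, len;
    unsigned char *raw;    /* SIG_RAW_PTR: pointer cached at enqueue (the hazard) */
    unsigned char *copy;   /* SIG_COPY: private copy (the report's quick fix) */
} PendingSig;

RefcBin *bin_new(size_t cap, size_t size) {
    RefcBin *b = malloc(sizeof *b);
    b->refc = 1; b->cap = cap; b->size = size;
    b->data = malloc(cap);
    for (size_t i = 0; i < size; i++)           /* constructed sample payload */
        b->data[i] = (unsigned char)('A' + i % 26);
    return b;
}

/* Model of the GC sweep shrinking an over-allocated binary (sweep_off_heap ->
 * erts_bin_realloc in the report's trace). A real realloc may or may not move
 * the block; this model always moves it, allocating the new block before
 * freeing the old one so the two addresses can never coincide. */
void bin_gc_shrink(RefcBin *b) {
    if (b->size == b->cap) return;
    unsigned char *moved = malloc(b->size);
    memcpy(moved, b->data, b->size);
    free(b->data);          /* any cached pointer into the old block now dangles */
    b->data = moved;
    b->cap = b->size;
}

void sig_enqueue(PendingSig *s, SigMode mode, RefcBin *b, size_t off, size_t len) {
    s->mode = mode; s->bin = b; s->off = off; s->len = len;
    s->raw = NULL; s->copy = NULL;
    b->refc++;              /* keeps the binary from being freed, not from moving */
    if (mode == SIG_RAW_PTR) s->raw = b->data + off;
    if (mode == SIG_COPY) { s->copy = malloc(len); memcpy(s->copy, b->data + off, len); }
}

/* The data the driver sees when the pended call is finally delivered. */
const unsigned char *sig_data(const PendingSig *s) {
    switch (s->mode) {
    case SIG_RAW_PTR: return s->raw;                    /* may be dangling */
    case SIG_COPY:    return s->copy;
    default:          return s->bin->data + s->off;     /* resolved at delivery */
    }
}

void sig_release(PendingSig *s) { s->bin->refc--; free(s->copy); }
void bin_free(RefcBin *b) { free(b->data); free(b); }

/* Returns 1 if the pointer cached at enqueue time no longer points into the
 * binary after a GC shrink. The stale address is only compared, never read. */
int raw_pointer_goes_stale(void) {
    RefcBin *b = bin_new(64, 16);
    PendingSig s; sig_enqueue(&s, SIG_RAW_PTR, b, 0, 16);
    uintptr_t cached = (uintptr_t)s.raw;
    bin_gc_shrink(b);
    int stale = cached != (uintptr_t)b->data;
    sig_release(&s); bin_free(b);
    return stale;
}

/* Returns 1 if `mode` still delivers the original bytes after a GC shrink.
 * Only call with SIG_COPY or SIG_REF; SIG_RAW_PTR would read freed memory. */
int mode_survives_gc(SigMode mode) {
    RefcBin *b = bin_new(64, 16);
    unsigned char expect[16]; memcpy(expect, b->data, 16);
    PendingSig s; sig_enqueue(&s, mode, b, 0, 16);
    bin_gc_shrink(b);
    int ok = memcmp(sig_data(&s), expect, 16) == 0;
    sig_release(&s); bin_free(b);
    return ok;
}

int main(void) {
    printf("cached raw pointer stale after GC: %d\n", raw_pointer_goes_stale());
    printf("copy survives GC: %d, re-derived pointer survives GC: %d\n",
           mode_survives_gc(SIG_COPY), mode_survives_gc(SIG_REF));
    return 0;
}
```

The copy mode is the trade-off the report describes: it is immune to relocation at the cost of one extra copy per pended call, which is what makes it unattractive for megabyte-sized binaries.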