[erlang-patches] [PATCH] Fix memory corruption when reading topology information
Benjamin Herrenschmidt
benh@REDACTED
Wed Mar 14 21:00:10 CET 2012
On Wed, 2012-03-14 at 17:52 +0100, Sverker Eriksson wrote:
> I found two other places in erl_misc_utils.c where the same mistake
> seems to be done.
>
> Do you have some test to share that provokes this bug?

On a reasonably large machine, offline some CPUs and run erlang, it will
either segfault or abort with a glibc detected heap corruption. Our test
setup is some POWER7 machines on which we disable SMT with the command:

    ppc64_cpu --smt=off

That disables 3 out of 4 logical CPUs, so the machine goes from 64 to 16
which is plenty enough to trigger glibc heap corruption detection.

Cheers,
Ben.

> diff --git a/erts/lib_src/common/erl_misc_utils.c
> b/erts/lib_src/common/erl_misc_utils.c
> index 4806311..162c908 100644
> --- a/erts/lib_src/common/erl_misc_utils.c
> +++ b/erts/lib_src/common/erl_misc_utils.c
> @@ -727,7 +727,7 @@ adjust_processor_nodes(erts_cpu_info_t *cpuinfo, int
> no_nodes)
>
> prev = NULL;
> this = &cpuinfo->topology[0];
> - last = &cpuinfo->topology[cpuinfo->configured-1];
> + last = &cpuinfo->topology[cpuinfo->topology_size-1];
> while (1) {
> if (processor == this->processor) {
> if (node != this->node)
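Review bot: in adjust_processor_nodes the new `last = &cpuinfo->topology[cpuinfo->topology_size-1];` is computed with no guard visible in the hunk, whereas the two read_topology sites sit under `if (res > 1)`. If topology_size can be 0 (or topology NULL) when this function is called, `last` points before the array and the `while (1)` walk has no valid end. An explicit early return on `cpuinfo->topology_size < 1` ahead of `this = &cpuinfo->topology[0];` would make the precondition visible.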
> @@ -939,7 +939,7 @@ read_topology(erts_cpu_info_t *cpuinfo)
>
> if (res > 1) {
> prev = this++;
> - last = &cpuinfo->topology[cpuinfo->configured-1];
> + last = &cpuinfo->topology[cpuinfo->topology_size-1];
>
> while (1) {
> this->thread = ((this->node == prev->node
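Review bot: the guard `if (res > 1)` and the new bound `topology_size-1` are two separate counts in this hunk, and nothing visible ties `res` to `cpuinfo->topology_size`. Since `this` and `last` must describe the same array length for the loop to stay in bounds, a comment or assertion before `prev = this++;` stating that topology_size already holds the post-realloc count would document the invariant the fix relies on.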
> @@ -1094,7 +1094,7 @@ read_topology(erts_cpu_info_t *cpuinfo)
>
> if (res > 1) {
> prev = this++;
> - last = &cpuinfo->topology[cpuinfo->configured-1];
> + last = &cpuinfo->topology[cpuinfo->topology_size-1];
>
> while (1) {
> this->thread = ((this->node == prev->node
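Review bot: this is the third identical `last = &cpuinfo->topology[cpuinfo->topology_size-1];` line in the patch, and the second one inside read_topology according to the hunk headers. A small helper or macro that returns the last valid topology entry would define the bound in one place, so a later copy of this loop cannot reintroduce `configured` as the index.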
>
>
> /Sverker, Erlang/OTP Ericsson
>
>
> Benjamin Herrenschmidt wrote:
> > On Tue, 2012-03-13 at 14:50 +0100, Gustav Simonsson wrote:
> >
> >> Hi Benjamin,
> >>
> >> We discovered this error in a few other places, and will create a
> >> slightly larger internal patch for this issue.
> >> Thank you for finding this error and reporting it!
> >>
> >
> > Thanks. Any chance you can CC me on the patch ? I'd like to try to get
> > it included/backported in some distro as it prevents anything using
> > erlang from running on some setups. (Typically if you have unplugged
> > CPU, which is common when running KVM on POWER7 machines where the host
> > has to unplug the SMT threads).
> >
> > Cheers,
> > Ben.
> >
> >
> >> Regards,
> >> Gustav Simonsson
> >> Erlang/OTP team
> >>
> >>
> >> On 2012-03-09 04:23, Benjamin Herrenschmidt wrote:
> >>
> >>> If the number of processors actually found while reading sysfs
> >>> is lower than the configured value, we realloc() the cpuinfo array
> >>> to the smaller size, but we then iterate it using the original
> >>> configured size, thus corrupting memory beyond the allocated
> >>> block.
> >>>
> >>> Signed-off-by: Benjamin Herrenschmidt<benh@REDACTED>
> >>> ---
> >>>
> >>> diff -urN otp_src_R15B.orig/erts/lib_src/common/erl_misc_utils.c otp_src_R15B/erts/lib_src/common/erl_misc_utils.c
> >>> --- otp_src_R15B.orig/erts/lib_src/common/erl_misc_utils.c 2011-12-14 21:22:11.000000000 +1100
> >>> +++ otp_src_R15B/erts/lib_src/common/erl_misc_utils.c 2012-03-08 14:40:18.111420986 +1100
> >>> @@ -939,7 +939,7 @@
> >>>
> >>> if (res> 1) {
> >>> prev = this++;
> >>> - last =&cpuinfo->topology[cpuinfo->configured-1];
> >>> + last =&cpuinfo->topology[cpuinfo->topology_size-1];
> >>>
> >>> while (1) {
> >>> this->thread = ((this->node == prev->node
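Review bot: the lines `if (res> 1)` and `last =&cpuinfo->topology[...]` in this hunk are spaced differently from the same lines in the follow-up diff (`if (res > 1)`, `last = &cpuinfo->...`), which suggests whitespace was altered in transit. A hunk whose context does not match the file byte for byte is unlikely to apply cleanly; resending as an attachment or via git send-email would avoid that.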
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> erlang-patches mailing list
> >>> erlang-patches@REDACTED
> >>> http://erlang.org/mailman/listinfo/erlang-patches
> >>>
> >
> >
> >
> >
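
The failure mode described in the original commit message, as an added example (not ERTS code and not posted by anyone in this thread). It is a simplified model: the struct layout, the names `read_topology_model`, `number_threads` and `stale_bound_overrun`, the constructed 64-CPU online map and the 8-cores-per-node figure are all assumptions. The array is shrunk with realloc() and walked with a `topology_size` bound, and the last function reports how many entries a `configured-1` bound would have reached past the allocation.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model (assumption), not the real erts_cpu_info_t layout. */
typedef struct { int node, core, thread; } cpu_topology_t;
/* configured: CPUs the system has; topology_size: entries kept after the shrink */
typedef struct { int configured, topology_size; cpu_topology_t *topology; } cpu_info_t;

/* Fill topology[] from a constructed online map, then shrink to what was found. */
static int read_topology_model(cpu_info_t *ci, const unsigned char *online, int smt) {
    int found = 0;
    cpu_topology_t *t = calloc((size_t)ci->configured, sizeof *t), *shrunk;
    if (!t) return -1;
    for (int cpu = 0; cpu < ci->configured; cpu++) {
        if (!online[cpu]) continue;          /* offlined CPU: nothing to read */
        t[found].core = cpu / smt;
        t[found++].node = cpu / (smt * 8);   /* assumed: 8 cores per node */
    }
    if (found == 0) { free(t); t = NULL; }
    else if ((shrunk = realloc(t, (size_t)found * sizeof *t)) != NULL) t = shrunk;
    ci->topology = t;
    ci->topology_size = found;               /* the only valid bound from here on */
    return found;
}

/* Number threads within each core; the walk is bounded by topology_size. */
static void number_threads(cpu_info_t *ci) {
    if (ci->topology_size < 2) return;       /* also avoids last = &topology[-1] */
    cpu_topology_t *prev = &ci->topology[0];
    cpu_topology_t *last = &ci->topology[ci->topology_size - 1];
    for (cpu_topology_t *cur = prev + 1; cur <= last; prev = cur++)
        cur->thread = (cur->node == prev->node && cur->core == prev->core)
                          ? prev->thread + 1 : 0;
}

/* Entries past the allocation that a bound of configured-1 would reach. */
static int stale_bound_overrun(const cpu_info_t *ci) {
    return ci->topology ? ci->configured - ci->topology_size : 0;
}

int main(void) {
    unsigned char online[64] = {0};          /* constructed: SMT off, 1 of 4 online */
    cpu_info_t ci = { 64, 0, NULL };
    for (int i = 0; i < 64; i += 4) online[i] = 1;
    read_topology_model(&ci, online, 4);
    number_threads(&ci);
    printf("size=%d overrun=%d\n", ci.topology_size, stale_bound_overrun(&ci));
    free(ci.topology);
    return 0;
}
```

With the constructed SMT-off map the array holds 16 entries and the stale bound would cover 48 more, which matches the 64-to-16 case reported in the reply at the top of this message.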