[erlang-patches] [PATCH] Fix memory corruption when reading topology information

Benjamin Herrenschmidt benh@REDACTED
Wed Mar 14 21:00:10 CET 2012


On Wed, 2012-03-14 at 17:52 +0100, Sverker Eriksson wrote:
> I found two other places in erl_misc_utils.c where the same mistake 
> seems to be done.
> 
> Do you have some test to share that provokes this bug?

On a reasonably large machine, offline some CPUs and run erlang, it will
either segfault or abort with a glibc detected heap corruption. Our test
setup is some POWER7 machines on which we disable SMT with the command:

	ppc64_cpu --smt=off

That disables 3 out of 4 logical CPUs, so the machine goes from 64 to 16
which is plenty enough to trigger glibc heap corruption detection.

Cheers,
Ben.

> diff --git a/erts/lib_src/common/erl_misc_utils.c 
> b/erts/lib_src/common/erl_misc_utils.c
> index 4806311..162c908 100644
> --- a/erts/lib_src/common/erl_misc_utils.c
> +++ b/erts/lib_src/common/erl_misc_utils.c
> @@ -727,7 +727,7 @@ adjust_processor_nodes(erts_cpu_info_t *cpuinfo, int 
> no_nodes)
> 
>         prev = NULL;
>         this = &cpuinfo->topology[0];
> -       last = &cpuinfo->topology[cpuinfo->configured-1];
> +       last = &cpuinfo->topology[cpuinfo->topology_size-1];
>         while (1) {
>             if (processor == this->processor) {
>                 if (node != this->node)
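
Review bot: In adjust_processor_nodes, last is now taken as &cpuinfo->topology[cpuinfo->topology_size-1], but nothing in the visible context guards against topology_size being 0 or topology being NULL, and the loop that follows is while (1), so termination depends entirely on reaching last. If an earlier check in the function already guarantees at least one entry, a short comment or assertion here saying so would make the bound easy to verify; otherwise add the check before taking the address.
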
> @@ -939,7 +939,7 @@ read_topology(erts_cpu_info_t *cpuinfo)
> 
>         if (res > 1) {
>             prev = this++;
> -           last = &cpuinfo->topology[cpuinfo->configured-1];
> +           last = &cpuinfo->topology[cpuinfo->topology_size-1];
> 
>             while (1) {
>                 this->thread = ((this->node == prev->node
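
Review bot: At this site in read_topology the walk is entered on res > 1 but bounded by topology_size, two different values. Please state, in a comment or an assertion, how res relates to topology_size at this point and that topology_size already holds the shrunken size when last is computed, since the fix is only correct if that holds.
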
> @@ -1094,7 +1094,7 @@ read_topology(erts_cpu_info_t *cpuinfo)
> 
>         if (res > 1) {
>             prev = this++;
> -           last = &cpuinfo->topology[cpuinfo->configured-1];
> +           last = &cpuinfo->topology[cpuinfo->topology_size-1];
> 
>             while (1) {
>                 this->thread = ((this->node == prev->node
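
Review bot: This is the third copy of the same last = &cpuinfo->topology[...-1] computation in this file, and the second under a read_topology hunk header; with three copies it is easy for one to be missed, as the original single-site patch shows. Consider a small helper or macro that returns the last valid topology entry from topology_size, so the bound is defined in one place.
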
> 
> 
> /Sverker, Erlang/OTP Ericsson
> 
> 
> Benjamin Herrenschmidt wrote:
> > On Tue, 2012-03-13 at 14:50 +0100, Gustav Simonsson wrote:
> >   
> >> Hi Benjamin,
> >>
> >> We discovered this error in a few other places, and will create a 
> >> slightly larger internal patch for this issue.
> >> Thank you for finding this error and reporting it!
> >>     
> >
> > Thanks. Any chance you can CC me on the patch ? I'd like to try to get
> > it included/backported in some distro as it prevents anything using
> > erlang from running on some setups. (Typically if you have unplugged
> > CPU, which is common when running KVM on POWER7 machines where the host
> > has to unplug the SMT threads).
> >
> > Cheers,
> > Ben.
> >
> >   
> >> Regards,
> >> Gustav Simonsson
> >> Erlang/OTP team
> >>
> >>
> >> On 2012-03-09 04:23, Benjamin Herrenschmidt wrote:
> >>     
> >>> If the number of processors actually found while reading sysfs
> >>> is lower than the configured value, we realloc() the cpuinfo array
> >>> to the smaller size, but we then iterate it using the original
> >>> configured size, thus corrupting memory beyond the allocated
> >>> block.
> >>>
> >>> Signed-off-by: Benjamin Herrenschmidt<benh@REDACTED>
> >>> ---
> >>>
> >>> diff -urN otp_src_R15B.orig/erts/lib_src/common/erl_misc_utils.c otp_src_R15B/erts/lib_src/common/erl_misc_utils.c
> >>> --- otp_src_R15B.orig/erts/lib_src/common/erl_misc_utils.c	2011-12-14 21:22:11.000000000 +1100
> >>> +++ otp_src_R15B/erts/lib_src/common/erl_misc_utils.c	2012-03-08 14:40:18.111420986 +1100
> >>> @@ -939,7 +939,7 @@
> >>>
> >>>   	if (res>  1) {
> >>>   	    prev = this++;
> >>> -	    last =&cpuinfo->topology[cpuinfo->configured-1];
> >>> +	    last =&cpuinfo->topology[cpuinfo->topology_size-1];
> >>>
> >>>   	    while (1) {
> >>>   		this->thread = ((this->node == prev->node
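
Review bot: Only the site at line 939 is changed, while the bound being replaced, cpuinfo->configured-1, is a pattern that can appear wherever the topology array is walked. Before merging, search erl_misc_utils.c for other places that index topology by configured and fix them in the same patch; the commit message could also name the affected function, since the hunk header carries none.
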
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> erlang-patches mailing list
> >>> erlang-patches@REDACTED
> >>> http://erlang.org/mailman/listinfo/erlang-patches
> >>>       
> >
> >
> >
> >   
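
The shrink-then-iterate condition from the original commit message, as an added example that is not part of this thread or of the Erlang/OTP source. The types and the functions scan_topology, entries_past_end and assign_threads are hypothetical simplifications, the online map is constructed, and 4 threads per core is assumed from the SMT figures in the reply above.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical, simplified stand-ins for the structures named in the patch. */
typedef struct { int logical, core, thread; } cpu_topology_t;
typedef struct { int configured, topology_size; cpu_topology_t *topology; } cpu_info_t;

/* Build the table from a constructed online map, then shrink it to fit. */
int scan_topology(cpu_info_t *ci, const unsigned char *online) {
    int i, n = 0;
    cpu_topology_t *shrunk;
    if (!(ci->topology = calloc((size_t)ci->configured, sizeof *shrunk))) return -1;
    for (i = 0; i < ci->configured; i++) {
        if (!online[i]) continue;             /* offlined CPU: no entry */
        ci->topology[n].logical = i;
        ci->topology[n].core = i / 4;         /* assumed: 4 threads per core */
        n++;
    }
    if (n > 0 && (shrunk = realloc(ci->topology, n * sizeof *shrunk)) != NULL)
        ci->topology = shrunk;                /* block now holds n entries */
    return ci->topology_size = n;
}

/* Entries beyond the shrunken block that a walk ending at
 * topology[configured-1] would touch (computed, never dereferenced). */
int entries_past_end(const cpu_info_t *ci) {
    return ci->topology_size > 0 ? ci->configured - ci->topology_size : 0;
}

/* Number the threads within each core, bounded by the shrunken size. */
int assign_threads(cpu_info_t *ci) {
    cpu_topology_t *prev, *this = ci->topology, *last;
    if (ci->topology_size < 1) return 0;      /* no valid last entry */
    last = &ci->topology[ci->topology_size - 1];
    this->thread = 0;
    while (this != last) {
        prev = this++;
        this->thread = (this->core == prev->core) ? prev->thread + 1 : 0;
    }
    return ci->topology_size;
}

int main(void) {
    unsigned char online[64];                 /* constructed: 1 of every 4 CPUs online */
    cpu_info_t ci = { 64, 0, NULL };
    for (int i = 0; i < 64; i++) online[i] = (i % 4 == 0);
    scan_topology(&ci, online);
    printf("kept %d, old bound is %d past the end\n", assign_threads(&ci), entries_past_end(&ci));
    free(ci.topology);
    return 0;
}
```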




