binary_to_term can crash the VM

Matthias Lang <>
Thu Feb 2 00:13:21 CET 2006


Hi,

I recall binary_to_list being fixed to be able to cope with 'bad'
binaries a few years ago. But I stumbled across another way to crash
it:

  2> binary_to_term(<<131,109,255,255,255,255>>).
  Segmentation fault

This can bite when code such as 'rb' calls binary_to_term on corrupt
data:

  /usr/local/src/otp_src_R10B-8/bin/erl -boot start_sasl
  ...
  Eshell V5.4.10  (abort with ^G)
  1> c(crash).
  {ok,crash}
  2> crash:go().
  rb: reading report...Segmentation fault

I haven't tried making dets fail, but I bet 'rb' isn't the only thing
which uses binary_to_term on data it can't be sure it created.

Matthias

(FWIW: I don't use 'log_mf_handler' or 'rb' in production systems
because of past problems. This seems like another good reason to give
them a miss.)

%%----------------------------------------------------------------------
-module(crash).
-export([go/0]).

go() ->
  file:make_dir("/tmp/zap"),
  file:write_file("/tmp/zap/index", <<1>>),
  %% simulate a corrupt logfile
  file:write_file("/tmp/zap/1", <<0,6,131,109,255,255,255,255>>),
  rb:start([{report_dir, "/tmp/zap"}]),
  rb:list().



More information about the erlang-questions mailing list