fix integer truncation bugs in error logger path #1795
Merged
Sending a large term to the error logger has two problems related to the size and sign of the variables used to represent lengths:

- the API functions (erts_send_error_term_to_logger() et al) perform an unchecked narrowing conversion from size_t to int when passing dsbufp->str_len to the internal functions; this may both truncate the length and make it negative
- do_send_term_to_logger() and do_send_to_logger() multiply the int-typed length by 2 before widening it to Uint and adding a few more values; the intermediate product may overflow, causing loss of high bits and a change of sign; if the intermediate product is negative, the final size will be an extremely large positive value

The end result is that the computed buffer size can be arbitrarily wrong, either too small or too large.
While reviewing this code I also found and fixed a potential narrowing
bug in erts_set_hole_marker().
--
I don't have a test case, but this is based on analysis of a SIGSEGV
posted to the mailing list: http://erlang.org/pipermail/erlang-questions/2018-April/095285.html
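The following is an added example, not the Erlang/OTP source and not the author's patch. It models the two steps the description above walks through (size_t narrowed to int, then int doubled before widening to Uint) and places an overflow-checked size computation beside it, so the "too small" and "too large" outcomes can be reproduced for concrete lengths. The constant overhead `EXTRA`, the function names, and the widths (32-bit int, 64-bit size_t and Uint) are assumptions made for the demonstration; the signed wraparound of the original code is emulated with unsigned arithmetic so the model itself has no undefined behaviour.

```c
/* Added example modelling the length arithmetic described in the PR.
 * Not OTP code: EXTRA, the function names and the 32-bit-int / 64-bit-word
 * layout are assumptions for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

_Static_assert(sizeof(size_t) == 8, "this model assumes a 64-bit size_t/Uint");

/* Hypothetical fixed byte count added after the doubled length (the PR says
 * "a few more values" without giving the number). */
#define EXTRA 10u

/* Reinterpret the low 32 bits of v as a two's-complement int32, without
 * relying on implementation-defined signed conversions. */
static int32_t wrap32(uint64_t v)
{
    uint32_t u = (uint32_t)v;                 /* modulo 2^32, well-defined */
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;    /* 0x80000000.. become negative */
}

/* What the unchecked path computes:
 *   int  len  = (int)str_len;          narrowing; negative if bit 31 is set
 *   Uint size = len * 2 + EXTRA;       int*2 overflows before the widening
 * Both 32-bit wraps are emulated with wrap32(); the final negative->Uint
 * conversion is well-defined (modulo 2^64) and yields the huge size. */
static uint64_t unchecked_size(size_t str_len)
{
    int32_t len  = wrap32(str_len);                 /* size_t -> int */
    int32_t prod = wrap32((uint32_t)len * 2u);      /* int * 2, wrapped */
    return (uint64_t)(int64_t)prod + EXTRA;         /* widened to Uint */
}

/* Overflow-checked replacement: keep the length as size_t throughout and
 * reject any input for which 2*len + EXTRA does not fit.  Returns 0 on
 * overflow; a valid size is always >= EXTRA > 0, so 0 is unambiguous. */
static size_t checked_size(size_t str_len)
{
    if (str_len > (SIZE_MAX - EXTRA) / 2)
        return 0;
    return str_len * 2 + EXTRA;
}

/* Compare the two: 0 = unchecked result correct, 1 = too small,
 * 2 = too large (wrapped negative), -1 = size genuinely unrepresentable. */
static int classify(size_t str_len)
{
    uint64_t bad  = unchecked_size(str_len);
    size_t   good = checked_size(str_len);
    if (good == 0) return -1;
    if (bad < good) return 1;
    if (bad > good) return 2;
    return 0;
}

int main(void)
{
    /* Constructed lengths: ordinary, bit 30 set, bit 31 set, above 32 bits */
    const size_t lens[] = { 100, (size_t)1 << 30, (size_t)1 << 31,
                            ((size_t)1 << 32) + 5 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("len=%zu unchecked=%llu checked=%zu verdict=%d\n",
               lens[i], (unsigned long long)unchecked_size(lens[i]),
               checked_size(lens[i]), classify(lens[i]));
    }
    return 0;
}
```

A length with bit 30 set doubles into a negative int, which the widening turns into a size just below 2^64 (the "extremely large positive value"); a length with bit 31 set, or one that does not fit in 32 bits at all, is truncated first and yields a size far smaller than the data, which is the path that leads to the out-of-bounds write behind the reported SIGSEGV. The checked version does the multiplication in size_t and refuses lengths that cannot be represented instead of silently wrapping.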