Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix integer truncation bugs in error logger path #1795

Merged
merged 1 commit into from
Apr 24, 2018
Merged

fix integer truncation bugs in error logger path #1795

merged 1 commit into from
Apr 24, 2018

Conversation

mikpe
Copy link
Contributor

@mikpe mikpe commented Apr 21, 2018

Sending a large term to the error logger has two problems related
to the size and sign of the variables used to represent lengths:

  • the API functions (erts_send_error_term_to_logger() et al) perform
    an unchecked narrowing conversion from size_t to int when passing
    dsbufp->str_len to the internal functions; this may both truncate
    the length and make it negative

  • do_send_term_to_logger() and do_send_to_logger() multiply the
    int-typed length by 2 before widening it to Uint and adding a few
    more values; the intermediate product may overflow causing loss
    of high bits and a change of sign; if the intermediate product is
    negative the final size will be an extremely large positive value

The end result is that the computed buffer size can be arbitrarily
wrong, either too small or too large.

While reviewing this code I also found and fixed a potential narrowing
bug in erts_set_hole_marker().

--
I don't have a test case, but this is based on analysis of a SIGSEGV
posted to the mailing list: http://erlang.org/pipermail/erlang-questions/2018-April/095285.html

@mikpe
fix integer truncation bugs in error logger path
bf96458 
Sending a large term to the error logger has two problems related
to the size and sign of the variables used to represent lengths:

- the API functions (erts_send_error_term_to_logger() et al) perform
  an unchecked narrowing conversion from size_t to int when passing
  dsbufp->str_len to the internal functions; this may both truncate
  the length and make it negative

- do_send_term_to_logger() and do_send_to_logger() multiply the
  int-typed length by 2 before widening it to Uint and adding a few
  more values; the intermediate product may overflow causing loss
  of high bits and a change of sign; if the intermediate product is
  negative the final size will be an extremely large positive value

The end result is that the computed buffer size can be arbitrarily
wrong, either too small or too large.

While reviewing this code I also found and fixed a potential narrowing
bug in erts_set_hole_marker().
@garazdawi garazdawi self-assigned this Apr 23, 2018
@garazdawi garazdawi added team:VM Assigned to OTP team VM fix testing currently being tested, tag is used by OTP internal CI labels Apr 23, 2018
@garazdawi garazdawi changed the base branch from maint to master April 23, 2018 07:52
@garazdawi garazdawi merged commit 8a965fa into erlang:master Apr 24, 2018
@mikpe mikpe deleted the erts-logger-integer-truncation branch March 15, 2020 12:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@garazdawi garazdawi

Labels
fix team:VM Assigned to OTP team VM testing currently being tested, tag is used by OTP internal CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mikpe @garazdawi