Erlang/OTP / ERL-944

Calling erlang:binary_to_existing_atom with latin1 encoding causes crash (stack smashing)

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 20.3, 21.3
    • Fix Version/s: 21.3.8.1, 22.0.4, 20.3.8.22
    • Component/s: erts
    • Labels:
      None

      Description

      The following code causes crash (stack smashing):

      erlang:binary_to_existing_atom( <<0:511/unit:8, 196, 133>>, latin1 ).
      

      Below is stack trace from gdb:

      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #1  0x00007f8cecda0801 in __GI_abort () at abort.c:79
      #2  0x00007f8cecde9897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f8cecf16988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
      #3  0x00007f8cece94cd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=false, msg=msg@entry=0x7f8cecf16966 "stack smashing detected") at fortify_fail.c:33
      #4  0x00007f8cece94c92 in __stack_chk_fail () at stack_chk_fail.c:29
      #5  0x000056047bc899ec in erts_atom_get (name=<optimized out>, len=<optimized out>, ap=ap@entry=0x7f8ca8c38c80, enc=enc@entry=ERTS_ATOM_ENC_LATIN1) at beam/atom.c:400
      #6  0x000056047bcd6412 in binary_to_atom (must_exist=1, enc=20171, bin=140242095081898, proc=0x7f8cab400f18) at beam/erl_unicode.c:1996
      #7  binary_to_existing_atom_2 (A__p=0x7f8cab400f18, BIF__ARGS=<optimized out>, A__I=<optimized out>) at beam/erl_unicode.c:2032
      #8  0x000056047bb3e19f in process_main () at x86_64-unknown-linux-gnu/opt/smp/beam_cold.h:59
      #9  0x000056047bb31c1b in sched_thread_func (vesdp=0x7f8caa48c800) at beam/erl_process.c:8444
      #10 0x000056047bd8269d in thr_wrapper (vtwd=0x7ffc06362a60) at pthread/ethread.c:118
      #11 0x00007f8ced3606db in start_thread (arg=0x7f8ca8c39700) at pthread_create.c:463
      #12 0x00007f8cece8188f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      The bug is in erts_atom_get. The allocated buffer has MAX_ATOM_SZ_FROM_LATIN1 size (510 bytes) and there is no check for the actual len of the binary passed to this function.

            People

            Assignee:
            john John Högberg
            Reporter:
            smyke Sebastian Smyczyński
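
A minimal C model of the missing length check described in the report, added here as an illustration; it is not code from Erlang/OTP. The function names and the 255-character limit are assumptions, while the 510-byte buffer size and the input bytes come from the report.

```c
#include <stdio.h>

/* Assumed limit: 255 Latin-1 characters, each at most 2 UTF-8 bytes,
 * which gives the 510-byte buffer named in the report. */
#define MAX_ATOM_CHARACTERS 255
#define MAX_ATOM_SZ_FROM_LATIN1 (2 * MAX_ATOM_CHARACTERS)

/* Convert Latin-1 to UTF-8 into out[cap]. Returns the UTF-8 length,
 * or -1 if the output would not fit (nothing is written past cap). */
static int latin1_to_utf8_bounded(const unsigned char *in, size_t len,
                                  unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        size_t need = (in[i] < 0x80) ? 1 : 2;
        if (cap - o < need)
            return -1;
        if (need == 1) {
            out[o++] = in[i];
        } else {
            out[o++] = (unsigned char)(0xC0 | (in[i] >> 6));
            out[o++] = (unsigned char)(0x80 | (in[i] & 0x3F));
        }
    }
    return (int)o;
}

/* Hypothetical stand-in for an atom lookup: returns the UTF-8 length of the
 * name that would be looked up, or -1 when the name cannot be an atom. */
static int lookup_latin1_name(const unsigned char *name, size_t len)
{
    unsigned char utf8_copy[MAX_ATOM_SZ_FROM_LATIN1];

    if (len > MAX_ATOM_CHARACTERS)   /* reject over-long input before copying */
        return -1;
    return latin1_to_utf8_bounded(name, len, utf8_copy, sizeof utf8_copy);
}

int main(void)
{
    /* Constructed input matching the report: 511 zero bytes, then 196, 133. */
    unsigned char repro[513] = {0};
    repro[511] = 196;
    repro[512] = 133;
    printf("repro -> %d\n", lookup_latin1_name(repro, sizeof repro));
    return 0;
}
```

The early length check and the bounded copy are independent defences: either one alone keeps the 513-byte input from writing past the 510-byte buffer.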