oss-sec mailing list archives
Multiple DoS parsing and executing extended regex expressions in GNU libc
From: Gustavo Grieco <gustavo.grieco () gmail com>
Date: Thu, 9 Feb 2017 14:24:58 -0300
Hello, We found a few extended regex expressions in GNU libc that will crash or abort the execution of regcomp or regexec. For instance: \a?{1,32767} will immediately exhaust the stack calling calc_eclosure_iter in the compilation. A small variation of this regex is: \a?{0,32767} will consume a very large amount of memory: it seems to eat 16GB in less than a minute. It is also possible to exhaust the stack memory trying to parse: (((((((( ... repeated 15000 times this issue is caused because regcomp will call the parse_expression, parse_branch and parse_reg_exp functions over and over again. Finally, the following regex will trigger an abort or invalid free when regexec is called: /S^^|\0|()//S^^|\0|()//S^^|\1|()/ I don't think these issues can be used to execute arbitrary code, but it seems quite easy to produce a DoS if a remote application is parsing untrusted regex expressions. In fact, we asked one of our students, AgustÃn Mista, to create a simple PoC to show how to crash a proFTP server if you can write a .ftpaccess file. You can find the script attached. These issues were tested in GNU libc 2.19 (Ubuntu 14.04) and 2.24 (ArchLinux). I think it should affect the last version of GNU libc as well. Can someone confirm it? I'm investigating how to submit these issues in the new CVE form... Regards, Gustavo.
Attachment:
PoC.hs
Description:
Current thread:
- Multiple DoS parsing and executing extended regex expressions in GNU libc Gustavo Grieco (Feb 09)
- Re: Multiple DoS parsing and executing extended regex expressions in GNU libc Jakub Wilk (Feb 09)