oss-sec mailing list archives
Re: Multiple DoS parsing and executing extended regex expressions in GNU libc
From: Jakub Wilk <jwilk () jwilk net>
Date: Thu, 9 Feb 2017 19:45:30 +0100
* Gustavo Grieco <gustavo.grieco () gmail com>, 2017-02-09, 14:24:
We found a few extended regex expressions in GNU libc that will crash or abort the execution of regcomp or regexec. For instance:\a?{1,32767}will immediately exhaust the stack calling calc_eclosure_iter in the compilation.
FWIW, glibc's policy seems to be that DoS via crafted regexp is not considered a security problem: https://sourceware.org/glibc/wiki/Security%20Exceptions
"[...] resource exhaustion issues which can be triggered only with crafted patterns (either during compilation or execution) are not treated as security bugs. (This does not mean we do not intend to fix such issues as regular bugs if possible.)
However, during execution, crashes, infinite loops, buffer overflows and reading past buffers (read-only buffer overruns), memory leaks and other, similar bugs should be treated as security vulnerabilities, assuming that the pattern is trusted and reasonably structured."
-- Jakub Wilk
Current thread:
- Multiple DoS parsing and executing extended regex expressions in GNU libc Gustavo Grieco (Feb 09)
- Re: Multiple DoS parsing and executing extended regex expressions in GNU libc Jakub Wilk (Feb 09)