[Bug regex/12896] New: regexec() stack overflow denial of service

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug regex/12896] New: regexec() stack overflow denial of service

tromey at sourceware dot org
http://sourceware.org/bugzilla/show_bug.cgi?id=12896

           Summary: regexec() stack overflow denial of service
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
        AssignedTo: [hidden email]
        ReportedBy: [hidden email]


An easy way to reproduce is:

$ echo | grep -E "(.*)\1{4}+"
Segmentation fault (core dumped)
$

This bug has been verified to exist in glibc 2.11.1 shipped with Ubuntu 10.04,
as well as the latest version from git repository. It may have security
implications as shown in the description of CVE-2010-4051 and CVE-2010-4052.

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/12896] regexec() stack overflow denial of service

tromey at sourceware dot org
http://sourceware.org/bugzilla/show_bug.cgi?id=12896

Paolo Bonzini <bonzini at gnu dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bonzini at gnu dot org
         Resolution|                            |INVALID

--- Comment #1 from Paolo Bonzini <bonzini at gnu dot org> 2011-06-18 13:20:13 UTC ---
This is not really a vulnerability in glibc; in various forms, it is common to
pretty much any regular expression engine.

In general, applications should not pass to regcomp regular expressions coming
from untrusted sources.  The glibc implementations ensures that "good" regular
expressions, in particular not including very high repetition counts or
backreferences, do not cause anomalous stack usage in either regcomp or
regexec.  This is usually a sufficient guarantee.

--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/12896] regexec() stack overflow denial of service

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=12896

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |fweimer at redhat dot com
         Resolution|INVALID                     |---
           Assignee|drepper.fsp at gmail dot com       |unassigned at sourceware dot org
              Flags|                            |security+

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Back references are impossible to implement efficiently, but the glibc
implementation should at least avoid a stack overflow.

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/12896] regexec() stack overflow denial of service

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=12896

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=17070

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/12896] regexec() stack overflow denial of service

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=12896

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|security+                   |security-

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
Flagging as security-, per the documented Security Exceptions for regcomp:

https://sourceware.org/glibc/wiki/Security%20Exceptions

--
You are receiving this mail because:
You are on the CC list for the bug.