[Bug regex/17070] New: regcomp with REG_EXTENDED uses unbounded CPU or RAM

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug regex/17070] New: regcomp with REG_EXTENDED uses unbounded CPU or RAM

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17070

            Bug ID: 17070
           Summary: regcomp with REG_EXTENDED uses unbounded CPU or RAM
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: konstantin.s.serebryany at gmail dot com
                CC: drepper.fsp at gmail dot com

[not sure how useful these reports are, but filing just in case.]


#include <regex.h>                                                              
int main(int argc, char **argv) {                                              
  regex_t r;                                                                    
  regcomp(&r,                                                                  
#if 1          
"([\\u]\\N|||){85,}[:ascii:]l[:(?!graph:]x?x)",
#else
"[(?{x<]})x{146}{,78}{,154}{,211}\\P{(?>^Latin}"
"x\\w\\p{^So}\\P{Alphabetic}[:punct:]\\P{^Mc}xxx)"
"[:alnum:]{-9,}[:blankcntrl:][:upperword:][:punct:]\\e",
#endif
          REG_EXTENDED);                                                        
  regfree(&r);                                                                  
}                                    

% gcc r1.c && ./a.out

The first pattern just never ends, most of the time is spent
in deep recursive call to calc_eclosure_iter

The second case is much worse -- it quickly eats all available RAM on the
machine,
doing tons of allocations here:
#1  0x00007ffff7a9cf95 in __GI___libc_malloc (bytes=968) at malloc.c:2924
#2  0x00007ffff7af1e3b in create_token_tree
#3  duplicate_tree
#4  0x00007ffff7af7f6f in parse_dup_op
#5  parse_expression
#6  0x00007ffff7af6470 in parse_branch
#7  0x00007ffff7af67be in parse_reg_exp
#8  0x00007ffff7af6cc0 in parse
#9  re_compile_internal


Checked with 2.15 and fresh trunk, tests were generated by regfuzz

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/17070] regcomp with REG_EXTENDED uses unbounded CPU or RAM

tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17070

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=12896
              Flags|                            |security+

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/17070] regcomp with REG_EXTENDED uses unbounded CPU or RAM

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17070

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #1 from Rich Felker <bugdal at aerifal dot cx> ---
I'm guessing -9 got interpreted as (size_t)-9, in which case that many states
are really needed in the compiled regex. This is why POSIX allows
implementations to place a limit on the number of repetitions supported in
{n,m} (IIRC only up to 256 need to be supported) and why glibc should make use
of this allowance.

--
You are receiving this mail because:
You are on the CC list for the bug.
Reply | Threaded
Open this post in threaded view
|

[Bug regex/17070] regcomp with REG_EXTENDED uses unbounded CPU or RAM

tromey at sourceware dot org
In reply to this post by tromey at sourceware dot org
https://sourceware.org/bugzilla/show_bug.cgi?id=17070

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=18013
              Flags|security+                   |security-

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Per our Security Exceptions, this is not a security bug:

https://sourceware.org/glibc/wiki/Security%20Exceptions

Also see the relatted bugs.

--
You are receiving this mail because:
You are on the CC list for the bug.