bug-gnulib

Re: two (and a half) more crashes in regex module


From: Tim Rühsen
Subject: Re: two (and a half) more crashes in regex module
Date: Wed, 12 Sep 2018 09:23:54 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.0

On 9/12/18 8:02 AM, Assaf Gordon wrote:
> Hello,
> 
> Prompted by the recent bug reports, I decided to do some
> targeted fuzzing on gnulib's regex module using afl.
> 
> So far I found two obscure bugs, and one pathological case.
> 
> Can be easily reproduced with:
> 
>    $ echo 1 |  grep -E "(\'|^)(\1|)"
>    grep: regexec.c:1375: pop_fail_stack: Assertion `num >= 0' failed.
>    Aborted
> 
>    $ echo A | grep -E "$(printf '(\227|)(\\1\\1|t1|\\\2537)+')"
>    Segmentation fault  ## stack overflow due to infinite recursion
> 
> And the following pathological case can easily consume hundreds of MB of
> RAM (more "+" - more RAM):
> 
>    $ echo 1 | time grep -E '(.)++++++++++++++++++++++|'

I stumbled upon the memory consumption (and slowness) a while ago, but
it seems to be a well-known issue regarding
https://sourceware.org/glibc/wiki/Security%20Exceptions.

So, never accept regex patterns from untrusted sources.

Regards, Tim

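Added example, not code from the thread, from grep or from gnulib: what "never accept regex patterns from untrusted sources" looks like when a program has to take a pattern from a user anyway. Two layers: a structural pre-check that rejects the constructs behind the three reports above (back-references and stacked quantifiers), and running regcomp()/regexec() in a forked child under an address-space cap and an alarm, so a pattern that slips past the pre-check can only exhaust the child's budget. The function names (vet_pattern, match_limited), the PAT_*/MATCH_* codes and the 512 MB / 2 s budgets are this example's own choices; it uses glibc's POSIX regex API, which is the same engine gnulib's regex module mirrors.

```c
/* Added example: treat a regex pattern as untrusted input.
 * Names (vet_pattern, match_limited, PAT_*, MATCH_*) are this example's own. */
#define _GNU_SOURCE
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { PAT_OK = 0, PAT_TOO_LONG, PAT_BACKREF, PAT_STACKED_QUANT };
enum { MATCH_YES = 0, MATCH_NO, MATCH_BAD_PATTERN, MATCH_RESOURCE, MATCH_KILLED };

/* Conservative lexical scan of an ERE, done before regcomp() ever sees it.
 * Errs toward rejection: a bracket expression containing ":]" is cut short,
 * and "+?" style stacking is rejected like "++" (glibc itself accepts it).
 * Returns PAT_OK or the first problem found. */
int vet_pattern(const char *pat, size_t max_len)
{
    size_t n = strlen(pat);
    if (n > max_len)
        return PAT_TOO_LONG;
    int prev_quant = 0;                       /* previous token was a quantifier */
    for (size_t i = 0; i < n; i++) {
        char c = pat[i];
        int quant = 0;
        if (c == '\\') {                      /* escape: \1..\9 is a back-reference */
            if (i + 1 < n && pat[i + 1] >= '1' && pat[i + 1] <= '9')
                return PAT_BACKREF;
            i++;                              /* any other escaped char is a literal */
        } else if (c == '[') {                /* bracket expression: * + ? are literal inside */
            size_t j = i + 1;
            if (j < n && pat[j] == '^') j++;
            if (j < n && pat[j] == ']') j++;  /* leading ']' is literal */
            while (j < n && pat[j] != ']') j++;
            i = j;
        } else if (c == '{') {                /* interval {n,m}: one quantifier token */
            size_t j = i + 1;
            while (j < n && pat[j] != '}') j++;
            i = j;
            quant = 1;
        } else if (c == '*' || c == '+' || c == '?') {
            quant = 1;
        }
        if (quant && prev_quant)              /* "(.)++", "a{2}{3}", "x*+", ... */
            return PAT_STACKED_QUANT;
        prev_quant = quant;
    }
    return PAT_OK;
}

/* Compile and run PAT against SUBJECT in a child process whose address space
 * is capped at MAX_BYTES and which is killed after TIMEOUT_S seconds.  Under
 * the cap, runaway allocation inside regcomp()/regexec() surfaces as
 * REG_ESPACE instead of taking the caller down; a crash (assertion abort,
 * stack overflow) or the alarm yields MATCH_KILLED. */
int match_limited(const char *pat, const char *subject, rlim_t max_bytes, unsigned timeout_s)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit rl = { max_bytes, max_bytes };
        setrlimit(RLIMIT_AS, &rl);            /* memory budget for this one pattern */
        alarm(timeout_s);                     /* SIGALRM's default action terminates the child */
        regex_t re;
        int rc = regcomp(&re, pat, REG_EXTENDED | REG_NOSUB);
        if (rc != 0)
            _exit(rc == REG_ESPACE ? MATCH_RESOURCE : MATCH_BAD_PATTERN);
        rc = regexec(&re, subject, 0, NULL, 0);
        regfree(&re);
        _exit(rc == 0 ? MATCH_YES : rc == REG_NOMATCH ? MATCH_NO : MATCH_RESOURCE);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return MATCH_KILLED;                      /* SIGALRM, SIGSEGV, SIGABRT, ... */
}

int main(void)
{
    /* The three patterns from the report as C literals; \227 and \253 are the
     * octal bytes the printf in the report produces. */
    const char *reported[] = {
        "(\\'|^)(\\1|)",
        "(\227|)(\\1\\1|t1|\\\2537)+",
        "(.)++++++++++++++++++++++|",
    };
    static const char *why[] = { "ok", "too long", "back-reference", "stacked quantifiers" };
    for (size_t i = 0; i < 3; i++)
        printf("pattern %zu -> %s\n", i + 1, why[vet_pattern(reported[i], 256)]);
    /* A pattern that passes vetting still only runs under a budget. */
    printf("match -> %d\n", match_limited("^[a-z]+$", "hello", (rlim_t)512 << 20, 2));
    return 0;
}
```

The pre-check is deliberately a reject-list on syntax, not an attempt to predict the engine's cost: the first two reports need a back-reference and the third needs stacked repetition, and both constructs are rare in legitimate user patterns, so refusing them costs little. The child-process budget is what actually bounds the damage when the engine has a bug the check does not anticipate.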

