bug-bash

Bash regexp parsing would benefit from safe recursion limit


From: willi1337 bald
Subject: Bash regexp parsing would benefit from safe recursion limit
Date: Wed, 30 Mar 2022 17:16:13 +0200

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -Wno-parentheses -Wno-format-security
uname output: Linux DESKTOP-0TQV3NS 5.10.60.1-microsoft-standard-WSL2 #1
SMP Wed Aug 25 23:20:18 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.1
Patch Level: 16
Release Status: release

Description:

A deeply nested and incorrect regex expression can cause exhaustion of
stack resources, which crashes the bash process.

Repeat-By:

$ cat regexsegfault.sh  ; gdb -q --args ./bash regexsegfault.sh

#!/bin/bash
A=$(printf "%32768s");
A=${A// /(}
[[ "B"  =~ $A ]]

Reading symbols from ./bash...
(gdb) r
Starting program: /mnt/c/Users/Admin/bash-5.1.16/bash ../regexsegfault.sh
[Detaching after fork from child process 13645]

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e808ad in parse_expression (regexp=regexp@entry=0x7fffffffd880,
preg=preg@entry=0x7fffffffd980, token=token@entry=0x7fffffffd870,
syntax=syntax@entry=242428,
    nest=nest@entry=10914, err=err@entry=0x7fffffffd868) at regcomp.c:2249
2249    regcomp.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7e808ad in parse_expression (regexp=regexp@entry=0x7fffffffd880,
preg=preg@entry=0x7fffffffd980, token=token@entry=0x7fffffffd870,
syntax=syntax@entry=242428,
    nest=nest@entry=10914, err=err@entry=0x7fffffffd868) at regcomp.c:2249
#1  0x00007ffff7e83931 in parse_branch (regexp=regexp@entry=0x7fffffffd880,
preg=preg@entry=0x7fffffffd980, token=token@entry=0x7fffffffd870,
syntax=syntax@entry=242428,
    nest=nest@entry=10914, err=err@entry=0x7fffffffd868) at regcomp.c:2207
#2  0x00007ffff7e83b66 in parse_reg_exp (regexp=regexp@entry=0x7fffffffd880,
preg=preg@entry=0x7fffffffd980, token=token@entry=0x7fffffffd870,
syntax=syntax@entry=242428,
    nest=nest@entry=10914, err=err@entry=0x7fffffffd868) at regcomp.c:2159
#3  0x00007ffff7e80949 in parse_sub_exp (err=0x7fffffffd868, nest=10914,
syntax=242428, token=0x7fffffffd870, preg=0x7fffffffd980,
regexp=0x7fffffffd880) at regcomp.c:2496
#4  parse_expression (regexp=regexp@entry=0x7fffffffd880,
preg=preg@entry=0x7fffffffd980,
token=token@entry=0x7fffffffd870, syntax=syntax@entry=242428,
nest=nest@entry=10913,
    err=err@entry=0x7fffffffd868) at regcomp.c:2282

Fix:
Count the stack frames during recursive parsing and emit an error before stack
resources are entirely consumed.
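
The fix proposed above, sketched as an added example that is not part of the original report and is not glibc's regcomp.c or bash code: a toy recursive-descent parser passes its nesting depth down the recursion, as the `nest` argument visible in the backtrace already does, and returns an error once an assumed limit is reached instead of recursing further. The grammar, the function names, the error codes and the MAX_NEST value are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NEST 256  /* assumed limit for this sketch, not a glibc or bash value */
enum parse_err { P_OK = 0, P_EPAREN, P_ETOODEEP };
static enum parse_err parse_alt(const char **p, unsigned nest);

/* atom := '(' alt ')' | any other character */
static enum parse_err parse_atom(const char **p, unsigned nest)
{
    if (**p != '(') { (*p)++; return P_OK; }
    if (nest >= MAX_NEST) return P_ETOODEEP;   /* refuse before recursing again */
    (*p)++;
    enum parse_err e = parse_alt(p, nest + 1);
    if (e != P_OK) return e;
    if (**p != ')') return P_EPAREN;           /* group was never closed */
    (*p)++;
    return P_OK;
}

/* alt := atom* ('|' atom*)* ; stops at ')' or end of string */
static enum parse_err parse_alt(const char **p, unsigned nest)
{
    for (;;) {
        while (**p && **p != ')' && **p != '|') {
            enum parse_err e = parse_atom(p, nest);
            if (e != P_OK) return e;
        }
        if (**p != '|') return P_OK;
        (*p)++;
    }
}

/* Validate a whole pattern; a stray ')' at top level is an error. */
enum parse_err check_pattern(const char *s)
{
    enum parse_err e = parse_alt(&s, 0);
    return (e == P_OK && *s != '\0') ? P_EPAREN : e;
}

int main(void)
{
    static char deep[32769];   /* constructed input: 32768 '(' as in the report */
    memset(deep, '(', sizeof deep - 1);
    printf("nested: %d, deep: %d\n", check_pattern("(a|(b))"), check_pattern(deep));
    return 0;
}
```

With the limit in place the recursion depth is bounded by MAX_NEST regardless of input length, so the 32768-parenthesis pattern is rejected with an error code rather than exhausting the stack.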

