[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Chicken-users] [SECURITY] Resource exhaustion bug in irregex compilatio
From: |
Peter Bex |
Subject: |
[Chicken-users] [SECURITY] Resource exhaustion bug in irregex compilation |
Date: |
Wed, 14 Dec 2016 21:37:16 +0100 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
Hi all,
Irregex versions before 0.9.6 contain a resource exhaustion
vulnerability: when compiling deeply nested regexes containing
the "+" operator due to exponential expansion behaviour.
All released CHICKEN versions with Irregex are affected by this.
The upcoming versions 4.12 (and/or dev snapshot 4.11.2) and 5.0.0
will include a fix.
For example, the following expression will trigger an out of
memory error, using up many Gigabytes(!) of memory:
(irregex
"($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)")
In CHICKEN, the maximum heap size will prevent this from eating
up all your system's memory (assuming you have more free memory
than the heap limit), so it would manifest as "merely" a denial of
service. The default value of this setting is 2GB, and can be
tuned using the -:hm runtime option.
Currently, no workaround or mitigation is known. A program could
validate an SRE to detect the issue. This can be done relatively
easily by counting the depth of (+ ...) expressions in a user-
supplied SRE and abort if it's larger than a (very) small constant.
A fix has been implemented in the master branch as 2c419f1 and in the
chicken-5 branch as 60118b0. The patches can be found at
http://lists.gnu.org/archive/html/chicken-hackers/2016-12/msg00010.html
Thanks to Alex Shinn for reviewing the fix.
Regards,
The CHICKEN Team
signature.asc
Description: Digital signature
- [Chicken-users] [SECURITY] Resource exhaustion bug in irregex compilation,
Peter Bex <=