Bug 12896 - regexec() stack overflow denial of service
Summary: regexec() stack overflow denial of service
Alias: None
Product: glibc
Classification: Unclassified
Component: regex (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2011-06-16 03:06 UTC by Yang Dingning
Modified: 2015-02-24 11:58 UTC (History)
2 users (show)

See Also:
Last reconfirmed:
fweimer: security-


Note You need to log in before you can comment on or make changes to this bug.
Description Yang Dingning 2011-06-16 03:06:50 UTC
An easy way to reproduce is:

$ echo | grep -E "(.*)\1{4}+"
Segmentation fault (core dumped)

This bug has been verified to exist in glibc 2.11.1 shipped with Ubuntu 10.04, as well as the latest version from git repository. It may have security implications as shown in the description of CVE-2010-4051 and CVE-2010-4052.
Comment 1 Paolo Bonzini 2011-06-18 13:20:13 UTC
This is not really a vulnerability in glibc; in various forms, it is common to pretty much any regular expression engine.

In general, applications should not pass to regcomp regular expressions coming from untrusted sources.  The glibc implementations ensures that "good" regular expressions, in particular not including very high repetition counts or backreferences, do not cause anomalous stack usage in either regcomp or regexec.  This is usually a sufficient guarantee.
Comment 2 Florian Weimer 2014-06-13 10:55:54 UTC
Back references are impossible to implement efficiently, but the glibc implementation should at least avoid a stack overflow.
Comment 3 Florian Weimer 2015-02-24 11:58:43 UTC
Flagging as security-, per the documented Security Exceptions for regcomp: