This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH v3] powerpc: strstr optimization
- From: Joseph Myers <joseph at codesourcery dot com>
- To: Tulio Magno Quites Machado Filho <tuliom at linux dot vnet dot ibm dot com>
- Cc: Carlos O'Donell <carlos at redhat dot com>, Steve Munroe <sjmunroe at us dot ibm dot com>, Florian Weimer <fweimer at redhat dot com>, Ondřej Bílka <neleai at seznam dot cz>, GNU C Library <libc-alpha at sourceware dot org>, Rajalakshmi Srinivasaraghavan <raji at linux dot vnet dot ibm dot com>
- Date: Wed, 22 Jul 2015 19:41:41 +0000
- Subject: Re: [PATCH v3] powerpc: strstr optimization
- Authentication-results: sourceware.org; auth=none
- References: <558A5642 dot 5020107 at linux dot vnet dot ibm dot com> <558A5761 dot 2000409 at linux dot vnet dot ibm dot com> <87oajpm8nc dot fsf at totoro dot br dot ibm dot com> <871tgijuri dot fsf at linux dot vnet dot ibm dot com> <55A6FE3F dot 6090701 at redhat dot com> <55A70B70 dot 6090607 at redhat dot com> <20150716195538 dot GA5140 at domone> <55A8110C dot 7000209 at redhat dot com> <alpine dot DEB dot 2 dot 10 dot 1507221607370 dot 21570 at digraph dot polyomino dot org dot uk> <55AFD91C dot 30404 at redhat dot com> <87d1zk9hc7 dot fsf at linux dot vnet dot ibm dot com>
On Wed, 22 Jul 2015, Tulio Magno Quites Machado Filho wrote:
> >> If there's a quadratic worst case newly introduced for 2.22, I'd consider
> >> that a security hole (denial of service) that needs to block the release
> >> of 2.22 until it's fixed (possibly by removing the implementation in
> >> question).
> Could you elaborate why a quadratic worst case in a string function can be
> considered a denial of service, please?
Because code may use strstr on untrusted inputs, meaning small inputs
(e.g. MB in size) cause large (effectively infinite) CPU usage - any case
where an attacker can cause your resource usage to grow more than linearly
with their usage is a denial-of-service problem. Thus gnulib considers
such strstr implementations buggy and disables them (so preventing any of
your optimizations from being effective for any program using gnulib), but
not everything uses gnulib.
(There are cases, e.g. untrusted regular expressions, where glibc can't
reasonably avoid such resource usage, and so anyone using untrusted
regular expressions must apply resource limits externally. But strstr
isn't such a case.)
> > Tulio,
> > Could you please review the possibility of quadratic behaviour and respond
> > prompty? I don't want this to hold up the release.
> I confirm this algorithm does have a quadratic worst case, which appears if
> needle <= 2048.
> If the needle > 2048, it falls back to the previous implementation.
strstr should be O(m+n) (for needle length m, haystack length n); a naive
implementation could be O(mn). Are you saying that, for constant m <=
2048, it's O(n^2)? Because O(mn) for bounded m is fine (the threshold
2048 would preferably have been determined by some sort of benchmark, but
the precise choice of threshold isn't something to block a release).
Joseph S. Myers