regcomp(3) Multiple Vulnerabilities

Vladimir Levijev vladimir.levijev@gmail.com
Fri Feb 17 14:01:00 GMT 2012


Hi,

Sorry if this issue has been discussed or if this is an inappropriate
place for such a discussion; I'd be glad if you could point me to the
right place.

I'm a developer at Zabbix and we use (and have been using for many
years) libc/regex to provide extended regular expression support in
our product. Recently we discovered that using a certain valid
(correct me if I'm wrong here) regexp it's possible to crash/hang our
programs on GNU/Linux. The result is either a crash or 100% CPU load and
a constant memory leak (something like 100 MB in 5 minutes).

Example patterns that do that:

crash: ".*{10,}{10,}{10,}{10,}{10,}"
hang: ".*{10,}{10,}{10,}{10,}"
hang: (.*+++++++++++++++++++++++++++++(\w+))

Example usage:

$ echo foo | grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault

Here is a link to our issue in our issue tracker:

https://support.zabbix.com/browse/ZBX-4625

Platform used: Debian "Squeeze" (stable), eglibc version: 2.11.3-2

Debian issue tracker:

http://security-tracker.debian.org/tracker/CVE-2010-4052

One of the sources describing the issue in more detail:

http://securityreason.com/securityalert/8003

I have asked eglibc guys about the issue and they pointed out that
this is rather an FSF GLIBC issue:

http://www.eglibc.org/archives/issues/msg00116.html

I have tried to get more info on how other libc implementations handle
such situations and it appeared the NetBSD guys have fixed this issue (see
revision 1.30):

http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/regex/regcomp.c?only_with_tag=MAIN

I'm sure you are aware of that problem and probably sick of
discussions about it :-) but here go my questions anyway:

1. Are you planning to do anything regarding this issue and if yes,
are there any timelines?
2. If the answer to the question above is negative, do you know of any or
can you recommend any workaround/solution for regcomp() users to handle
such situations? We are not considering moving to another library; for
us this is too big an effort. Perhaps you could recommend some input
validator/filter that could be used before feeding the regexp to regcomp()?

Thank you,

VL

-- 
Vladimir Levijev
email: vladimir.levijev@gmail.com
tel: +371 29950 768
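
One way to write the kind of pre-filter asked about in question 2, as an added example that is not part of the original message and not glibc or Zabbix code. It assumes POSIX ERE syntax; `skip_bracket`, `has_stacked_repetition` and `checked_regcomp` are hypothetical names. The check is deliberately conservative: it rejects any repetition operator that directly follows another (the shape of all three patterns above) and does not look at nesting through groups.

```c
#include <regex.h>

/* Hypothetical helper: step from '[' to the closing ']' of a bracket
 * expression (or to the terminating NUL if it is never closed). */
static const char *skip_bracket(const char *p)
{
    p++;                          /* past '[' */
    if (*p == '^') p++;
    if (*p == ']') p++;           /* a leading ']' is a literal */
    while (*p && *p != ']') {
        if (*p == '[' && (p[1] == ':' || p[1] == '.' || p[1] == '=')) {
            char kind = p[1];     /* [:class:], [.coll.], [=equiv=] */
            for (p += 2; *p && !(p[0] == kind && p[1] == ']'); p++) ;
            if (*p) p++;          /* now on the inner ']' */
        }
        if (*p) p++;
    }
    return p;
}

/* Return 1 if a repetition operator (* + ? or {m,n}) directly follows
 * another one, as in ".*{10,}{10,}" or ".*+++"; 0 otherwise. */
int has_stacked_repetition(const char *pattern)
{
    int prev_rep = 0;             /* was the previous token a repetition? */
    for (const char *p = pattern; *p; p++) {
        int rep = 0;
        if (*p == '\\') {
            if (p[1]) p++;        /* escaped character is an ordinary atom */
        } else if (*p == '[') {
            p = skip_bracket(p);
            if (!*p) break;       /* unterminated: left for regcomp() to report */
        } else if (*p == '*' || *p == '+' || *p == '?') {
            rep = 1;
        } else if (*p == '{') {
            rep = 1;
            while (p[1] && *p != '}') p++;   /* consume the interval */
        }
        if (rep && prev_rep) return 1;
        prev_rep = rep;
    }
    return 0;
}

/* Hypothetical wrapper: refuse the pattern before regcomp() sees it. */
int checked_regcomp(regex_t *re, const char *pattern, int cflags)
{
    if (has_stacked_repetition(pattern)) return REG_BADRPT;
    return regcomp(re, pattern, cflags);
}
```

The filter also refuses harmless forms such as `a*?`, so it suits patterns that come from untrusted configuration rather than hand-written ones.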


