chicken-announce


[Chicken-announce] [SECURITY] Resource exhaustion bug in irregex compila


From: Peter Bex
Subject: [Chicken-announce] [SECURITY] Resource exhaustion bug in irregex compilation
Date: Wed, 14 Dec 2016 21:37:16 +0100
User-agent: Mutt/1.5.23 (2014-03-12)

Hi all,

Irregex versions before 0.9.6 contain a resource exhaustion
vulnerability when compiling deeply nested regexes containing
the "+" operator, due to exponential expansion behaviour.
All released CHICKEN versions with Irregex are affected by this.
The upcoming versions 4.12 (and/or dev snapshot 4.11.2) and 5.0.0
will include a fix.

For example, the following expression will trigger an out of
memory error, using up many Gigabytes(!) of memory:

  (irregex 
"($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($($(${-2,16}+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)+)")

In CHICKEN, the maximum heap size will prevent this from eating
up all your system's memory (assuming you have more free memory
than the heap limit), so it would manifest as "merely" a denial of
service.  The default value of this setting is 2GB, and can be
tuned using the -:hm runtime option.

Currently, no workaround or mitigation is known.  A program could
validate an SRE to detect the issue.  This can be done relatively
easily by counting the depth of (+ ...) expressions in a user-
supplied SRE and aborting if it's larger than a (very) small constant.

A fix has been implemented in the master branch as 2c419f1 and in the
chicken-5 branch as 60118b0.  The patches can be found at
http://lists.gnu.org/archive/html/chicken-hackers/2016-12/msg00010.html

Thanks to Alex Shinn for reviewing the fix.

Regards,
The CHICKEN Team
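
The SRE depth check suggested in the message above, written out as an added example; it is not part of the original message and is not CHICKEN or irregex code. The names sre-plus-depth, checked-sre, nest-plus and the limit max-plus-depth (set to 3 here) are assumptions made for illustration, and the check covers only SRE data, not regexes given as strings.

```scheme
;; Added example: reject user-supplied SREs whose (+ ...) forms nest too deeply,
;; before they are handed to the regex compiler.
;; All names and the limit below are hypothetical, not part of irregex.

;; Assumed limit; the advisory only says "a (very) small constant".
(define max-plus-depth 3)

;; Return the deepest nesting of (+ ...) forms found anywhere in an SRE datum.
;; Strings, characters and symbols contribute 0; every list element is walked,
;; so (+ ...) forms hidden inside (or ...), (: ...), ($ ...) etc. are counted.
(define (sre-plus-depth sre)
  (if (pair? sre)
      (let loop ((items sre) (deepest 0))
        (if (pair? items)
            (loop (cdr items)
                  (max deepest (sre-plus-depth (car items))))
            ;; All elements visited: add one level if this form is a (+ ...).
            (if (eq? (car sre) '+)
                (+ deepest 1)
                deepest)))
      0))

;; Return the SRE unchanged if it is within the limit, otherwise signal an
;; error instead of letting the caller compile it.
(define (checked-sre sre)
  (let ((depth (sre-plus-depth sre)))
    (if (> depth max-plus-depth)
        (error "SRE rejected: (+ ...) nested too deeply" depth)
        sre)))

;; Constructed sample input: wrap an SRE in n levels of (+ ...).
(define (nest-plus sre n)
  (if (= n 0)
      sre
      (nest-plus (list '+ sre) (- n 1))))

;; An ordinary pattern passes the check and comes back unchanged.
(display (checked-sre '(: "id=" (+ (or numeric (+ "-"))))))
(newline)

;; The depth of a deeply nested input is computed without compiling it;
;; (checked-sre (nest-plus "a" 40)) would signal an error here.
(display (sre-plus-depth (nest-plus "a" 40)))
(newline)
```

A caller would pass the result of checked-sre to the regex compiler only after the check has returned normally.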
