From: "aasmita at ucdavis dot edu"
To: glibc-bugs-regex@sourceware.org
Subject: [Bug regex/30833] New: Segmentation fault in glibc 2.35, regcomp.c
Date: Thu, 07 Sep 2023 18:57:19 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30833

            Bug ID: 30833
           Summary: Segmentation fault in glibc 2.35, regcomp.c
           Product: glibc
           Version: 2.35
            Status: UNCONFIRMED
          Severity: minor
          Priority: P2
         Component: regex
          Assignee: unassigned at sourceware dot org
          Reporter: aasmita at ucdavis dot edu
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 15103
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15103&action=edit
It contains doc with details about the bug, the pattern that caused bug,
corresponding screenshot.

Version - Glibc 2.35, was also reproducible in Glibc 2.38

Machine on which it was tested -
`Uname -a` : Linux xxxx 5.19.0-45-generic #46~22.04.1-Ubuntu SMP
PREEMPT_DYNAMIC Wed Jun 7 15:06:04 UTC 20 x86_64 x86_64 x86_64 GNU/Linux
(Was also reproducible on a debian based system).

Note : Both Glibc 2.35 and 2.38 were compiled from the source code. (And was
also tested with the one that came with distro. Issue was found in both)

Issue : In regcomp() denial of service (DoS) by stack exhaustion. Triggers
deep recursion that causes stack exhaustion.
It’s similar to CVE-2010-4051 and it occurred in these latest glibc versions
as well.

Two types of pattern that caused the issue are :
1st pattern : long repeated ‘(((((((((((.........” and
2nd pattern : “/????{,29999}}”

It leads to deep recursion causing stack exhaustion and hence Segmentation
fault.

Note : This work is done together with Yaroslav Oliinyk
(yaroslav.oliinyk@netrise.io) while doing my internship at Netrise
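
A defensive pre-check for untrusted patterns, added here as an example (it is not code from the bug report or from glibc): it rejects patterns whose group nesting or interval bounds exceed fixed limits before they reach regcomp(). The limits and the names pattern_within_limits and guarded_regcomp are assumptions, and the scan assumes POSIX extended syntax (REG_EXTENDED).

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for untrusted patterns (not glibc values); tune per application. */
#define MAX_PATTERN_LEN 1024
#define MAX_GROUP_DEPTH 32
#define MAX_REPEAT      255

/* Returns 1 if the ERE pattern stays within the limits above, 0 otherwise. */
int pattern_within_limits(const char *pat)
{
    size_t len = strlen(pat);
    int depth = 0, in_bracket = 0;
    if (len > MAX_PATTERN_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = pat[i];
        if (in_bracket) {                   /* inside [...] '(' and '{' are literal */
            in_bracket = (c != ']');
        } else if (c == '\\') {
            i++;                            /* skip the escaped character */
        } else if (c == '[') {
            in_bracket = 1;
            i += (pat[i + 1] == '^');       /* negation marker */
            i += (pat[i + 1] == ']');       /* a leading ']' is literal */
        } else if (c == '(') {
            if (++depth > MAX_GROUP_DEPTH)
                return 0;
        } else if (c == ')' && depth > 0) {
            depth--;
        } else if (c == '{') {              /* check every bound in {m}, {m,n}, {,n} */
            for (const char *p = pat + i + 1; *p && *p != '}'; ) {
                char *end = (char *)p + 1;
                if (*p >= '0' && *p <= '9' && strtol(p, &end, 10) > MAX_REPEAT)
                    return 0;
                p = end;
            }
        }
    }
    return 1;
}

/* Compile only patterns that pass the check; REG_ESPACE signals a rejection. */
int guarded_regcomp(regex_t *re, const char *pat, int cflags)
{
    return pattern_within_limits(pat) ? regcomp(re, pat, cflags) : REG_ESPACE;
}
```

The check is a bound on input shape, not a fix for the recursion itself; running pattern compilation for untrusted input in a process with a constrained stack remains a useful second layer.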