From: Siddhesh Poyarekar
Date: Thu, 25 Feb 2021 08:45:47 +0530
Subject: Re: 'trusted and reasonably structured' regular expressions
To: Zack Weinberg
Cc: Joseph Myers, Florian Weimer, Siddhesh Poyarekar via Libc-alpha
Message-ID: <31c6cdcf-7882-6ec2-e709-2e05cbeb6b76@gotplt.org>

On 2/25/21 8:33 AM, Zack Weinberg wrote:
> On Wed, Feb 24, 2021 at 9:51 PM Siddhesh Poyarekar wrote:
>> ====
>> Consequently, resource exhaustion issues which can be triggered only
>> with crafted patterns (either during compilation or execution) are not
>> treated as security bugs.
>> (This does not mean we do not intend to fix
>> such issues as regular bugs if possible.)
>> ====
>>
>> I'll change the following line in the security exception:
>>
>> ====
>> However, during execution, crashes, infinite loops, buffer overflows and
>> reading past buffers (read-only buffer overruns), memory leaks and
>> other, similar bugs should be treated as security vulnerabilities,
>> assuming that the pattern is trusted and reasonably structured.
>> ====
>>
>> to read as:
>>
>> ====
>> However, crashes, infinite loops, buffer overflows and overreads, memory
>> leaks and other bugs resulting from the regex implementation relying on
>> undefined behavior should be treated as security vulnerabilities.
>> ====
>
> Probably stack-busting recursion should be specifically called out as
> something we *don't* promise to be able to fix. I'd also suggest
> saying that "merely" quadratic or exponential backtracking behavior
> from e.g. /(x+x+)+y/ is different than a genuinely infinite loop.

How about this; it's the full replacement blurb now and not just the one
paragraph:

====
Regular expression processing comes in two parts, compilation (through
regcomp) and execution (through regexec). Implementing regular
expressions efficiently, in a standard-conforming way, and without
denial-of-service vulnerabilities is very difficult and impossible for
Basic Regular Expressions. Most implementation strategies have issues
dealing with certain classes of patterns.

Consequently, certain issues which can be triggered only with crafted
patterns (either during compilation or execution) are treated as regular
bugs and not security issues.
Examples of such issues would include (but are not limited to):

* Running out of memory through valid use of malloc
* Quadratic or exponential behaviour resulting in slow execution time
* Stack overflows due to recursion when processing patterns

Crashes, user-controlled unbounded alloca, infinite loops (and not
merely exponential behavior), buffer overflows and overreads, memory
leaks and other bugs resulting from the regex implementation relying on
undefined behavior should be treated as security vulnerabilities.
====

Siddhesh