From: Zack Weinberg
Date: Wed, 24 Feb 2021 22:03:21 -0500
Subject: Re: 'trusted and reasonably structured' regular expressions
To: Siddhesh Poyarekar
Cc: Joseph Myers, Florian Weimer, Siddhesh Poyarekar via Libc-alpha
List-Id: Libc-alpha mailing list

On Wed, Feb 24, 2021 at 9:51 PM Siddhesh Poyarekar wrote:
> ====
> Consequently, resource exhaustion issues which can be triggered only
> with crafted patterns (either during compilation or execution) are not
> treated as security bugs. (This does not mean we do not intend to fix
> such issues as regular bugs if possible.)
> ====
>
> I'll change the following line in the security exception:
>
> ====
> However, during execution, crashes, infinite loops, buffer overflows and
> reading past buffers (read-only buffer overruns), memory leaks and
> other, similar bugs should be treated as security vulnerabilities,
> assuming that the pattern is trusted and reasonably structured.
> ====
>
> to read as:
>
> ====
> However, crashes, infinite loops, buffer overflows and overreads, memory
> leaks and other bugs resulting from the regex implementation relying on
> undefined behavior should be treated as security vulnerabilities.
> ====

Probably stack-busting recursion should be specifically called out as
something we *don't* promise to be able to fix. I'd also suggest
saying that "merely" quadratic or exponential backtracking behavior
from e.g. /(x+x+)+y/ is different than a genuinely infinite loop.

zw
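
The distinction drawn in the message above, as an added example that is not part of the original message and is not glibc's regex code: a hand-written backtracking matcher for the one pattern /(x+x+)+y/, anchored at the start of the input, that counts the splits it tries. The function names and the step counter are hypothetical; the point is that a run of n `x` characters with no `y` is rejected after exactly 2^(n-1) - 1 steps, which is exponential but always terminates.

```c
#include <stdio.h>
#include <string.h>

static unsigned long long steps;   /* (first x+, second x+) splits tried */

/* Backtracking match of (x+x+)+y anchored at s[i]; n is strlen(s). */
static int match_groups(const char *s, size_t n, size_t i)
{
    size_t run = 0;
    while (i + run < n && s[i + run] == 'x')
        run++;
    /* first x+ takes a chars (longest first), second x+ takes b chars */
    for (size_t a = run ? run - 1 : 0; a >= 1; a--) {
        for (size_t b = run - a; b >= 1; b--) {
            size_t j = i + a + b;
            steps++;
            if (j < n && s[j] == 'y')
                return 1;                 /* group(s) followed by y */
            if (match_groups(s, n, j))    /* try another (x+x+) */
                return 1;
        }
    }
    return 0;   /* every split exhausted: a finite, definite "no match" */
}

int matches(const char *s)
{
    steps = 0;
    return match_groups(s, strlen(s), 0);
}

/* Steps needed to reject n 'x' characters with no 'y' (constructed input). */
unsigned long long count_steps(size_t n)
{
    char buf[64] = {0};
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'x', n);
    matches(buf);
    return steps;
}

int main(void)
{
    for (size_t n = 4; n <= 24; n += 4)
        printf("n=%2zu  steps=%llu\n", n, count_steps(n));
    return 0;
}
```

Each extra `x` doubles the work, and recursion depth stays at most n/2, so the cost here is time rather than stack.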