Bug 580605 (CVE-2010-1158) - CVE-2010-1158 Perl: Stack overflow by processing a certain regular expression
Summary: CVE-2010-1158 Perl: Stack overflow by processing a certain regular expression
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2010-1158
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard:
Depends On:
Blocks:
Reported: 2010-04-08 15:47 UTC by Jan Lieskovsky
Modified: 2021-11-12 20:05 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-22 17:59:40 UTC
Embargoed:
Description Jan Lieskovsky 2010-04-08 15:47:47 UTC
Bruce Merry reported:
  [1] http://bugs.gentoo.org/show_bug.cgi?id=313565

an integer overflow, leading to a stack overflow in the way the
Perl regular expression engine processed certain regular
expression(s). A remote attacker could use this flaw to cause
a denial of service (crash of an application using the
Perl regular expression engine).

Public PoC from [1]:
--------------------
  perl -e 'if ((("a " x 100000) . "a\n") =~ /\A\S+(?: \S+)*\n\z/) {}'

Comment 2 Tomas Hoger 2010-04-22 17:59:40 UTC
This is not an integer overflow, rather an expected behaviour / limitation of perl's regular expression engine.  The regular expression matching function is called recursively for certain types of patterns (where a subexpression using a quantifier is nested inside another quantified expression), where long input can result in deep recursion and exhaustion of all stack memory (i.e. impact is limited to a crash).  The amount of stack memory available to the perl interpreter influences the size of input that must be provided to trigger the crash.  Alternatively, the expression can be modified to avoid quantifier nesting, or the program modified to limit the size of input passed to the regular expression engine.

This problem was addressed in perl 5.10, as noted in perl5100delta man page:

  Engine de-recursivised

  The regular expression engine is no longer recursive, meaning that patterns
  that used to overflow the stack will either die with useful explanations, or
  run to completion, which, since they were able to blow the stack before, will
  likely take a very long time to happen. If you were experiencing the
  occasional stack overflow (or segfault) and upgrade to discover that now perl
  apparently hangs instead, look for a degenerate regex. (Dave Mitchell)

This is a significant change to the regex engine with possible trade-offs.  As the risk of such a change is greater than the security impact of this flaw, there is no plan to backport this fix to already released products using older perl versions.
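
The two application-side mitigations named in Comment 2 (cap the input size before matching, or restructure the pattern so that no quantifier sits inside a quantified group), as an added Perl example that is not part of this bug report or of perl itself. The size limit `MAX_LINE_BYTES` is a hypothetical policy value, the "flat" pattern is my own restatement of the reported pattern, and the sample lines are constructed; the script checks that both patterns agree on those lines.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Maximum number of bytes handed to the regex engine.
# Hypothetical policy value chosen for this example.
use constant MAX_LINE_BYTES => 4096;

# Pattern from the bug report: the quantified group (?: \S+)* contains
# another quantifier (\S+), the nesting Comment 2 identifies.
my $nested = qr/\A\S+(?: \S+)*\n\z/;

# Same language restated without a quantifier inside a quantified group:
# one non-space character, then a loop consuming either a non-space
# character or a single space that is immediately followed by a non-space
# character, then the terminating newline.  At each position at most one
# branch can match, so the loop never backtracks.
my $flat = qr/\A\S(?:\S| (?=\S))*\n\z/;

# Mitigation 1 from Comment 2: limit the input size before matching.
sub match_with_cap {
    my ($line) = @_;
    return 0 if length($line) > MAX_LINE_BYTES;   # refuse oversized input
    return $line =~ $nested ? 1 : 0;
}

# Mitigation 2 from Comment 2: avoid quantifier nesting.
sub match_flat {
    my ($line) = @_;
    return $line =~ $flat ? 1 : 0;
}

# Constructed inputs, kept short so the original pattern is safe to run;
# they cover the accepted shape and the common ways to violate it.
my @cases = (
    "a\n",        # single token
    "ab cd ef\n", # several tokens, single spaces
    "a  b\n",     # double space
    " a\n",       # leading space
    "a b \n",     # trailing space
    "a\tb\n",     # tab is not a space
    "a b\nc\n",   # more than one line
    "a b",        # no terminating newline
    "\n",         # empty line
);

for my $c (@cases) {
    my $n = $c =~ $nested ? 1 : 0;
    my $f = match_flat($c);
    (my $shown = $c) =~ s/\n/\\n/g;
    $shown =~ s/\t/\\t/g;
    printf "%-14s nested=%d flat=%d %s\n",
        qq("$shown"), $n, $f, $n == $f ? "agree" : "DIFFER";
}

# The report's trigger input is refused by the size cap instead of being
# passed to the engine at all.
my $huge = ("a " x 100000) . "a\n";
printf "oversized input accepted by capped matcher: %d\n", match_with_cap($huge);
```

Run it with a plain `perl` invocation; every constructed case prints `agree`, and the final line prints `0` because the 200001-byte trigger string exceeds the cap. Which mitigation fits a given program depends on whether the input length is under the program's control; the size cap is the smaller change, while the restructured pattern keeps accepting long valid lines.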

Comment 3 Tomas Hoger 2010-04-22 18:02:59 UTC
Commit de-recursivising regex engine:
  http://perl5.git.perl.org/perl.git/commitdiff/95b2444054

I've not checked what other previous patches it may depend on, or what other additional fixes may be required.
