Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

regexp/syntax: limit memory used by parsing regexps #55949

Closed
julieqiu opened this issue Sep 29, 2022 · 6 comments
Closed

regexp/syntax: limit memory used by parsing regexps #55949

julieqiu opened this issue Sep 29, 2022 · 6 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@julieqiu
Copy link
Member

julieqiu commented Sep 29, 2022

The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.

Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

@julieqiu julieqiu added this to the Go1.19.2 milestone Sep 29, 2022
@julieqiu
Copy link
Member Author

@gopherbot please open backport issues.

@gopherbot
Copy link

Backport issue(s) opened: #55950 (for 1.18), #55951 (for 1.19).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@dmitshur
Copy link
Contributor

Moving to Go1.20 milestone. (Go1.19.2 now has #55951 backport issue.)

@dmitshur dmitshur modified the milestones: Go1.19.2, Go1.20 Sep 29, 2022
@dmitshur dmitshur added the NeedsFix The path to resolution is known, but the work has not been done. label Sep 29, 2022
@gopherbot
Copy link

Change https://go.dev/cl/438501 mentions this issue: [release-branch.go1.18] regexp: limit size of parsed regexps

@gopherbot
Copy link

Change https://go.dev/cl/438499 mentions this issue: [release-branch.go1.19] regexp: limit size of parsed regexps

gopherbot pushed a commit that referenced this issue Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates #55949.
Fixes #55950.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit that referenced this issue Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates #55949.
Fixes #55951.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438499
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@cagedmantis cagedmantis changed the title security: fix CVE-2022-41715 regexp/syntax: limit memory used by parsing regexps Oct 4, 2022
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates golang#55949.
Fixes golang#55951.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438499
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates golang#55949.
Fixes golang#55951.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438499
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
bradfitz pushed a commit to tailscale/go that referenced this issue Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates golang#55949.
Fixes golang#55951.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438499
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
@gopherbot
Copy link

Change https://go.dev/cl/439356 mentions this issue: regexp: limit size of parsed regexps

rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates golang#55949.
Fixes golang#55950.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates golang#55949.
Fixes golang#55950.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438501
Run-TryBot: Carlos Amedee <carlos@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 17, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Fixes golang#55949.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://go-review.googlesource.com/c/go/+/439356
Auto-Submit: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
wormi4ok added a commit to wormi4ok/packages that referenced this issue Oct 20, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
apparentlymart added a commit to hashicorp/terraform that referenced this issue Nov 1, 2022
This includes a small selection of security-related fixes which do not
urgently impact Terraform's behavior but do close some potential avenues
for unbounded resource usage or misbehavior with malicious input:

 - golang/go#54853
 - golang/go#55949
 - golang/go#56284
apparentlymart added a commit to hashicorp/terraform that referenced this issue Nov 2, 2022
This includes a small selection of security-related fixes which do not
urgently impact Terraform's behavior but do close some potential avenues
for unbounded resource usage or misbehavior with malicious input:

 - golang/go#54853
 - golang/go#55949
 - golang/go#56284
wormi4ok added a commit to wormi4ok/packages that referenced this issue Nov 14, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
1715173329 pushed a commit to immortalwrt/packages that referenced this issue Nov 15, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940 pushed a commit to 1582130940/OpenWrt-Lean-Packages that referenced this issue Nov 16, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
BKPepe pushed a commit to openwrt/packages that referenced this issue Dec 3, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* #19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
stokito pushed a commit to stokito/packages that referenced this issue Dec 6, 2022
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
SibrenVasse pushed a commit to SibrenVasse/packages that referenced this issue Feb 26, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 10, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
Lienol pushed a commit to Lienol/openwrt-packages that referenced this issue Mar 10, 2023
Includes fixes for security vulnerabilities:
 * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY
 * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances
 * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers
 * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters
 * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps

Addresses the build failure:
* openwrt/packages#19613

Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
(cherry picked from commit 0ad7a2f)
@golang golang locked and limited conversation to collaborators Oct 5, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
None yet
Development

No branches or pull requests

3 participants