regexp/syntax: limit memory used by parsing regexps #55949
Labels
Milestone
Comments
|
@gopherbot please open backport issues. |
This was referenced Sep 29, 2022
|
Backport issue(s) opened: #55950 (for 1.18), #55951 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Moving to Go1.20 milestone. (Go1.19.2 now has #55951 backport issue.) |
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/438501 mentions this issue: |
|
Change https://go.dev/cl/438499 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates #55949. Fixes #55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot
pushed a commit
that referenced
this issue
Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates #55949. Fixes #55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
cagedmantis
changed the title
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Run-TryBot: Carlos Amedee <carlos@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
|
Change https://go.dev/cl/439356 mentions this issue: |
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Julie Qiu <julieqiu@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <carlos@golang.org> Reviewed-by: Carlos Amedee <carlos@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 17, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Fixes golang#55949. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://go-review.googlesource.com/c/go/+/439356 Auto-Submit: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Damien Neil <dneil@google.com>
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Oct 20, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
apparentlymart
added a commit
to hashicorp/terraform
that referenced
this issue
Nov 1, 2022
This includes a small selection of security-related fixes which do not urgently impact Terraform's behavior but do close some potential avenues for unbounded resource usage or misbehavior with malicious input: - golang/go#54853 - golang/go#55949 - golang/go#56284
apparentlymart
added a commit
to hashicorp/terraform
that referenced
this issue
Nov 2, 2022
This includes a small selection of security-related fixes which do not urgently impact Terraform's behavior but do close some potential avenues for unbounded resource usage or misbehavior with malicious input: - golang/go#54853 - golang/go#55949 - golang/go#56284
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Nov 14, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru>
1715173329
pushed a commit
to immortalwrt/packages
that referenced
this issue
Nov 15, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
1582130940
pushed a commit
to 1582130940/OpenWrt-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <s@petrashov.ru> Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
julieqiu commentedSep 29, 2022
•
edited by dmitshur
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
The text was updated successfully, but these errors were encountered: