NotificationsYou must be signed in to change notification settings
Fork6
Star31

Commit98f27aa

committed

Fix assorted security-grade bugs in the regex engine. All of these problems

are shared with Tcl, since it's their code to begin with, and the patcheshave been copied from Tcl 8.5.0. Problems:CVE-2007-4769: Inadequate check on the range of backref numbers allowscrash due to out-of-bounds read.CVE-2007-4772: Infinite loop in regex optimizer for pattern '($|^)*'.CVE-2007-6067: Very slow optimizer cleanup for regex with a large NFArepresentation, as well as crash if we encounter an out-of-memory conditionduring NFA construction.Part of the response toCVE-2007-6067 is to put a limit on the number ofstates in the NFA representation of a regex. This seems needed even thoughthe within-the-code problems have been corrected, since otherwise the codecould try to use very large amounts of memory for a suitably-crafted regex,leading to potential DOS by driving the system into swap, activating a kernelOOM killer, etc.Although there are certainly plenty of ways to drive the system into effectiveDOS with poorly-written SQL queries, these problems seem worth treating assecurity issues because many applications might accept regex search patternsfrom untrustworthy sources.Thanks to Will Drewry of Google for reporting these problems. Patches by WillDrewry and Tom Lane.Security:CVE-2007-4769,CVE-2007-4772,CVE-2007-6067

1 parent8af31d5 commit98f27aaCopy full SHA for 98f27aa

File tree

6 files changed

+143

-21

lines changed

src
- backend/regex
- include/regex

6 files changed

+143

-21

lines changed

`‎src/backend/regex/regc_color.c`

Lines changed: 15 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF`
`29`	`29`	`* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
`30`	`30`	`*`
`31`		`- * $PostgreSQL: pgsql/src/backend/regex/regc_color.c,v 1.7 2007/11/15 21:14:37 momjian Exp $`
	`31`	`+ * $PostgreSQL: pgsql/src/backend/regex/regc_color.c,v 1.8 2008/01/03 20:47:55 tgl Exp $`
`32`	`32`	`*`
`33`	`33`	`*`
`34`	`34`	`* Note that there are some incestuous relationships between this code and`
`@@ -569,12 +569,9 @@ okcolors(struct nfa * nfa,`
`569`	`569`	`while ((a=cd->arcs)!=NULL)`
`570`	`570`	`{`
`571`	`571`	`assert(a->co==co);`
`572`		`-/* uncolorchain(cm, a); */`
`573`		`-cd->arcs=a->colorchain;`
	`572`	`+uncolorchain(cm,a);`
`574`	`573`	`a->co=sco;`
`575`		`-/* colorchain(cm, a); */`
`576`		`-a->colorchain=scd->arcs;`
`577`		`-scd->arcs=a;`
	`574`	`+colorchain(cm,a);`
`578`	`575`	`}`
`579`	`576`	`freecolor(cm,co);`
`580`	`577`	`}`
`@@ -604,7 +601,10 @@ colorchain(struct colormap * cm,`
`604`	`601`	`{`
`605`	`602`	`structcolordesc*cd=&cm->cd[a->co];`
`606`	`603`
	`604`	`+if (cd->arcs!=NULL)`
	`605`	`+cd->arcs->colorchainRev=a;`
`607`	`606`	`a->colorchain=cd->arcs;`
	`607`	`+a->colorchainRev=NULL;`
`608`	`608`	`cd->arcs=a;`
`609`	`609`	`}`
`610`	`610`
`@@ -616,19 +616,22 @@ uncolorchain(struct colormap * cm,`
`616`	`616`	`structarc*a)`
`617`	`617`	`{`
`618`	`618`	`structcolordesc*cd=&cm->cd[a->co];`
`619`		`-structarc*aa;`
	`619`	`+structarc*aa=a->colorchainRev;`
`620`	`620`
`621`		`-aa=cd->arcs;`
`622`		`-if (aa==a)/* easy case */`
	`621`	`+if (aa==NULL)`
	`622`	`+{`
	`623`	`+assert(cd->arcs==a);`
`623`	`624`	`cd->arcs=a->colorchain;`
	`625`	`+}`
`624`	`626`	`else`
`625`	`627`	`{`
`626`		`-for (;aa!=NULL&&aa->colorchain!=a;aa=aa->colorchain)`
`627`		`-continue;`
`628`		`-assert(aa!=NULL);`
	`628`	`+assert(aa->colorchain==a);`
`629`	`629`	`aa->colorchain=a->colorchain;`
`630`	`630`	`}`
	`631`	`+if (a->colorchain!=NULL)`
	`632`	`+a->colorchain->colorchainRev=aa;`
`631`	`633`	`a->colorchain=NULL;/* paranoia */`
	`634`	`+a->colorchainRev=NULL;`
`632`	`635`	`}`
`633`	`636`
`634`	`637`	`/*`

`‎src/backend/regex/regc_lex.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF`
`29`	`29`	`* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
`30`	`30`	`*`
`31`		`- * $PostgreSQL: pgsql/src/backend/regex/regc_lex.c,v 1.6 2007/10/22 01:02:22 tgl Exp $`
	`31`	`+ * $PostgreSQL: pgsql/src/backend/regex/regc_lex.c,v 1.7 2008/01/03 20:47:55 tgl Exp $`
`32`	`32`	`*`
`33`	`33`	`*/`
`34`	`34`
`@@ -846,7 +846,7 @@ lexescape(struct vars * v)`
`846`	`846`	`if (ISERR())`
`847`	`847`	`FAILW(REG_EESCAPE);`
`848`	`848`	`/* ugly heuristic (first test is "exactly 1 digit?") */`
`849`		`-if (v->now-save==0\|\| (int)c <=v->nsubexp)`
	`849`	`+if (v->now-save==0\|\| ((int)c>0&& (int)c<=v->nsubexp))`
`850`	`850`	`{`
`851`	`851`	`NOTE(REG_UBACKREF);`
`852`	`852`	`RETV(BACKREF, (chr)c);`

`‎src/backend/regex/regc_nfa.c`

Lines changed: 108 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@`
`28`	`28`	`* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF`
`29`	`29`	`* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
`30`	`30`	`*`
`31`		`- * $PostgreSQL: pgsql/src/backend/regex/regc_nfa.c,v 1.4 2005/10/15 02:49:24 momjian Exp $`
	`31`	`+ * $PostgreSQL: pgsql/src/backend/regex/regc_nfa.c,v 1.5 2008/01/03 20:47:55 tgl Exp $`
`32`	`32`	`*`
`33`	`33`	`*`
`34`	`34`	`* One or two things that technically ought to be in here`
`@@ -60,11 +60,12 @@ newnfa(struct vars * v,`
`60`	`60`	`nfa->nstates=0;`
`61`	`61`	`nfa->cm=cm;`
`62`	`62`	`nfa->v=v;`
	`63`	`+nfa->size=0;`
`63`	`64`	`nfa->bos[0]=nfa->bos[1]=COLORLESS;`
`64`	`65`	`nfa->eos[0]=nfa->eos[1]=COLORLESS;`
	`66`	`+nfa->parent=parent;/* Precedes newfstate so parent is valid. */`
`65`	`67`	`nfa->post=newfstate(nfa,'@');/* number 0 */`
`66`	`68`	`nfa->pre=newfstate(nfa,'>');/* number 1 */`
`67`		`-nfa->parent=parent;`
`68`	`69`
`69`	`70`	`nfa->init=newstate(nfa);/* may become invalid later */`
`70`	`71`	`nfa->final=newstate(nfa);`
`@@ -88,6 +89,57 @@ newnfa(struct vars * v,`
`88`	`89`	`returnnfa;`
`89`	`90`	`}`
`90`	`91`
	`92`	`+/*`
	`93`	`+ * TooManyStates - checks if the max states exceeds the compile-time value`
	`94`	`+ */`
	`95`	`+staticint`
	`96`	`+TooManyStates(structnfa*nfa)`
	`97`	`+{`
	`98`	`+structnfa*parent=nfa->parent;`
	`99`	`+size_tsz=nfa->size;`
	`100`	`+`
	`101`	`+while (parent!=NULL)`
	`102`	`+{`
	`103`	`+sz=parent->size;`
	`104`	`+parent=parent->parent;`
	`105`	`+}`
	`106`	`+if (sz>REG_MAX_STATES)`
	`107`	`+return1;`
	`108`	`+return0;`
	`109`	`+}`
	`110`	`+`
	`111`	`+/*`
	`112`	`+ * IncrementSize - increases the tracked size of the NFA and its parents.`
	`113`	`+ */`
	`114`	`+staticvoid`
	`115`	`+IncrementSize(structnfa*nfa)`
	`116`	`+{`
	`117`	`+structnfa*parent=nfa->parent;`
	`118`	`+`
	`119`	`+nfa->size++;`
	`120`	`+while (parent!=NULL)`
	`121`	`+{`
	`122`	`+parent->size++;`
	`123`	`+parent=parent->parent;`
	`124`	`+}`
	`125`	`+}`
	`126`	`+`
	`127`	`+/*`
	`128`	`+ * DecrementSize - decreases the tracked size of the NFA and its parents.`
	`129`	`+ */`
	`130`	`+staticvoid`
	`131`	`+DecrementSize(structnfa*nfa)`
	`132`	`+{`
	`133`	`+structnfa*parent=nfa->parent;`
	`134`	`+`
	`135`	`+nfa->size--;`
	`136`	`+while (parent!=NULL)`
	`137`	`+{`
	`138`	`+parent->size--;`
	`139`	`+parent=parent->parent;`
	`140`	`+}`
	`141`	`+}`
	`142`	`+`
`91`	`143`	`/*`
`92`	`144`	`* freenfa - free an entire NFA`
`93`	`145`	`*/`
`@@ -122,6 +174,11 @@ newstate(struct nfa * nfa)`
`122`	`174`	`{`
`123`	`175`	`structstate*s;`
`124`	`176`
	`177`	`+if (TooManyStates(nfa))`
	`178`	`+{`
	`179`	`+NERR(REG_ETOOBIG);`
	`180`	`+returnNULL;`
	`181`	`+}`
`125`	`182`	`if (nfa->free!=NULL)`
`126`	`183`	`{`
`127`	`184`	`s=nfa->free;`
`@@ -158,6 +215,8 @@ newstate(struct nfa * nfa)`
`158`	`215`	`}`
`159`	`216`	`s->prev=nfa->slast;`
`160`	`217`	`nfa->slast=s;`
	`218`	`+/* track the current size and the parent size */`
	`219`	`+IncrementSize(nfa);`
`161`	`220`	`returns;`
`162`	`221`	`}`
`163`	`222`
`@@ -220,6 +279,7 @@ freestate(struct nfa * nfa,`
`220`	`279`	`s->prev=NULL;`
`221`	`280`	`s->next=nfa->free;/* don't delete it, put it on the free list */`
`222`	`281`	`nfa->free=s;`
	`282`	`+DecrementSize(nfa);`
`223`	`283`	`}`
`224`	`284`
`225`	`285`	`/*`
`@@ -633,6 +693,8 @@ duptraverse(struct nfa * nfa,`
`633`	`693`	`for (a=s->outs;a!=NULL&& !NISERR();a=a->outchain)`
`634`	`694`	`{`
`635`	`695`	`duptraverse(nfa,a->to, (structstate*)NULL);`
	`696`	`+if (NISERR())`
	`697`	`+break;`
`636`	`698`	`assert(a->to->tmp!=NULL);`
`637`	`699`	`cparc(nfa,a,s->tmp,a->to->tmp);`
`638`	`700`	`}`
`@@ -793,6 +855,25 @@ pull(struct nfa * nfa,`
`793`	`855`	`return1;`
`794`	`856`	`}`
`795`	`857`
	`858`	`+/*`
	`859`	`+ * DGP 2007-11-15: Cloning a state with a circular constraint on its list`
	`860`	`+ * of outs can lead to trouble [Tcl Bug 1810038], so get rid of them first.`
	`861`	`+ */`
	`862`	`+for (a=from->outs;a!=NULL;a=nexta)`
	`863`	`+{`
	`864`	`+nexta=a->outchain;`
	`865`	`+switch (a->type)`
	`866`	`+{`
	`867`	`+case'^':`
	`868`	`+case'$':`
	`869`	`+caseBEHIND:`
	`870`	`+caseAHEAD:`
	`871`	`+if (from==a->to)`
	`872`	`+freearc(nfa,a);`
	`873`	`+break;`
	`874`	`+}`
	`875`	`+}`
	`876`	`+`
`796`	`877`	`/* first, clone from state if necessary to avoid other outarcs */`
`797`	`878`	`if (from->nouts>1)`
`798`	`879`	`{`
`@@ -917,6 +998,29 @@ push(struct nfa * nfa,`
`917`	`998`	`return1;`
`918`	`999`	`}`
`919`	`1000`
	`1001`	`+/*`
	`1002`	`+ * DGP 2007-11-15: Here we duplicate the same protections as appear`
	`1003`	`+ * in pull() above to avoid troubles with cloning a state with a`
	`1004`	`+ * circular constraint on its list of ins. It is not clear whether`
	`1005`	`+ * this is necessary, or is protecting against a "can't happen".`
	`1006`	`+ * Any test case that actually leads to a freearc() call here would`
	`1007`	`+ * be a welcome addition to the test suite.`
	`1008`	`+ */`
	`1009`	`+for (a=to->ins;a!=NULL;a=nexta)`
	`1010`	`+{`
	`1011`	`+nexta=a->inchain;`
	`1012`	`+switch (a->type)`
	`1013`	`+{`
	`1014`	`+case'^':`
	`1015`	`+case'$':`
	`1016`	`+caseBEHIND:`
	`1017`	`+caseAHEAD:`
	`1018`	`+if (a->from==to)`
	`1019`	`+freearc(nfa,a);`
	`1020`	`+break;`
	`1021`	`+}`
	`1022`	`+}`
	`1023`	`+`
`920`	`1024`	`/* first, clone to state if necessary to avoid other inarcs */`
`921`	`1025`	`if (to->nins>1)`
`922`	`1026`	`{`
`@@ -1039,7 +1143,8 @@ fixempties(struct nfa * nfa,`
`1039`	`1143`	`do`
`1040`	`1144`	`{`
`1041`	`1145`	`progress=0;`
`1042`		`-for (s=nfa->states;s!=NULL&& !NISERR();s=nexts)`
	`1146`	`+for (s=nfa->states;s!=NULL&& !NISERR()&&`
	`1147`	`+s->no!=FREESTATE;s=nexts)`
`1043`	`1148`	`{`
`1044`	`1149`	`nexts=s->next;`
`1045`	`1150`	`for (a=s->outs;a!=NULL&& !NISERR();a=nexta)`

`‎src/include/regex/regerrs.h`

Lines changed: 5 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`/*`
`2`		`- * $PostgreSQL: pgsql/src/include/regex/regerrs.h,v 1.4 2007/02/01 19:10:29 momjian Exp $`
	`2`	`+ * $PostgreSQL: pgsql/src/include/regex/regerrs.h,v 1.5 2008/01/03 20:47:55 tgl Exp $`
`3`	`3`	`*/`
`4`	`4`
`5`	`5`	`{`
`@@ -73,3 +73,7 @@`
`73`	`73`	`{`
`74`	`74`	`REG_BADOPT,"REG_BADOPT","invalid embedded option"`
`75`	`75`	`},`
	`76`	`+`
	`77`	`+{`
	`78`	`+REG_ETOOBIG,"REG_ETOOBIG","nfa has too many states"`
	`79`	`+},`

`‎src/include/regex/regex.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,7 @@`
`29`	`29`	`* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF`
`30`	`30`	`* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
`31`	`31`	`*`
`32`		`- * $PostgreSQL: pgsql/src/include/regex/regex.h,v 1.28 2005/10/15 02:49:46 momjian Exp $`
	`32`	`+ * $PostgreSQL: pgsql/src/include/regex/regex.h,v 1.29 2008/01/03 20:47:55 tgl Exp $`
`33`	`33`	`*/`
`34`	`34`
`35`	`35`	`/*`
`@@ -151,6 +151,7 @@ typedef struct`
`151`	`151`	`#defineREG_INVARG16/* invalid argument to regex function */`
`152`	`152`	`#defineREG_MIXED17/* character widths of regex and string differ */`
`153`	`153`	`#defineREG_BADOPT18/* invalid embedded option */`
	`154`	`+#defineREG_ETOOBIG19/* nfa has too many states */`
`154`	`155`	`/* two specials for debugging and testing */`
`155`	`156`	`#defineREG_ATOI101/* convert error-code name to number */`
`156`	`157`	`#defineREG_ITOA102/* convert error-code number to name */`

`‎src/include/regex/regguts.h`

Lines changed: 11 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -27,7 +27,7 @@`
`27`	`27`	`* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF`
`28`	`28`	`* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.`
`29`	`29`	`*`
`30`		`- * $PostgreSQL: pgsql/src/include/regex/regguts.h,v 1.5 2005/10/15 02:49:46 momjian Exp $`
	`30`	`+ * $PostgreSQL: pgsql/src/include/regex/regguts.h,v 1.6 2008/01/03 20:47:55 tgl Exp $`
`31`	`31`	`*/`
`32`	`32`
`33`	`33`
`@@ -272,6 +272,7 @@ struct arc`
`272`	`272`	`#definefreechain outchain`
`273`	`273`	`structarcinchain;/ to's ins chain /`
`274`	`274`	`structarccolorchain;/ color's arc chain */`
	`275`	`+structarccolorchainRev;/ back-link in color's arc chain */`
`275`	`276`	`};`
`276`	`277`
`277`	`278`	`structarcbatch`
`@@ -311,6 +312,9 @@ struct nfa`
`311`	`312`	`structcolormapcm;/ the color map */`
`312`	`313`	`colorbos[2];/* colors, if any, assigned to BOS and BOL */`
`313`	`314`	`coloreos[2];/* colors, if any, assigned to EOS and EOL */`
	`315`	`+size_tsize;/* Current NFA size; differs from nstates as`
	`316`	`+ * it also counts the number of states created`
	`317`	`+ * by children of this state. */`
`314`	`318`	`structvarsv;/ simplifies compile error reporting */`
`315`	`319`	`structnfaparent;/ parent NFA, if any */`
`316`	`320`	`};`
`@@ -343,7 +347,12 @@ struct cnfa`
`343`	`347`	`#defineZAPCNFA(cnfa)((cnfa).nstates = 0)`
`344`	`348`	`#defineNULLCNFA(cnfa)((cnfa).nstates == 0)`
`345`	`349`
`346`		`-`
	`350`	`+/*`
	`351`	`+ * Used to limit the maximum NFA size to something sane. [Tcl Bug 1810264]`
	`352`	`+ */`
	`353`	`+#ifndefREG_MAX_STATES`
	`354`	`+#defineREG_MAX_STATES100000`
	`355`	`+#endif`
`347`	`356`
`348`	`357`	`/*`
`349`	`358`	`* subexpression tree`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit98f27aa

File tree

6 files changed

6 files changed

`‎src/backend/regex/regc_color.c`

`‎src/backend/regex/regc_lex.c`

`‎src/backend/regex/regc_nfa.c`

`‎src/include/regex/regerrs.h`

`‎src/include/regex/regex.h`

`‎src/include/regex/regguts.h`

0 commit comments