regexp/syntax: limit memory used by parsing regexps #55949
Labels
FrozenDueToAge
NeedsFix
The path to resolution is known, but the work has not been done.
release-blocker
Security
Milestone
Comments
|
@gopherbot please open backport issues. |
This was referenced Sep 29, 2022
|
Backport issue(s) opened: #55950 (for 1.18), #55951 (for 1.19). Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases. |
|
Moving to Go1.20 milestone. (Go1.19.2 now has #55951 backport issue.) |
dmitshur
added
the
NeedsFix
|
Change https://go.dev/cl/438501 mentions this issue: |
|
Change https://go.dev/cl/438499 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates #55949. Fixes #55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
gopherbot
pushed a commit
that referenced
this issue
Oct 4, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates #55949. Fixes #55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
cagedmantis
changed the title
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
bradfitz
pushed a commit
to tailscale/go
that referenced
this issue
Oct 5, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55951. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047 Reviewed-by: Julie Qiu <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> TryBot-Result: Security TryBots <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438499 Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> Run-TryBot: Carlos Amedee <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
|
Change https://go.dev/cl/439356 mentions this issue: |
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 13, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Updates golang#55949. Fixes golang#55950. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592136 TryBot-Result: Security TryBots <[email protected]> Reviewed-by: Damien Neil <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Julie Qiu <[email protected]> Reviewed-on: https://go-review.googlesource.com/c/go/+/438501 Run-TryBot: Carlos Amedee <[email protected]> Reviewed-by: Carlos Amedee <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Reviewed-by: Dmitri Shuralyov <[email protected]>
rcrozean
pushed a commit
to rcrozean/go
that referenced
this issue
Oct 17, 2022
Set a 128 MB limit on the amount of space used by []syntax.Inst in the compiled form corresponding to a given regexp. Also set a 128 MB limit on the rune storage in the *syntax.Regexp tree itself. Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue. Fixes CVE-2022-41715. Fixes golang#55949. Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b Reviewed-on: https://go-review.googlesource.com/c/go/+/439356 Auto-Submit: Roland Shoemaker <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]> Reviewed-by: Damien Neil <[email protected]>
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Oct 20, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <[email protected]>
apparentlymart
added a commit
to hashicorp/terraform
that referenced
this issue
Nov 1, 2022
This includes a small selection of security-related fixes which do not urgently impact Terraform's behavior but do close some potential avenues for unbounded resource usage or misbehavior with malicious input: - golang/go#54853 - golang/go#55949 - golang/go#56284
apparentlymart
added a commit
to hashicorp/terraform
that referenced
this issue
Nov 2, 2022
This includes a small selection of security-related fixes which do not urgently impact Terraform's behavior but do close some potential avenues for unbounded resource usage or misbehavior with malicious input: - golang/go#54853 - golang/go#55949 - golang/go#56284
wormi4ok
added a commit
to wormi4ok/packages
that referenced
this issue
Nov 14, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <[email protected]>
1715173329
pushed a commit
to immortalwrt/packages
that referenced
this issue
Nov 15, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> Signed-off-by: Tianling Shen <[email protected]>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> Signed-off-by: Tianling Shen <[email protected]>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> Signed-off-by: Tianling Shen <[email protected]>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> Signed-off-by: Tianling Shen <[email protected]>
1582130940
pushed a commit
to 1582130940/OpenWrt-Lean-Packages
that referenced
this issue
Nov 16, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> Signed-off-by: Tianling Shen <[email protected]>
BKPepe
pushed a commit
to openwrt/packages
that referenced
this issue
Dec 3, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * #19613 Signed-off-by: Stanislav Petrashov <[email protected]> (cherry picked from commit 0ad7a2f)
stokito
pushed a commit
to stokito/packages
that referenced
this issue
Dec 6, 2022
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <[email protected]>
SibrenVasse
pushed a commit
to SibrenVasse/packages
that referenced
this issue
Feb 26, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt#19613 Signed-off-by: Stanislav Petrashov <[email protected]> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 10, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> (cherry picked from commit 0ad7a2f)
Lienol
pushed a commit
to Lienol/openwrt-packages
that referenced
this issue
Mar 10, 2023
Includes fixes for security vulnerabilities: * [CVE-2022-27664](GHSA-69cg-p879-7622) net/http: handle server errors after sending GOAWAY * [CVE-2022-32190](golang/go#54385) net/url: JoinPath does not strip relative path components in all circumstances * [CVE-2022-2879](golang/go#54853) archive/tar: unbounded memory consumption when reading headers * [CVE-2022-2880](golang/go#54663) net/http/httputil: ReverseProxy should not forward unparseable query parameters * [CVE-2022-41715](golang/go#55949) regexp/syntax: limit memory used by parsing regexps Addresses the build failure: * openwrt/packages#19613 Signed-off-by: Stanislav Petrashov <[email protected]> (cherry picked from commit 0ad7a2f)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Uh oh!
There was an error while loading. Please reload this page.
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
The text was updated successfully, but these errors were encountered: