Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Feb 2017 14:24:58 -0300
From: Gustavo Grieco <>
To:, Agustin Mista <>
Subject: Multiple DoS parsing and executing extended regex expressions in GNU libc


We found a few extended regex expressions in GNU libc that will crash or
abort the execution of regcomp or regexec. For instance:


will immediately exhaust the stack calling calc_eclosure_iter in the
compilation. A small variation of this regex is:


will consume a very large amount of memory: it seems to eat 16GB in less
than a minute. It is also possible to exhaust the stack memory trying to

(((((((( ... repeated 15000 times

this issue is caused because regcomp will call the parse_expression,
parse_branch and parse_reg_exp functions over and over again.
Finally, the following regex will trigger an abort or invalid free when
regexec is called:


I don't think these issues can be used to execute arbitrary code, but it
seems quite easy to produce a DoS if a remote application is parsing
untrusted regex expressions.
In fact, we asked one of our students, Agustín Mista, to create a simple PoC
to show how to crash a proFTP server if you can write a .ftpaccess file.
You can find the script attached.

These issues were tested in GNU libc 2.19 (Ubuntu 14.04) and 2.24 (ArchLinux).

I think it should affect the last version of GNU libc as well. Can someone
confirm it?

I'm investigating how to submit these issues in the new CVE form...


Content of type "text/html" skipped

View attachment "PoC.hs" of type "text/x-haskell" (1087 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.