Limit regular expressions to 1024 characters each.

Avoids a problem with the fuzzer creating large regular expressions that blow up the glibc regcomp().
2022-02-12 09:33:02 -07:00
parent 63b2a62f8a
commit 33f54c853b
6 changed files with 26 additions and 6 deletions
--- a/docs/sudo_logsrvd.conf.man.in
+++ b/docs/sudo_logsrvd.conf.man.in
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "February 12, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -647,6 +647,7 @@ it will be matched in a case-insensitive manner.
 Multiple
 \fIpassprompt_regex\fR
 settings may be specified.
+Each regular expression is limited to 1024 characters.
 The default value is
 \(lq[Pp]assword[: ]*\(rq.
 .SS "eventlog"
--- a/docs/sudo_logsrvd.conf.mdoc.in
+++ b/docs/sudo_logsrvd.conf.mdoc.in
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd February 11, 2022
+.Dd February 12, 2022
 .Dt SUDO_LOGSRVD.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -577,6 +577,7 @@ it will be matched in a case-insensitive manner.
 Multiple
 .Em passprompt_regex
 settings may be specified.
+Each regular expression is limited to 1024 characters.
 The default value is
 .Dq [Pp]assword[: ]* .
 .El
--- a/docs/sudoers.man.in
+++ b/docs/sudoers.man.in
@@ -25,7 +25,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.TH "SUDOERS" "@mansectform@" "February 11, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "@mansectform@" "February 12, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -2170,6 +2170,9 @@ even possible to use wildcards for the path name and regular
 expressions for the arguments.
 It is not possible to use a single regular expression to match
 both the command and its arguments.
+Regular expressions in
+\fIsudoers\fR
+are limited to 1024 characters.
 .PP
 There is no need to escape
 \fIsudoers\fR
@@ -5427,6 +5430,7 @@ match password prompts in the terminal output.
 As an extension, if the regular expression begins with
 \(lq(?i)\(rq,
 it will be matched in a case-insensitive manner.
+Each regular expression is limited to 1024 characters.
 This option is only used when
 \fIlog_passwords\fR
 has been disabled.
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -24,7 +24,7 @@
 .nr BA @BAMAN@
 .nr LC @LCMAN@
 .nr PS @PSMAN@
-.Dd February 11, 2022
+.Dd February 12, 2022
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2048,6 +2048,9 @@ even possible to use wildcards for the path name and regular
 expressions for the arguments.
 It is not possible to use a single regular expression to match
 both the command and its arguments.
+Regular expressions in
+.Em sudoers
+are limited to 1024 characters.
 .Pp
 There is no need to escape
 .Em sudoers
@@ -5065,6 +5068,7 @@ match password prompts in the terminal output.
 As an extension, if the regular expression begins with
 .Dq (?i) ,
 it will be matched in a case-insensitive manner.
+Each regular expression is limited to 1024 characters.
 This option is only used when
 .Em log_passwords
 has been disabled.
--- a/lib/util/regex.c
+++ b/lib/util/regex.c
@@ -98,6 +98,12 @@ sudo_regex_compile_v1(void *v, const char *pattern, const char **errstr)
    /* Some callers just want to check the validity of the pattern. */
    preg = v ? v : &rebuf;

+    /* Limit the length of regular expressions to avoid fuzzer issues. */
+    if (strlen(pattern) > 1024) {
+	*errstr = N_("regular expression too large");
+	debug_return_bool(false);
+    }
+
    /* Check for (?i) to enable case-insensitive matching. */
    cp = pattern[0] == '^' ? pattern + 1 : pattern;
    if (strncmp(cp, "(?i)", 4) == 0) {
--- a/po/sudo.pot
+++ b/po/sudo.pot
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: sudo 1.9.10\n"
 "Report-Msgid-Bugs-To: https://bugzilla.sudo.ws\n"
-"POT-Creation-Date: 2022-02-11 18:33-0700\n"
+"POT-Creation-Date: 2022-02-12 09:31-0700\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -67,7 +67,7 @@ msgid "%s: %s"
 msgstr ""

 #: lib/util/aix.c:272 lib/util/gidlist.c:66 lib/util/json.c:55
-#: lib/util/json.c:184 lib/util/regex.c:107 lib/util/regex.c:115
+#: lib/util/json.c:184 lib/util/regex.c:113 lib/util/regex.c:121
 #: lib/util/sudo_conf.c:219 lib/util/sudo_conf.c:304 lib/util/sudo_conf.c:381
 #: lib/util/sudo_conf.c:665 src/conversation.c:81 src/exec_intercept.c:100
 #: src/exec_intercept.c:330 src/exec_intercept.c:354 src/exec_intercept.c:377
@@ -129,6 +129,10 @@ msgstr ""
 msgid "unable to mkdir %.*s"
 msgstr ""

+#: lib/util/regex.c:103
+msgid "regular expression too large"
+msgstr ""
+
 #: lib/util/strsignal.c:50
 msgid "Unknown signal"
 msgstr ""