Hello. Using Vim 7.4.691 to open Python files that contain large numbers can effectively DoS a system via resource exhaustion (extreme CPU usage).
While loading the attached sample file (foo.py), one observes the
following call profile in Vim:
59.57% has_state_with_pos
39.01% sub_equal
0.36% addstate
0.33% nfa_regmatch
0.23% copy_pim
0.19% copy_sub
0.10% do_autocmd_event
0.08% match_follows
0.01% do_one_cmd
Reviewing NFA log files, it appears Vim's regex engine processes the
line "foo=104438..." for each of:
Regexp is "\%(^\|\W\)\@<=\d*\.\d\+\%([eE][+-]\=\d\+\)\=[jJ]\=\>"
Regexp is "\<\d\+\.\%([eE][+-]\=\d\+\)\=[jJ]\=\%(\W\|$\)\@="
Regexp is "\<\d\+[eE][+-]\=\d\+[jJ]\=\>"
Regexp is "\<\d\+[jJ]\>"
Regexp is "\<\%([1-9]\d*\|0\)[Ll]\=\>"
Regexp is "[uU]\=[rR]\z('''\|"""\)"
Regexp is "[uU]\=[rR]\z(['"]\)"
Regexp is "[uU]\=\z('''\|"""\)"
Regexp is "[uU]\=\z(['"]\)"
Further, for each of the nine regexes above, Vim iterates len("foo=104438...")
times, with reginput taking on the values "foo=104438...", "oo=104438...",
"o=104438...", etc., successively.
By the way, this isn't a hypothetical corner-case. It actually came up
while coding RSA analysis functions. In fact, the number in the attached
file is a lot smaller than the ones used in practice.
Many thanks.
--mancha
#!/usr/bin/env python foo=1044388881413152506691752710716624382579964249047383780384233483283953907971557456848826811934997558340890106714439262837987573438185793607263236087851365277945956976543709998340361590134383718314428070011855946226376318839397712745672334684344586617496807908705803704071284048740118609114467977783598029006686938976881787785946905630190260940599579453432823469303026696443059025015972399867714215541693835559885291486318237914434496734087811872639496475100189041349008417061675093668333850551032972088269550769983616369411933015213796825837188091833656751221318492846368125550225998300412344784862595674492194617023806505913245610825731835380087608622102834270197698202313169017678006675195485079921636419370285375124784014907159135459982790513399611551794271106831134090584272884279791554849782954323534517065223269061394905987693002122963395687782878948440616007412945674919823050571642377154816321380631045902916136926708342856440730447899971901781465763473223850267253059899795996090799469201774624817718449867455659250178329070473119433165550807568221846571746373296884912819520317457002440926616910874148385078411929804522981857338977648103126085903001302413467189726673216491511131602920781738033436090243804708340403154190341
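
A pre-open check for the trigger described in this report, as an added example that is not part of the original message: it flags lines whose longest decimal run reaches a threshold and reports the pattern-times-start-offset count the message describes (nine patterns, one attempt per character of the line). The function names, the 200-digit threshold and the sample input are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Number of number/string syntax patterns listed in the report above.
PATTERNS_PER_LINE = 9
# Assumed threshold: digit runs this long are unusual in hand-written code.
DEFAULT_MIN_DIGITS = 200

DIGIT_RUN = re.compile(r"[0-9]+")


class Finding(NamedTuple):
    lineno: int          # 1-based line number
    line_length: int     # characters in the line
    longest_run: int     # longest run of decimal digits on the line
    start_attempts: int  # patterns x start offsets, as the report describes


def find_long_number_lines(text, min_digits=DEFAULT_MIN_DIGITS):
    """Return a Finding for every line holding a digit run >= min_digits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        longest = max((len(m.group()) for m in DIGIT_RUN.finditer(line)), default=0)
        if longest >= min_digits:
            findings.append(
                Finding(lineno, len(line), longest, PATTERNS_PER_LINE * len(line))
            )
    return findings


def build_sample():
    """Constructed sample: a short script with one 600-digit integer literal."""
    big = "1" + "0" * 599
    return "#!/usr/bin/env python\nx = 42\nfoo=" + big + "\nprint(foo)\n"


if __name__ == "__main__":
    for f in find_long_number_lines(build_sample()):
        print(f"line {f.lineno}: {f.longest_run} digits, "
              f"{f.start_attempts} pattern start attempts")
```

Run over a source tree before opening files in an editor with syntax highlighting, the findings point at the lines worth inspecting with highlighting switched off.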
