Advisories list

[advisory]
id = "HSEC-2023-0007"
cwe = [1284, 789]
keywords = ["toml", "parser", "dos"]

[[affected]]
package = "base"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
[[affected.versions]]
# it was introduced earlier, but this is the earliest version on Hackage
introduced = "3.0.3.1"

[[affected]]
package = "toml-reader"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
[[affected.versions]]
introduced = "0.1.0.0"
fixed = "0.2.0.0"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538"
[[references]]
type = "REPORT"
url = "https://github.com/brandonchinn178/toml-reader/issues/8"
[[references]]
type = "FIX"
url = "https://github.com/brandonchinn178/toml-reader/pull/9"

readFloat: memory exhaustion with large exponent

Numeric.readFloat takes time and memory linear in the size of the number denoted by the input string. In particular, processing a number expressed in scientific notation with a very large exponent could cause a denial of service. The slowdown is observable on a modern machine running GHC 9.4.4:

ghci> import qualified Numeric
ghci> Numeric.readFloat "1e1000000"    -- near instantaneous
[(Infinity,"")]
ghci> Numeric.readFloat "1e10000000"   -- perceptible pause
[(Infinity,"")]
ghci> Numeric.readFloat "1e100000000"  -- ~ 3 seconds
[(Infinity,"")]
ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds
[(Infinity,"")]

In base

Numeric.readFloat is defined for all RealFrac a => a:

readFloat :: RealFrac a => ReadS a

The RealFrac type class does not express any bounds on the size of values representable in the types for which instances exist, so bounds checking is not possible (in this generic function). readFloat uses to Text.Read.Lex.numberToRational which, among other things, calculates 10 ^ exponent, which seems to take linear time and memory.

Mitigation: use read. The Read instances for Float and Double perform bounds checks on the exponent, via Text.Read.Lex.numberToRangedRational.

In toml-reader

The issue was detected in toml-reader version 0.1.0.0, and mitigated in version 0.2.0.0 by immediately returning Infinity when the exponent is large enough that there's no reason to process it.