https://redmine.ruby-lang.org/https://redmine.ruby-lang.org/favicon.ico?17113305112017-03-28T16:36:18ZRuby Issue Tracking SystemRuby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639232017-03-28T16:36:18Znormalperson (Eric Wong)normalperson@yhbt.net
<ul></ul><p><a href="mailto:chris@chrisseaton.com" class="email">chris@chrisseaton.com</a> wrote:</p>
<blockquote>
<p>Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Symbol#hash is deterministic on 2.3 (Closed)" href="https://redmine.ruby-lang.org/issues/13376">#13376</a>: Symbol#hash is deterministic on 2.3<br>
<a href="https://bugs.ruby-lang.org/issues/13376" class="external">https://bugs.ruby-lang.org/issues/13376</a></p>
</blockquote>
<p>I think I broke this in:</p>
<p>commit 14470aa6dbf4d99bc8e0484e1334c2c6d5e68fc3 / r51582<br>
("hash.c: improve integer/fixnum hashing")</p>
<p>and nobu fixed this in:</p>
<p>commit a49f6016ea48a40865c91137b33ff9115e4071fd / r56992<br>
("switching hash removal")</p>
<p>Which was too big to backport... I will come up with a 2.3-only fix.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639252017-03-28T17:00:03Znormalperson (Eric Wong)normalperson@yhbt.net
<ul><li><strong>File</strong> <a href="/attachments/6455">0001-hash.c-any_hash-make-static-symbol-hash-non-determin.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/6455/0001-hash.c-any_hash-make-static-symbol-hash-non-determin.patch">0001-hash.c-any_hash-make-static-symbol-hash-non-determin.patch</a> added</li><li><strong>Backport</strong> changed from <i>2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN</i> to <i>2.2: UNKNOWN, 2.3: REQUIRED, 2.4: UNKNOWN</i></li></ul><p>Here is a 2.3-only patch.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639262017-03-28T17:14:54ZAnonymous
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li></ul><p>Applied in changeset trunk|r58200.</p>
<hr>
<p>test/ruby/test_symbol.rb: new test for nondeterminism</p>
<p>We need to ensure hashes for static symbols remain<br>
non-deterministic to avoid DoS attacks. This is currently the<br>
case since 2.4+, but was not for the 2.3 series.</p>
<ul>
<li>test/ruby/test_symbol.rb (test_hash_nondeterministic): new test<br>
<a href="/issues/13376">[ruby-core:80430]</a> [Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: Symbol#hash is deterministic on 2.3 (Closed)" href="https://redmine.ruby-lang.org/issues/13376">#13376</a>]</li>
</ul> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639272017-03-28T17:22:08Znormalperson (Eric Wong)normalperson@yhbt.net
<ul></ul><p>I also committed r58200 to trunk to prevent us from hitting<br>
this, again. We should ensure other classes don't suffer this<br>
fate, too, will check other cases later (or if other people send<br>
patches).</p>
<p>/me goes back to hibernation</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639282017-03-28T18:02:17ZEregon (Benoit Daloze)
<ul></ul><p>For information, <a href="https://github.com/ruby/spec/pull/393" class="external">https://github.com/ruby/spec/pull/393</a> is adding such tests in ruby/spec<br>
for Object, Integer, Float, String, Symbol, Array and Hash.<br>
That's how the bug was discovered.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639302017-03-28T21:31:31Znagachika (Tomoyuki Chikanaga)nagachika00@gmail.com
<ul><li><strong>Backport</strong> changed from <i>2.2: UNKNOWN, 2.3: REQUIRED, 2.4: UNKNOWN</i> to <i>2.2: UNKNOWN, 2.3: DONE, 2.4: UNKNOWN</i></li></ul><p>Thank you Chris for your report. And thank you Eric creating a patch for ruby_2_3!</p>
<p>I backported r58200 with Eric's patch into ruby_2_3 branch at r58203.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639792017-03-29T14:09:11Zdarix (Marcus Rückert)darix@opensu.se
<ul></ul><p>should this receive a new CVE?<br>
should this released be soon as 2.3.4?</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639812017-03-29T14:21:30Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul></ul><p>Accepting huge requests which could exhaust memory with too may symbols <em>at once</em> would be rarely possible in 2.3.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639822017-03-29T14:27:10ZEregon (Benoit Daloze)
<ul></ul><p>nobu (Nobuyoshi Nakada) wrote:</p>
<blockquote>
<p>Accepting huge requests which could exhaust memory with too may symbols <em>at once</em> would be rarely possible in 2.3.</p>
</blockquote>
<p>CVE-2011-4815 is about hash collisions, which indeed seems possible if a user can control Symbol keys inserted into a Hash in 2.3.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639832017-03-29T14:35:40Zusa (Usaku NAKAMURA)usa@garbagecollect.jp
<ul></ul><p>I've fixed it.<br>
nagachika-san, please apply this patch:</p>
<pre><code class="diff syntaxhl" data-language="diff"><span class="gh">Index: hash.c
===================================================================
</span><span class="gd">--- hash.c (revision 58210)
</span><span class="gi">+++ hash.c (working copy)
</span><span class="p">@@ -168,7 +168,7 @@</span> any_hash(VALUE a, st_index_t (*other_func)(VALUE))
}
out:
hnum <<= 1;
<span class="gd">- return (st_index_t)RSHIFT(hnum, 1);
</span><span class="gi">+ return (long)RSHIFT(hnum, 1);
</span> }
static st_index_t
</code></pre> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=639852017-03-29T14:59:09Znagachika (Tomoyuki Chikanaga)nagachika00@gmail.com
<ul></ul><p>Thank you usa-san. I'll merge your patch soon.<br>
I'd like to make v2_3_4 tag after confirming the result of CI on vc12-x64.</p> Ruby master - Bug #13376: Symbol#hash is deterministic on 2.3https://redmine.ruby-lang.org/issues/13376?journal_id=645822017-04-30T12:12:03Zusa (Usaku NAKAMURA)usa@garbagecollect.jp
<ul><li><strong>Backport</strong> changed from <i>2.2: UNKNOWN, 2.3: DONE, 2.4: UNKNOWN</i> to <i>2.2: DONTNEED, 2.3: DONE, 2.4: UNKNOWN</i></li></ul>