author | Petr Sumbera <petr.sumbera@oracle.com> |
Thu, 19 Mar 2015 06:58:47 -0700 | |
branch | s11-update |
changeset 4018 | 51079c09956d |
permissions | -rw-r--r-- |
4018
51079c09956d
19780770 Apache 2.4 needs some third party modules too
Petr Sumbera <petr.sumbera@oracle.com>
1 |
Patch origin: upstream |
2 |
Patch status: will be part of next version |
3 |
|
4 |
Synthesis of: |
5 |
http://svn.apache.org/viewvc?view=revision&revision=1455340 |
6 |
http://svn.apache.org/viewvc?view=revision&revision=1457619 |
7 |
|
8 |
See also: |
9 |
https://rt.cpan.org/Public/Bug/Display.html?id=83916 |
10 |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702821 |
11 |
|
12 |
--- a/t/response/TestPerl/hash_attack.pm 2013-03-15 13:35:14.000000000 +0000 |
13 |
+++ b/t/response/TestPerl/hash_attack.pm 2013-03-15 13:38:29.000000000 +0000 |
14 |
@@ -5,10 +5,11 @@ |
15 |
# and fixup handlers in this test). Moreover it must not fail to find |
16 |
# that entry on the subsequent requests. |
17 |
# |
18 |
-# the hash attack is detected when HV_MAX_LENGTH_BEFORE_SPLIT keys |
19 |
-# find themselves in the same hash bucket, in which case starting from |
20 |
-# 5.8.2 the hash will rehash all its keys using a random hash seed |
21 |
-# (PL_new_hash_seed, set in mod_perl or via PERL_HASH_SEED environment |
22 |
+# the hash attack is detected when HV_MAX_LENGTH_BEFORE_REHASH keys find |
23 |
+# themselves in the same hash bucket on splitting (which happens when the |
24 |
+# number of keys crosses the threshold of a power of 2), in which case |
25 |
+# starting from 5.8.2 the hash will rehash all its keys using a random hash |
26 |
+# seed (PL_new_hash_seed, set in mod_perl or via PERL_HASH_SEED environment |
27 |
# variable) |
28 |
# |
29 |
# Prior to the attack condition hashes use the PL_hash_seed, which is |
30 |
@@ -29,7 +30,7 @@ |
31 |
|
32 |
use constant MASK_U32 => 2**32; |
33 |
use constant HASH_SEED => 0; # 5.8.2: always zero before the rehashing |
34 |
-use constant THRESHOLD => 14; #define HV_MAX_LENGTH_BEFORE_SPLIT |
35 |
+use constant THRESHOLD => 14; #define HV_MAX_LENGTH_BEFORE_(SPLIT|REHASH) |
36 |
use constant START => "a"; |
37 |
|
38 |
# create conditions which will trigger a rehash on the current stash |
39 |
@@ -57,6 +58,8 @@ |
40 |
return Apache2::Const::OK; |
41 |
} |
42 |
|
43 |
+sub buckets { scalar(%{$_[0]}) =~ m#/([0-9]+)\z# ? 0+$1 : 8 } |
44 |
+ |
45 |
sub attack { |
46 |
my $stash = shift; |
47 |
|
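Review bot: The one-line `buckets` helper added in this hunk has no comment saying what it parses or why it falls back to 8. It depends on `scalar(%hash)` stringifying as "used/buckets"; the fallback presumably covers the case where no ratio is reported (for example an empty hash), and on a perl where `scalar(%hash)` never has that form it would always return 8, so the padding loop added later in this patch (`while (buckets($stash) == $old_buckets)`) would never observe a split. I would add above it: `# bucket count parsed from the "used/total" form of scalar(%hash); 8 is assumed when no ratio is reported`. The hunk ends inside `sub attack`, whose body continues outside it.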
48 |
@@ -74,9 +77,9 @@ |
49 |
my $bits = $keys ? log($keys)/log(2) : 0; |
50 |
$bits = $min_bits if $min_bits > $bits; |
51 |
|
52 |
- $bits = int($bits) < $bits ? int($bits) + 1 : int($bits); |
53 |
- # need to add 2 bits to cover the internal split cases |
54 |
- $bits += 2; |
55 |
+ $bits = ceil($bits); |
56 |
+ # need to add 3 bits to cover the internal split cases |
57 |
+ $bits += 3; |
58 |
my $mask = 2**$bits-1; |
59 |
debug "mask: $mask ($bits)"; |
60 |
|
61 |
@@ -90,7 +93,7 @@ |
62 |
next unless ($h & $mask) == 0; |
63 |
$c++; |
64 |
$stash->{$s}++; |
65 |
- debug sprintf "%2d: %5s, %10s, %s", $c, $s, $h, scalar(%$stash); |
66 |
+ debug sprintf "%2d: %5s, %08x %s", $c, $s, $h, scalar(%$stash); |
67 |
push @keys, $s; |
68 |
debug "The hash collision attack has been successful" |
69 |
if Internals::HvREHASH(%$stash); |
70 |
@@ -98,6 +101,24 @@ |
71 |
$s++; |
72 |
} |
73 |
|
74 |
+ # If the rehash hasn't been triggered yet, it's being delayed until the |
75 |
+ # next bucket split. Add keys until a split occurs. |
76 |
+ unless (Internals::HvREHASH(%$stash)) { |
77 |
+ debug "Will add padding keys until hash split"; |
78 |
+ my $old_buckets = buckets($stash); |
79 |
+ while (buckets($stash) == $old_buckets) { |
80 |
+ next if exists $stash->{$s}; |
81 |
+ $h = hash($s); |
82 |
+ $c++; |
83 |
+ $stash->{$s}++; |
84 |
+ debug sprintf "%2d: %5s, %08x %s", $c, $s, $h, scalar(%$stash); |
85 |
+ push @keys, $s; |
86 |
+ debug "The hash collision attack has been successful" |
87 |
+ if Internals::HvREHASH(%$stash); |
88 |
+ $s++; |
89 |
+ } |
90 |
+ } |
91 |
+ |
92 |
# this verifies that the attack was mounted successfully. If |
93 |
# HvREHASH is on it is. Otherwise the sequence wasn't successful. |
94 |
die "Failed to mount the hash collision attack" |
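Review bot: In the padding loop added by this hunk, `next if exists $stash->{$s};` jumps straight back to the `while` condition without reaching `$s++`, so if the candidate key is already present in the stash the loop re-tests the same key forever and the test hangs instead of failing. Advance the key before skipping, e.g. `if (exists $stash->{$s}) { $s++; next }`. The loop also has no upper bound on the number of padding keys; a counter that dies after a fixed limit would turn a hang into a clear failure alongside the existing "Failed to mount the hash collision attack" check. `sub attack` begins and ends outside this hunk.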
95 |
@@ -108,6 +129,12 @@ |
96 |
return @keys; |
97 |
} |
98 |
|
99 |
+# least integer >= n |
100 |
+sub ceil { |
101 |
+ my $value = shift; |
102 |
+ return int($value) < $value ? int($value) + 1 : int($value); |
103 |
+} |
104 |
+ |
105 |
# trying to provide the fastest equivalent of C macro's PERL_HASH in |
106 |
# Perl - the main complication is that the C macro uses U32 integer |
107 |
# (unsigned int), which we can't do it Perl (it can do I32, with 'use |