Skip Menu |

This queue is for tickets about the mod_perl CPAN distribution.

Report information
The Basics
Id: 83916
Status: resolved
Priority: 0/
Queue: mod_perl
People
Owner: Nobody in particular
Requestors: zefram [...] fysh.org
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Mar 13 07:36:18 2013 zefram [...] fysh.org - Ticket created
Subject: test update for perl 5.16.3
Date: Wed, 13 Mar 2013 11:35:57 +0000
To: bug-mod_perl [...] rt.cpan.org
From: Zefram <zefram [...] fysh.org>
Perl 5.16.3's fix for a rehash-based DoS makes it more difficult to invoke the workaround for the old hash collision attack, which breaks mod_perl's t/perl/hash_attack.t. Attached patch updates. -zefram

Message body is not shown because sender requested not to inline it.

  Wed Mar 13 09:36:41 2013 shay [...] cpan.org - Correspondence added
Hopefully this is already addressed by http://svn.apache.org/viewvc?view=revision&revision=1455340 ?
  Wed Mar 13 09:36:43 2013 The RT System itself - Status changed from 'new' to 'open'
  Fri Mar 15 05:21:30 2013 shay [...] cpan.org - Correspondence added
On Wed Mar 13 09:36:41 2013, SHAY wrote: Show quoted text
> Hopefully this is already addressed by > > http://svn.apache.org/viewvc?view=revision&revision=1455340 > > ?
I would be very grateful if you had any time to have a look at Hugo's patch for the test failure which I already applied to SVN. There is a report of it not having fixed the test failure on a Debian system using perl-5.10.1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702821 Do you have insight into why it might have still failed? I have asked them to try your patch instead to see if it is any better for them.
  Fri Mar 15 09:57:38 2013 zefram [...] fysh.org - Correspondence added
Subject: Re: [rt.cpan.org #83916] test update for perl 5.16.3
Date: Fri, 15 Mar 2013 13:57:12 +0000
To: Steve Hay via RT <bug-mod_perl [...] rt.cpan.org>
From: Zefram <zefram [...] fysh.org>
Steve Hay via RT wrote: Show quoted text
>Do you have insight into why it might have still failed?
I can reproduce the failure with a Debian stable perl 5.10.1. The problem is that 5.10.1's hash logic won't perform a split as a result of an insertion that used a new bucket. Because your version of the attack pads using arbitrary keys, and because the prior part of the attack has concentrated keys in one bucket, it's especially likely that any particular padding key will hit a previously-unused bucket. As you pad to the power of two plus one (not just to the power of two as the debug message claims), you have two padding insertions that have the chance to trigger a split. Depending on the keys already in the stash, there's a substantial chance that they'll both get fresh buckets and so fail to trigger a split. You can see this happen if you extend the "debug sprintf ..." trace output into the padding loop. My patch avoids this failure in two ways, one of them intentional. The intentional one is that, rather than assuming that the split will occur at a particular number of keys, it looks at the number of buckets in use and keeps padding until it observes that a split has actually occurred. I wasn't thinking about 5.10; this logic just avoids that entire class of failure modes based on faulty understanding of the core's splitting logic. The accidental aspect is that, because my patch continues the hash collision attack rather than using arbitrary keys, the padding never hits a fresh bucket, and so on 5.10 is always eligible to cause a split. The necessary ingredients for a better patch are the larger $bits from your patch and the bucket-count logic from my patch. Once you're looking at the bucket count, it's insignificant whether the padding keys are part of the hash collision; my patch was overkill in that respect. Attached are a revised patch and the test program that I used in investigating the issue. -zefram

Message body is not shown because sender requested not to inline it.

Message body is not shown because sender requested not to inline it.

  Fri Mar 15 13:50:10 2013 shay [...] cpan.org - Correspondence added
On Fri Mar 15 09:57:38 2013, zefram@fysh.org wrote: Show quoted text
> Steve Hay via RT wrote:
> >Do you have insight into why it might have still failed?
[...] Show quoted text
> > Attached are a revised patch and the test program that I used in > investigating the issue. >
Many thanks for taking the time to look at this and provide a very thorough explanation. I will look at your patch over the weekend, although I must confess that much of this is beyond my understanding (note that "my patch", as noted previously, is actually by Hugo van der Sanden, from the perl5-security list). I will also test it with various relevant perl versions and get the Debian bug reporter to try it too, and hopefully apply it soon if all goes well.
  Sun Mar 17 22:13:33 2013 shay [...] cpan.org - Correspondence added
Thanks again for the patch. Now committed to the mod_perl trunk as revision 1457619 after testing here on Windows 7 using Perls 5.8.1, 5.8.2 (VC++ 6.0), 5.10.1, 5.12.5 (VC++ 2008), 5.14.2, 5.16.3, 5.17.5, 5.17.6 and 5.17.9 (VC++ 2010). I also had a thumbs up from the Debian guys using 5.10.1 (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702821#73).
  Sun Mar 17 22:13:34 2013 shay [...] cpan.org - Status changed from 'open' to 'resolved'