commit 644bdcdb6ad3bfa95f03b660eb9f54037c5e683f Author: Petr Písař <ppisar@xxxxxxxxxx> Date: Tue Mar 5 13:30:37 2013 +0100 Fix CVE-2013-1667 perl-5.16.2-CVE-2013-1667.patch | 170 +++++++++++++++++++++++++++++++++++++++ perl.spec | 10 ++- 2 files changed, 179 insertions(+), 1 deletions(-) --- diff --git a/perl-5.16.2-CVE-2013-1667.patch b/perl-5.16.2-CVE-2013-1667.patch new file mode 100644 index 0000000..61ed14b --- /dev/null +++ b/perl-5.16.2-CVE-2013-1667.patch @@ -0,0 +1,170 @@ +From 6e79fe5714a72b1ef86dc890ff60746cdd19f854 Mon Sep 17 00:00:00 2001 +From: Yves Orton <demerphq@xxxxxxxxx> +Date: Tue, 12 Feb 2013 10:53:05 +0100 +Subject: [PATCH] Prevent premature hsplit() calls, and only trigger REHASH + after hsplit() + +Triggering a hsplit due to long chain length allows an attacker +to create a carefully chosen set of keys which can cause the hash +to use 2 * (2**32) * sizeof(void *) bytes ram. AKA a DOS via memory +exhaustion. Doing so also takes non trivial time. + +Eliminating this check, and only inspecting chain length after a +normal hsplit() (triggered when keys>buckets) prevents the attack +entirely, and makes such attacks relatively benign. +--- + ext/Hash-Util-FieldHash/t/10_hash.t | 18 ++++++++++++++++-- + hv.c | 35 ++++++++--------------------------- + t/op/hash.t | 20 +++++++++++++++++--- + 3 files changed, 41 insertions(+), 32 deletions(-) + +diff --git a/ext/Hash-Util-FieldHash/t/10_hash.t b/ext/Hash-Util-FieldHash/t/10_hash.t +index 2cfb4e8..d58f053 100644 +--- a/ext/Hash-Util-FieldHash/t/10_hash.t ++++ b/ext/Hash-Util-FieldHash/t/10_hash.t +@@ -38,15 +38,29 @@ use constant START => "a"; + + # some initial hash data + fieldhash my %h2; +-%h2 = map {$_ => 1} 'a'..'cc'; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; +diff --git a/hv.c b/hv.c +index 6b66251..a031703 100644 +--- a/hv.c ++++ b/hv.c +@@ -35,7 +35,8 @@ holds the key and hash value. + #define PERL_HASH_INTERNAL_ACCESS + #include "perl.h" + +-#define HV_MAX_LENGTH_BEFORE_SPLIT 14 ++#define HV_MAX_LENGTH_BEFORE_REHASH 14 ++#define SHOULD_DO_HSPLIT(xhv) ((xhv)->xhv_keys > (xhv)->xhv_max) /* HvTOTALKEYS(hv) > HvMAX(hv) */ + + static const char S_strtab_error[] + = "Cannot modify shared string table in hv_%s"; +@@ -798,29 +799,9 @@ Perl_hv_common(pTHX_ HV *hv, SV *keysv, const char *key, STRLEN klen, + if (masked_flags & HVhek_ENABLEHVKFLAGS) + HvHASKFLAGS_on(hv); + +- { +- const HE *counter = HeNEXT(entry); +- +- xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ +- if (!counter) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max) { +- /* Use only the old HvUSEDKEYS(hv) > HvMAX(hv) condition to limit +- bucket splits on a rehashed hash, as we're not going to +- split it again, and if someone is lucky (evil) enough to +- get all the keys in one list they could exhaust our memory +- as we repeatedly double the number of buckets on every +- entry. Linear search feels a less worse thing to do. */ +- hsplit(hv); +- } else if(!HvREHASH(hv)) { +- U32 n_links = 1; +- +- while ((counter = HeNEXT(counter))) +- n_links++; +- +- if (n_links > HV_MAX_LENGTH_BEFORE_SPLIT) { +- hsplit(hv); +- } +- } ++ xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ ++ if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(hv); + } + + if (return_svp) { +@@ -1197,7 +1178,7 @@ S_hsplit(pTHX_ HV *hv) + + + /* Pick your policy for "hashing isn't working" here: */ +- if (longest_chain <= HV_MAX_LENGTH_BEFORE_SPLIT /* split worked? */ ++ if (longest_chain <= HV_MAX_LENGTH_BEFORE_REHASH /* split worked? */ + || HvREHASH(hv)) { + return; + } +@@ -2782,8 +2763,8 @@ S_share_hek_flags(pTHX_ const char *str, I32 len, register U32 hash, int flags) + + xhv->xhv_keys++; /* HvTOTALKEYS(hv)++ */ + if (!next) { /* initial entry? */ +- } else if (xhv->xhv_keys > xhv->xhv_max /* HvUSEDKEYS(hv) > HvMAX(hv) */) { +- hsplit(PL_strtab); ++ } else if ( SHOULD_DO_HSPLIT(xhv) ) { ++ hsplit(PL_strtab); + } + } + +diff --git a/t/op/hash.t b/t/op/hash.t +index ef757a3..97eb81b 100644 +--- a/t/op/hash.t ++++ b/t/op/hash.t +@@ -39,22 +39,36 @@ use constant THRESHOLD => 14; + use constant START => "a"; + + # some initial hash data +-my %h2 = map {$_ => 1} 'a'..'cc'; ++my %h2; ++my $counter= "a"; ++$h2{$counter++}++ while $counter ne 'cd'; + + ok (!Internals::HvREHASH(%h2), + "starting with pre-populated non-pathological hash (rehash flag if off)"); + + my @keys = get_keys(\%h2); ++my $buckets= buckets(\%h2); + $h2{$_}++ for @keys; ++$h2{$counter++}++ while buckets(\%h2) == $buckets; # force a split + ok (Internals::HvREHASH(%h2), +- scalar(@keys) . " colliding into the same bucket keys are triggering rehash"); ++ scalar(@keys) . " colliding into the same bucket keys are triggering rehash after split"); ++ ++# returns the number of buckets in a hash ++sub buckets { ++ my $hr = shift; ++ my $keys_buckets= scalar(%$hr); ++ if ($keys_buckets=~m!/([0-9]+)\z!) { ++ return 0+$1; ++ } else { ++ return 8; ++ } ++} + + sub get_keys { + my $hr = shift; + + # the minimum of bits required to mount the attack on a hash + my $min_bits = log(THRESHOLD)/log(2); +- + # if the hash has already been populated with a significant amount + # of entries the number of mask bits can be higher + my $keys = scalar keys %$hr; +-- +1.8.1.4 + diff --git a/perl.spec b/perl.spec index ea0736b..598b4e6 100644 --- a/perl.spec +++ b/perl.spec @@ -29,7 +29,7 @@ Name: perl Version: %{perl_version} # release number must be even higher, because dual-lived modules will be broken otherwise -Release: 239%{?dist} +Release: 240%{?dist} Epoch: %{perl_epoch} Summary: Practical Extraction and Report Language Group: Development/Languages @@ -115,6 +115,9 @@ Patch20: perl-5.17.6-Fix-misparsing-of-maketext-strings.patch # Add NAME heading into CPAN PODs, rhbz#908113, CPANRT#73396 Patch21: perl-5.16.2-cpan-CPAN-add-NAME-headings-in-modules-with-POD.patch +# Fix CVE-2013-1667, rhbz#918008 +Patch22: perl-5.16.2-CVE-2013-1667.patch + # Update some of the bundled modules # see http://fedoraproject.org/wiki/Perl/perl.spec for instructions @@ -1346,6 +1349,7 @@ tarball from perl.org. %patch19 -p1 %patch20 -p1 %patch21 -p1 +%patch22 -p1 #copy the example script cp -a %{SOURCE5} . @@ -1558,6 +1562,7 @@ pushd %{build_archlib}/CORE/ 'Fedora Patch19: Do not crash when vivifying $|' \ 'Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329)' \ 'Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396)' \ + 'Fedora Patch22: Fix DoS in rehashing code (CVE-2013-1667)' \ %{nil} rm patchlevel.bak @@ -2630,6 +2635,9 @@ sed \ # Old changelog entries are preserved in CVS. %changelog +* Tue Mar 05 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.16.2-240 +- Fix CVE-2013-1667 (DoS in rehashing code) (bug #918008) + * Mon Feb 18 2013 Petr Pisar <ppisar@xxxxxxxxxx> - 4:5.16.2-239 - Add NAME headings to CPAN modules (bug #908113) -- Fedora Extras Perl SIG http://www.fedoraproject.org/wiki/Extras/SIGs/Perl perl-devel mailing list perl-devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/perl-devel