Security: Prevent DoS from hashmap collisions #1748


Closed
turnidge opened this issue Feb 17, 2012 · 15 comments
Labels
area-meta Cross-cutting, high-level issues (for tracking many other implementation issues, ...). closed-stale Closed as the issue or PR is assumed stale type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) type-security

Comments

@turnidge
Contributor

DoS using hashmap collisions
dart/runtime/vm/object.cc, lines 6156-6158:

```cpp
hash_ += ch;
hash_ += hash_ << 10;
hash_ ^= hash_ >> 6;
```

hash(attacker-supplied data) can be predicted
if hashmap is used on attacker-supplied keys, attacker can cause O(n^2) operations on the hashmap
background: http://www.youtube.com/watch?v=R2Cq3CLI6H8
solution: follow-up with Erik / apply same counter measures as V8

@iposva-google
Contributor

Added Security label.

@iposva-google
Contributor

One suggestion: We could use a random field per hash map which is used to randomize the hash value before use.


Added this to the M1 milestone.
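
A sketch of the per-map random field suggested in the comment above, added here as an illustration; it is not code from the Dart VM or from anyone in this thread. `SeededHash`, `SeededBuckets` and the sample keys are hypothetical, and the three finalization steps are assumed because the excerpt in the report does not show them.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <string>
#include <vector>

// Mixing steps from the object.cc excerpt, started from a caller-supplied seed.
// The three closing steps are the usual one-at-a-time finalization (assumed;
// the excerpt on the page does not show them).
uint32_t SeededHash(const std::string& key, uint32_t seed) {
  uint32_t hash = seed;
  for (unsigned char ch : key) {
    hash += ch;
    hash += hash << 10;
    hash ^= hash >> 6;
  }
  hash += hash << 3;
  hash ^= hash >> 11;
  hash += hash << 15;
  return hash;
}

// Hypothetical map skeleton: one random seed per map, kept private.
class SeededBuckets {
 public:
  explicit SeededBuckets(size_t pow2_buckets)
      : SeededBuckets(pow2_buckets, std::random_device{}()) {}
  SeededBuckets(size_t pow2_buckets, uint32_t seed)  // fixed seed: tests only
      : seed_(seed), counts_(pow2_buckets, 0) {}
  size_t BucketOf(const std::string& key) const {
    return SeededHash(key, seed_) & (counts_.size() - 1);
  }
  void Insert(const std::string& key) { ++counts_[BucketOf(key)]; }
  // Longest chain: a value the map can watch to notice degenerate input.
  size_t LongestChain() const {
    return *std::max_element(counts_.begin(), counts_.end());
  }
 private:
  uint32_t seed_;
  std::vector<size_t> counts_;
};

int main() {
  SeededBuckets map(64);  // seed differs on every run
  for (const char* k : {"user", "session", "id", "token"}) map.Insert(k);  // constructed keys
  std::printf("longest chain: %zu\n", map.LongestChain());
}
```

For a fixed key every mixing step is invertible, so two different seeds always give different 32-bit hashes. The seed only helps while it stays unknown to whoever supplies the keys.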

@DartBot

DartBot commented Jul 19, 2012

This comment was originally written by groeber...@google.com


Hi, was there any work done on this matter?
Cheers
Felix

@turnidge
Contributor Author

Set owner to @lexprfuncall.

@turnidge
Contributor Author

Removed this from the M1 milestone.
Added this to the M2 milestone.

@iposva-google
Contributor

Removed this from the M2 milestone.
Added this to the M3 milestone.

@iposva-google
Contributor

Removed the owner.

@iposva-google
Contributor

Removed this from the M3 milestone.
Added this to the M4 milestone.

@larsbak

larsbak commented May 28, 2013

Removed this from the M4 milestone.
Added this to the M5 milestone.

@iposva-google
Contributor

Removed Priority-Medium label.
Added Priority-Unassigned label.

@iposva-google
Contributor

Removed this from the M5 milestone.

@kevmoo
Member

kevmoo commented Jun 12, 2014

Issue #7 has been merged into this issue.


cc @lrhn.

@kevmoo
Member

kevmoo commented Jun 12, 2014

Marked this as being blocked by #19399, #19400.

@turnidge turnidge added Type-Defect area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. type-security labels Jun 12, 2014
@iposva-google iposva-google added area-meta Cross-cutting, high-level issues (for tracking many other implementation issues, ...). and removed area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. priority-unassigned labels Dec 8, 2015
@kevmoo kevmoo added type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) and removed Type-Defect labels Mar 1, 2016
@munificent munificent added area-meta Cross-cutting, high-level issues (for tracking many other implementation issues, ...). and removed area-meta Cross-cutting, high-level issues (for tracking many other implementation issues, ...). area-multi labels Jun 22, 2018
@gnprice
Contributor

gnprice commented Oct 7, 2024

This appears to be an umbrella issue for two issues that are now closed (/cc @lrhn who just closed #19399). Should this one also be closed?

@lrhn
Member

lrhn commented Oct 9, 2024

Yup.

@lrhn lrhn closed this as not planned Won't fix, can't repro, duplicate, stale Oct 9, 2024
@lrhn lrhn added the closed-stale Closed as the issue or PR is assumed stale label Oct 9, 2024
copybara-service bot pushed a commit that referenced this issue Apr 9, 2025
Revisions updated by `dart tools/rev_sdk_deps.dart`.

core (https://github.com/dart-lang/core/compare/7a80178..af37fe5):
  af37fe54  2025-04-04  Lasse R.H. Nielsen  Adds `[Heap]PriorityQueue.of` constructor. (dart-lang/core#734)
  635dfa32  2025-04-03  Kevin Moore  [collection] explicitly make BoolList abstract interface (dart-lang/core#875)

ecosystem (https://github.com/dart-lang/ecosystem/compare/391a80c..7f6f1c1):
  7f6f1c1  2025-04-09  Daco Harkes  [firehose] Fix dart_apitool invocations with pub workspaces (dart-lang/ecosystem#355)
  0eb0349  2025-04-07  Moritz  Fix tagging in publishing workflow (again) (dart-lang/ecosystem#353)
  1ee8568  2025-04-07  Moritz  Update README.md (dart-lang/ecosystem#352)

http (https://github.com/dart-lang/http/compare/6fabf06..e4ddd3e):
  e4ddd3e  2025-04-07  Moritz  Merge pull request `#1750` from dart-lang/fixTags
  42b42e3  2025-04-07  Moritz  Fix tags
  54bf0f7  2025-04-07  Moritz  Merge pull request `#1748` from dart-lang/fixPublish
  84adca0  2025-04-04  Moritz  Merge pull request `#1432` from dart-lang/fixHealth
  8534a69  2025-04-04  Moritz  Remove ignore breaking
  b80436a  2025-04-04  Moritz  allow underscore
  949cd87  2025-04-04  Moritz  Fix publishing workflow
  996c5d1  2024-12-17  Moritz  ignore only for breaking changes
  e5321f7  2024-12-17  Moritz  Update .github/workflows/health.yaml
  f902d8a  2024-12-17  Moritz  typo
  35f6e9a  2024-12-17  Moritz  exclude websocket
  ca8caee  2024-12-17  Moritz  Ignore http
  621401e  2024-12-17  Moritz  remove ignore license
  ce20b2a  2024-12-17  Moritz  Fix health workflow

test (https://github.com/dart-lang/test/compare/c1fa1e6..8643fbf):
  8643fbf3  2025-04-09  Ömer Sinan Ağacan  Migrate from deprecated `dart:js`, `dart:js_util`, `package:js_util` to `dart:js_interop` (dart-lang/test#2478)

tools (https://github.com/dart-lang/tools/compare/b963bbf..d74f9e1):
  d74f9e13  2025-04-08  Loïc Sharma  [UA] Add a Flutter event for plugins injected into an iOS/macOS project. (dart-lang/tools#2062)
  f34228f8  2025-04-08  Kevin Moore  [graphs] fix readme CI badge (dart-lang/tools#2068)
  0102cd63  2025-04-08  Kevin Moore  [markdown] fix crash test (dart-lang/tools#2067)

webdev (https://github.com/dart-lang/webdev/compare/697f2f7..c8b1cfa):
  c8b1cfa9  2025-04-07  Srujan Gaddam  [dwds] Split hot reload callback into 2, disable breakpoints in changed files, and publish 24.3.10 (dart-lang/webdev#2606)
  8d8413f5  2025-04-04  Wdestroier  Support custom hostname and TLS options (dart-lang/webdev#2588)

Change-Id: Idbad02c2087ceb3c7d0f7efcf0721f4806475e8e
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/421542
Reviewed-by: Konstantin Shcheglov <scheglov@google.com>
Auto-Submit: Devon Carew <devoncarew@google.com>
Commit-Queue: Konstantin Shcheglov <scheglov@google.com>
8 participants