Skip to content

close a vulnerability where HashMap::from_iter wasn't being randomized #15257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 2, 2014
Merged

close a vulnerability where HashMap::from_iter wasn't being randomized #15257

merged 3 commits into from
Jul 2, 2014

Conversation

erickt
Copy link
Contributor

@erickt erickt commented Jun 29, 2014

While HashMap::new and HashMap::with_capacity were being initialized with a random SipHasher, it turns out that HashMap::from_iter was just using the default instance of SipHasher, which wasn't randomized. This closes that bug, and also inlines some important methods.

@alexcrichton
Copy link
Member

I've been thinking of doing something like this for the facade to allow insertion of HashMap into libcollections instead of libstd.

The one final piece of the puzzle would be to parameterize HashMap::new()'s with H: Default rather than lock it down to RandomizedSipHasher. Would it be possible to add that as part of this commit as well? (it doesn't have to be done as part of this PR)

@erickt
Copy link
Contributor Author

erickt commented Jun 29, 2014

I just tried that, and it's going to result is us having to explicitly declare hashmap types. For example this snippet needs an explicit type:

pub fn require_unique_names(diagnostic: &SpanHandler, metas: &[Gc<MetaItem>]) {
    let mut set: HashSet<InternedString> = HashSet::new();
    for meta in metas.iter() {
        let name = meta.name();

        if !set.insert(name.clone()) {
            diagnostic.span_fatal(meta.span,
                                  format!("duplicate meta item `{}`",
                                          name).as_slice());
        }
    }
}

Which is a bit unfortunate. Would it be easier to have an explicit generic HashMap type in libcollections, and a thin wrapper for it in libstd that uses this randomized hasher? Although really the best option would be to allow type HashMap<K, V> = collections::HashMap::<K, V, RandomizedSipHasher> to pass static methods onto the type alias.

@alexcrichton
Copy link
Member

Hm, that is indeed unfortunate. I was hoping for something like this:

// src/libstd/collections/hashmap.rs
pub type HashMap<K, V, H = RandomizedSipHasher> = core_collections::HashMap::<K, V, H>;

The key part being that the std::collections::HashMap type still has overridable hashers without having to go through libcollections to get that.

I suppose if you can define methods on type aliases it may work out as you could have impl HashMap in libstd with a fn new, but that's becoming quite a stretch. Sounds like there's definitely some more design work to do here.

alexcrichton
alexcrichton reviewed Jun 30, 2014
View reviewed changes
src/libstd/collections/mod.rs
@@ -23,5 +23,6 @@ pub use core_collections::{priority_queue, ringbuf, smallintmap, treemap, trie};
pub use self::hashmap::{HashMap, HashSet};
pub use self::lru_cache::LruCache;

pub mod hash;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is available at std::hash, so why export it here?

erickt added 2 commits June 30, 2014 06:57
@erickt
std: make sure HashMap from_iter uses random initialization by default
8284ef6 
It turns out that HashMap's from_iter implementation was being
initialized without the sip keys being randomized. This adds
a custom default hasher that should avoid this potential vulnerability.
@erickt
std: micro optimize Hash{Map,Set}::{new,with_capacity}
c1ff089
@erickt
Copy link
Contributor Author

erickt commented Jun 30, 2014

@alexcrichton: I updated the PR to remove libstd::collections::hash.

alexcrichton
alexcrichton reviewed Jun 30, 2014
View reviewed changes
src/libstd/hash.rs
// option. This file may not be copied, modified, or distributed
// except according to those terms.

//! Generic hashing support.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's a nice doc-comment in collections::hash which sadly won't get included like this, perhaps it could be moved over to this module instead?

@erickt
Copy link
Contributor Author

erickt commented Jul 1, 2014

@alexcrichton: updated to include the documentation.

bors added a commit that referenced this pull request Jul 2, 2014
@bors
auto merge of #15257 : erickt/rust/hashmap, r=alexcrichton
7c4d8e9 
While `HashMap::new` and `HashMap::with_capacity` were being initialized with a random `SipHasher`, it turns out that `HashMap::from_iter` was just using the default instance of `SipHasher`, which wasn't randomized. This closes that bug, and also inlines some important methods.
@bors bors closed this Jul 2, 2014
@bors bors merged commit d90b71c into rust-lang:master Jul 2, 2014
bors added a commit to rust-lang-ci/rust that referenced this pull request Jul 17, 2023
@bors
Auto merge of rust-lang#15257 - sebastiansturm:master, r=lnicola
cabe26c 
[lsp-server] Ignore 'Content-Length' case

this is a trivial PR meant to address issue rust-lang#15197: the 'Content-Length' header field should probably be treated as case-insensitive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@erickt @alexcrichton @bors