Date: Thu, 16 Apr 2015 12:11:13 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 199480] [patch] lang/lua52, lang/lua53: use 'arc4random()' instead of 'time()' for string hash seed
Message-ID: <bug-199480-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=199480

            Bug ID: 199480
           Summary: [patch] lang/lua52, lang/lua53: use 'arc4random()'
                    instead of 'time()' for string hash seed
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: lua@FreeBSD.org
          Reporter: vmagerya@gmail.com
             Flags: maintainer-feedback?(lua@FreeBSD.org)

Created attachment 155642
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=155642&action=edit
lua-makeseed.diff

When hashing strings into tables, Lua 5.2 uses a semi-random hash seed, which
is obtained from a mixture of 'time()' and a few global addresses (in hope that
ASLR would randomize those). See the 'makeseed' function in 'src/lstate.c' for
how it's done.

Since we don't have ASLR, the resulting seed depends only on time(), which
means it can only change once a second, instead of at every execution.

I think this randomization was meant as a way to prevent DoS attacks based on
hash table collisions (I'm not sure if it's effective, since the random seed is
only computed once at startup). In any case, the biggest effect this has for me
is that performance of various code parts depends on the ordering of table keys
(and thus, on the seed), but you only get one seed per second, so running
microbenchmarks suddenly becomes a problem.

Now, 'src/lstate.c' provides a way for us to supply a better seed: we just need
to redefine 'luai_makeseed' (by default it's just a 'time()' call). The attached
patch changes 'luai_makeseed' into an 'arc4random()' call for both lang/lua52
and lang/lua53 (lua51 doesn't seem to have an equivalent randomization).

Note that defining __BSD_VISIBLE is only really needed for lua53, since it
defines _XOPEN_SOURCE somewhere above, and without __BSD_VISIBLE the
'arc4random' prototype is not visible with just a 'stdlib.h' include.

-- 
You are receiving this mail because:
You are the assignee for the bug.
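
The once-per-second behaviour described in the report, as an added example that is not part of the original message or the attached patch: it simulates many interpreter starts in quick succession and counts the distinct seeds each base source yields when the mixed-in addresses never change. The names `model_makeseed`, `distinct_seeds`, `base_from_time` and `base_from_csprng`, the FNV-1a mixing step (a stand-in for Lua's own hash), the constant addresses and the /dev/urandom fallback for non-FreeBSD builds are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Default described in the report: the seed base is just time(). */
static unsigned int base_from_time(void) { return (unsigned int)time(NULL); }

/* Proposed replacement. arc4random() on FreeBSD; elsewhere this example
   falls back to /dev/urandom so that it still builds (an assumption). */
static unsigned int base_from_csprng(void) {
#if defined(__FreeBSD__)
  return arc4random();
#else
  unsigned int v = 0;
  FILE *f = fopen("/dev/urandom", "rb");
  if (f != NULL) { size_t got = fread(&v, sizeof v, 1, f); fclose(f); if (got != 1) v = 0; }
  return v;
#endif
}

/* Stand-in for makeseed(): mixes the base with a few addresses using FNV-1a
   (not Lua's own hash). The addresses are constructed constants, modelling
   a system without ASLR where they are identical at every start. */
static unsigned int model_makeseed(unsigned int base) {
  static const unsigned long addrs[4] = {0x601040UL, 0x7fffe000UL, 0x4a2f10UL, 0x400b30UL};
  const unsigned char *p = (const unsigned char *)addrs;
  unsigned int h = base;
  for (size_t i = 0; i < sizeof addrs; i++) h = (h ^ p[i]) * 16777619u;
  return h;
}

/* Count distinct seeds over n simulated interpreter starts (n capped at 256). */
static int distinct_seeds(unsigned int (*src)(void), int n) {
  unsigned int seen[256];
  int count = 0;
  for (int i = 0; i < n && i < 256; i++) {
    unsigned int s = model_makeseed(src());
    int j = 0;
    while (j < count && seen[j] != s) j++;
    if (j == count) seen[count++] = s;
  }
  return count;
}

int main(void) {
  printf("time(): %d, CSPRNG: %d distinct seeds in 64 starts\n",
         distinct_seeds(base_from_time, 64), distinct_seeds(base_from_csprng, 64));
  return 0;
}
```

With the time() base, a burst of starts yields one seed (two if the burst straddles a second boundary), so anyone who knows roughly when the process started can enumerate the candidate seeds; the CSPRNG base gives a fresh seed per start.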