From 4634c34db318d157c1f741855dba9757cc8de1fd Mon Sep 17 00:00:00 2001
From: nagachika
Date: Tue, 28 Mar 2017 21:29:16 +0000
Subject: merge revision(s) 58200: [Backport #13376] * hash.c (any_hash): fix Symbol#hash to be nondeterministic. The patch was provided by Eric Wong. [ruby-core:80433] [Bug #13376] test/ruby/test_symbol.rb: new test for nondeterminism We need to ensure hashes for static symbols remain non-deterministic to avoid DoS attacks. This is currently the case since 2.4+, but was not for the 2.3 series. * test/ruby/test_symbol.rb (test_hash_nondeterministic): new test [ruby-core:80430] [Bug #13376] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58203 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 7 +++++++
 hash.c | 1 +
 test/ruby/test_symbol.rb | 10 ++++++++++
 version.h | 6 +++---
 4 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 16e65f8b98..fdce669e44 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Wed Mar 29 06:22:27 2017 CHIKANAGA Tomoyuki
+
+ * hash.c (any_hash): fix Symbol#hash to be nondeterministic.
+ The patch was provided by Eric Wong. [ruby-core:80433] [Bug #13376]
+
+ * test/ruby/test_symbol.rb: add test for above.
+
 Tue Mar 28 00:38:39 2017 NAKAMURA Usaku
 * win32/win32.c (poll_child_status): rb_w32_wait_events_blocking() sets
diff --git a/hash.c b/hash.c
index 58a3d04023..d9826c4053 100644
--- a/hash.c
+++ b/hash.c
@@ -139,6 +139,7 @@ any_hash(VALUE a, st_index_t (*other_func)(VALUE))
 if (a == Qundef) return 0;
 if (STATIC_SYM_P(a)) {
 hnum = a >> (RUBY_SPECIAL_SHIFT + ID_SCOPE_SHIFT);
+ hnum = rb_hash_start(hnum);
 goto out;
 }
 else if (FLONUM_P(a)) {
diff --git a/test/ruby/test_symbol.rb b/test/ruby/test_symbol.rb
index ce3b0d652f..34cd886141 100644
--- a/test/ruby/test_symbol.rb
+++ b/test/ruby/test_symbol.rb
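Review bot: The added `hnum = rb_hash_start(hnum);` in the `STATIC_SYM_P` branch of `any_hash` (hash.c) carries the whole security purpose of this backport, yet nothing in the code records it. A short comment would keep a later cleanup from dropping the line as redundant, for example `/* static Symbol hashes must differ between processes to resist hash-flooding DoS [Bug #13376] */`. `rb_hash_start` is defined outside this hunk, so how thoroughly it mixes the seed into the symbol id cannot be checked from here and is worth confirming. `any_hash` begins above the hunk and continues below it, so the other special-constant branches are not visible.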
@@ -411,4 +411,14 @@ class TestSymbol < Test::Unit::TestCase
 assert_equal str, str.to_sym.to_s
 assert_not_predicate(str, :frozen?, bug11721)
 end
+
+ def test_hash_nondeterministic
+ ruby = EnvUtil.rubybin
+ refute_equal `#{ruby} -e 'puts :foo.hash'`, `#{ruby} -e 'puts :foo.hash'`,
+ '[ruby-core:80430] [Bug #13376]'
+
+ sym = "dynsym_#{Random.rand(10000)}_#{Time.now}"
+ refute_equal `#{ruby} -e 'puts #{sym.inspect}.to_sym.hash'`,
+ `#{ruby} -e 'puts #{sym.inspect}.to_sym.hash'`
+ end
 end
diff --git a/version.h b/version.h
index 29116f98c8..709d03b0cb 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.3.4"
-#define RUBY_RELEASE_DATE "2017-03-28"
-#define RUBY_PATCHLEVEL 299
+#define RUBY_RELEASE_DATE "2017-03-29"
+#define RUBY_PATCHLEVEL 300
 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 3
-#define RUBY_RELEASE_DAY 28
+#define RUBY_RELEASE_DAY 29
 #include "ruby/version.h"
--
cgit v1.2.3
From 0ad168551355320c091045c0bb6d4b51798bbcc0 Mon Sep 17 00:00:00 2001
From: nagachika
Date: Wed, 29 Mar 2017 15:00:45 +0000
Subject: * hash.c (any_hash): fix CI failure on L32LLP64 architecture. The patch was provided by usa. [ruby-core:80484] [Bug #13376] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@58213 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 5 +++++
 hash.c | 2 +-
 version.h | 6 +++---
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fdce669e44..593cdc3975 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Wed Mar 29 23:47:31 2017 CHIKANAGA Tomoyuki
+
+ * hash.c (any_hash): fix CI failure on L32LLP64 architecture.
+ The patch was provided by usa. [ruby-core:80484] [Bug #13376]
+
 Wed Mar 29 06:22:27 2017 CHIKANAGA Tomoyuki
 * hash.c (any_hash): fix Symbol#hash to be nondeterministic.
diff --git a/hash.c b/hash.c
index d9826c4053..e418b99c1f 100644
--- a/hash.c
+++ b/hash.c
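Review bot: In `test_hash_nondeterministic` (test/ruby/test_symbol.rb) the interpreter path from `EnvUtil.rubybin` is interpolated unquoted into a backtick shell command, so a path containing spaces or shell metacharacters breaks the test, and the child's exit status is never checked. Passing an argument vector avoids the shell, e.g. `IO.popen([ruby, '-e', 'puts :foo.hash'], &:read)`. Asserting that each output is non-empty before `refute_equal` would keep a child that failed on only one side from making the comparison pass by accident. The second `refute_equal` also lacks the `'[ruby-core:80430] [Bug #13376]'` message that the first one carries.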
@@ -168,7 +168,7 @@ any_hash(VALUE a, st_index_t (*other_func)(VALUE))
 }
 out:
 hnum <<= 1;
- return (st_index_t)RSHIFT(hnum, 1);
+ return (long)RSHIFT(hnum, 1);
 }
 static st_index_t
diff --git a/version.h b/version.h
index 709d03b0cb..17b906b43c 100644
--- a/version.h
+++ b/version.h
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.3.4"
-#define RUBY_RELEASE_DATE "2017-03-29"
-#define RUBY_PATCHLEVEL 300
+#define RUBY_RELEASE_DATE "2017-03-30"
+#define RUBY_PATCHLEVEL 301
 #define RUBY_RELEASE_YEAR 2017
 #define RUBY_RELEASE_MONTH 3
-#define RUBY_RELEASE_DAY 29
+#define RUBY_RELEASE_DAY 30
 #include "ruby/version.h"
--
cgit v1.2.3
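Review bot: The cast change at the end of `any_hash` (hash.c), `return (long)RSHIFT(hnum, 1);`, is explained only in the commit message, so a later reader cannot tell from the code why `long` is used rather than `st_index_t`. A one-line comment would record it, for example `/* cast to long, not st_index_t: the latter failed CI on L32LLP64 [Bug #13376] */`. The function's return type and the declaration of `hnum` are above the hunk. If `long` is narrower than `st_index_t` on that target, the cast presumably truncates the seeded hash value, and it is worth confirming that the truncation is intended.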