Bug 1269110

Summary: php: hash table collisions CPU usage DoS
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, fedora, jdetiber, jialiu, jkeck, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, rcollet, webstack-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-08-03 07:16:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1269112    
Bug Blocks: 1269113    

Description Martin Prpič 2015-10-06 11:27:55 UTC 
Brian M. Carlson reported the following flaw in PHP:

PHP uses the DJB "times 33" hash to hash strings in its hash tables, without the use of any secret key. Hash values are therefore the same between multiple invocations. As a result, it's trivial to precompute a set of values that all hash to the same bucket and cause positively abysmal performance.

If a script accepts untrusted hash keys, such as from JSON input, it is subject to a DoS attack. PHP implemented the max_input_vars option, but this is not effective in the general case, especially in the era of JSON-laden POST requests. Perl, Python, and Ruby have all addressed their CVEs properly, but PHP has not and as a result is still vulnerable.

Original report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800564

Additional information:

https://github.com/bk2204/php-hash-dos
Comment 1 Martin Prpič 2015-10-06 11:31:03 UTC 
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1269112]
Comment 2 Tomas Hoger 2015-12-17 21:01:11 UTC 
Upstream bug report:

https://bugs.php.net/bug.php?id=70644

Ways to fix this issue are still being investigated.
Comment 3 Huzaifa S. Sidhpurwala 2016-08-03 07:16:45 UTC 
There is no activity on this upstream and it seems unlikely that it will be picked up any soon. Upstream strongly suggests validating all inputs via the PHP application before loading them into such data structures. (such as hash tables).