Bug 1269110 - php: hash table collisions CPU usage DoS
php: hash table collisions CPU usage DoS
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1269112
Blocks: 1269113
  Show dependency treegraph
Reported: 2015-10-06 07:27 EDT by Martin Prpič
Modified: 2018-01-29 05:47 EST (History)
15 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-08-03 03:16:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
PHP Bug Tracker 70644 None None None 2015-12-17 16:01 EST

  None (edit)
Description Martin Prpič 2015-10-06 07:27:55 EDT
Brian M. Carlson reported the following flaw in PHP:

PHP uses the DJB "times 33" hash to hash strings in its hash tables, without the use of any secret key. Hash values are therefore the same between multiple invocations. As a result, it's trivial to precompute a set of values that all hash to the same bucket and cause positively abysmal performance.

If a script accepts untrusted hash keys, such as from JSON input, it is subject to a DoS attack. PHP implemented the max_input_vars option, but this is not effective in the general case, especially in the era of JSON-laden POST requests. Perl, Python, and Ruby have all addressed their CVEs properly, but PHP has not and as a result is still vulnerable.

Original report:


Additional information:

Comment 1 Martin Prpič 2015-10-06 07:31:03 EDT
Created php tracking bugs for this issue:

Affects: fedora-all [bug 1269112]
Comment 2 Tomas Hoger 2015-12-17 16:01:11 EST
Upstream bug report:


Ways to fix this issue are still being investigated.
Comment 3 Huzaifa S. Sidhpurwala 2016-08-03 03:16:45 EDT
There is no activity on this upstream and it seems unlikely that it will be picked up any soon. Upstream strongly suggests validating all inputs via the PHP application before loading them into such data structures. (such as hash tables).

Note You need to log in before you can comment on or make changes to this bug.