This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/20616] New: Limit crypt rounds to avoid denial of service

From: "hanno at hboeck dot de" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Sat, 17 Sep 2016 08:07:13 +0000
Subject: [Bug libc/20616] New: Limit crypt rounds to avoid denial of service
Auto-submitted: auto-generated

https://sourceware.org/bugzilla/show_bug.cgi?id=20616

Bug ID: 20616
Summary: Limit crypt rounds to avoid denial of service
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: hanno at hboeck dot de
CC: drepper.fsp at gmail dot com
Target Milestone: ---

Created attachment 9514
--> https://sourceware.org/bugzilla/attachment.cgi?id=9514&action=edit
patch to avoid DoS in crypt function

There are situations where a user can control a password hash. A user could
exploit this and cause a DoS by selecting an insanely high rounds value for a
password hash.

The current maximum rounds number is 999999999 (a billion minus 1), which would
run several minutes on a modern machine. I don't think there is any valid use
case for this.

To avoid DoS I would propose to limit the number of rounds to a sane value.
It's a bit arbitrary which value to choose, in the attached patch I limit it to
9999999 (10 million minus 1), which runs 3/5 seconds (depending if sha256/512)
on my system. It seems like this is probably above all valid use cases, but
doesn't DoS too much. Also the original implementation would cap the rounds to
999999999 for all larger values [1], I changed that to return NULL for too
large values (to avoid having identical inputs generating different outputs for
different glibc versions). Patch attached, changes it for both sha256/512 in
the same way.

(P.S.: musl libc already does essentially the same that I'm proposing here [2])

[1] http://people.redhat.com/drepper/sha-crypt.html
[2]
http://git.musl-libc.org/cgit/musl/tree/src/crypt/crypt_sha256.c?id=5505f6afae9acf37ef565c68a07ca3df7b1ae2cb#n168

--
You are receiving this mail because:
You are on the CC list for the bug.

Follow-Ups:
- [Bug libc/20616] Limit crypt rounds to avoid denial of service
  - From: fweimer at redhat dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]