classification
Title: Hash collisions in IPv4Interface and IPv6Interface
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.10, Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5
process
Status: open Resolution: fixed
Dependencies: Superseder:
Assigned To: eric.smith Nosy List: Amir, Beuc, corona10, eric.smith, miss-islington, ned.deily, nnewram, rvteja92, svaddi, tapakund
Priority: normal Keywords: easy, patch

Created on 2020-06-17 13:11 by nnewram, last changed 2020-06-30 19:30 by ned.deily.

Pull Requests
URL Status Linked Edit
PR 20956 open svaddi, 2020-06-18 08:03
PR 21033 merged rvteja92, 2020-06-21 18:57
PR 21220 merged miss-islington, 2020-06-29 17:39
PR 21221 merged miss-islington, 2020-06-29 17:39
PR 21231 merged tapakund, 2020-06-30 07:52
PR 21232 merged tapakund, 2020-06-30 08:25
PR 21233 open tapakund, 2020-06-30 09:42
Messages (17)
msg371738 - (view) Author: martin wennberg (nnewram) Date: 2020-06-17 13:11
In the ipaddress library there exists two classes IPv4Interface, and IPv6Interface. These classes' hash functions will always return 32 and 64 respectively. If IPv4Interface or IPv6Interface objects then are put in a dictionary, on for example a server storing IPs, this will cause hash collisions, which in turn can lead to DOS.

The root of this is on line 1421 and 2095. On both lines, self._ip and self.network.network_address will both be same, and when xor is applied they will cancel eachother out, leaving return self._prefixlen .
Since self._prefixlen is a constant, 32 and 64 respectively, this will lead to a constant hash.

The fix is trivial, on line 1421, change to:
return hash((self._ip, self._prefixlen, int(self.network.network_address)))

and on line 2095, change to:
return hash((self._ip, self._prefixlen, int(self.network.network_address)))
msg371768 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2020-06-17 17:30
Good catch. Your approach seems like a good one.
msg371770 - (view) Author: martin wennberg (nnewram) Date: 2020-06-17 19:07
Forgot to add, this applies to all versions, 3.10, 3.9, 3.8, 3.7, 3.6, 3.5
msg371793 - (view) Author: Amir Mohamadi (Amir) * Date: 2020-06-18 07:58
Can I make a PR for this?
msg371794 - (view) Author: martin wennberg (nnewram) Date: 2020-06-18 08:03
Absolutely, go ahead Amir
msg371882 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2020-06-19 13:10
Changing versions to where the fix would be applied.
msg372030 - (view) Author: Ravi Teja P (rvteja92) * Date: 2020-06-22 03:45
Hi
I have raised a PR for this. But my PLA is yet to be updated (I have singed it).

But add the fix to the existing versions (3.8, 3.9 and 3.10), do I need to raise PR for each of those branches?
msg372031 - (view) Author: Amir Mohamadi (Amir) * Date: 2020-06-22 05:13
No @rvteja92, you don't need open multiple PRs, only make your changes on master branch. for more informations read this:
https://devguide.python.org/

And for the CLA sign it will take a while to be updated.
msg372515 - (view) Author: Ravi Teja P (rvteja92) * Date: 2020-06-28 12:47
Hi

My CLA has been approved. Can someone review the PR.
msg372606 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2020-06-29 17:39
New changeset b30ee26e366bf509b7538d79bfec6c6d38d53f28 by Ravi Teja P in branch 'master':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
https://github.com/python/cpython/commit/b30ee26e366bf509b7538d79bfec6c6d38d53f28
msg372611 - (view) Author: miss-islington (miss-islington) Date: 2020-06-29 18:12
New changeset dc8ce8ead182de46584cc1ed8a8c51d48240cbd5 by Miss Islington (bot) in branch '3.8':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
https://github.com/python/cpython/commit/dc8ce8ead182de46584cc1ed8a8c51d48240cbd5
msg372612 - (view) Author: miss-islington (miss-islington) Date: 2020-06-29 18:15
New changeset 9a646aa82dfa62d70ca2a99ada901ee6cf9f82bd by Miss Islington (bot) in branch '3.9':
bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033)
https://github.com/python/cpython/commit/9a646aa82dfa62d70ca2a99ada901ee6cf9f82bd
msg372677 - (view) Author: Eric V. Smith (eric.smith) * (Python committer) Date: 2020-06-30 11:01
Ned: what are your thoughts on backporting this as a security issue?

https://nvd.nist.gov/vuln/detail?vulnId=CVE-2020-14422
msg372679 - (view) Author: Dong-hee Na (corona10) * (Python committer) Date: 2020-06-30 11:05
> https://nvd.nist.gov/vuln/detail?vulnId=CVE-2020-14422

As Eric said, this issue is assigned a CVE-2020-14422.
I re-open PRs for 3.5 - 3.7 and waiting for other core developers guide.

I am +1 on merge this PRs as the security patch.
msg372695 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-06-30 14:41
A legitimate CVE should certainly be backported to all applicable releases, so, yes.  However, I think that it is important for the CVE to be mentioned in the NEWS blurbs for each commit.  So please update the NEWS items in each open PR to include the CVE. For master and 3.9 (if you hurry), you can update the original blurb file.  For 3.8, the blurb file is in the process of being merged into the blurb for the release; for it, wait until the v3.8.4rc1 has been merged back into the main cpython repo and then update the merged the blob, please.  Thanks!
msg372720 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-06-30 19:20
New changeset b98e7790c77a4378ec4b1c71b84138cb930b69b7 by Tapas Kundu in branch '3.7':
[3.7] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21231)
https://github.com/python/cpython/commit/b98e7790c77a4378ec4b1c71b84138cb930b69b7
msg372721 - (view) Author: Ned Deily (ned.deily) * (Python committer) Date: 2020-06-30 19:30
New changeset cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9 by Tapas Kundu in branch '3.6':
[3.6] bpo-41004: Resolve hash collisions for IPv4Interface and IPv6Interface (GH-21033) (GH-21232)
https://github.com/python/cpython/commit/cfc7ff8d05f7a949a88b8a8dd506fb5c1c30d3e9
History
Date User Action Args
2020-06-30 19:30:29ned.deilysetmessages: + msg372721
2020-06-30 19:20:25ned.deilysetmessages: + msg372720
2020-06-30 14:41:52ned.deilysetmessages: + msg372695
2020-06-30 11:05:26corona10setnosy: + corona10
messages: + msg372679
2020-06-30 11:02:48corona10setstatus: closed -> open
versions: + Python 3.5, Python 3.6, Python 3.7
2020-06-30 11:01:31eric.smithsetnosy: + ned.deily
messages: + msg372677
2020-06-30 09:42:10tapakundsetpull_requests: + pull_request20387
2020-06-30 08:25:02tapakundsetpull_requests: + pull_request20386
2020-06-30 07:52:57tapakundsetnosy: + tapakund

pull_requests: + pull_request20385
2020-06-29 18:18:36eric.smithsetstatus: open -> closed
assignee: eric.smith
resolution: fixed
stage: patch review -> resolved
2020-06-29 18:15:42miss-islingtonsetmessages: + msg372612
2020-06-29 18:12:59miss-islingtonsetmessages: + msg372611
2020-06-29 17:39:57miss-islingtonsetpull_requests: + pull_request20373
2020-06-29 17:39:49miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request20372
2020-06-29 17:39:36eric.smithsetmessages: + msg372606
2020-06-28 12:47:18rvteja92setmessages: + msg372515
2020-06-23 14:43:54Beucsetnosy: + Beuc
2020-06-22 05:13:36Amirsetmessages: + msg372031
2020-06-22 03:45:50rvteja92setmessages: + msg372030
2020-06-21 18:57:18rvteja92setnosy: + rvteja92
pull_requests: + pull_request20204
2020-06-19 13:10:54eric.smithsetmessages: + msg371882
versions: - Python 3.5, Python 3.6, Python 3.7
2020-06-18 08:03:09svaddisetkeywords: + patch
nosy: + svaddi

pull_requests: + pull_request20137
stage: patch review
2020-06-18 08:03:05nnewramsetmessages: + msg371794
2020-06-18 07:58:42Amirsetnosy: + Amir
messages: + msg371793
2020-06-17 19:07:20nnewramsetmessages: + msg371770
versions: + Python 3.5, Python 3.6, Python 3.7, Python 3.8, Python 3.9
2020-06-17 18:08:55nnewramsetversions: + Python 3.10, - Python 3.8
2020-06-17 17:31:45eric.smithsetkeywords: + easy
2020-06-17 17:30:06eric.smithsetnosy: + eric.smith
messages: + msg371768
2020-06-17 14:16:14nnewramsettype: security
2020-06-17 13:11:52nnewramcreate