2012/1/25 Roberto Ierusalimschy <roberto@inf.puc-rio.br>:
>> OK.  Cool.  This is a showstopper for the company I am working with for
>> rolling out embedded Lua with nginx.  Is there anything I can do to help?
>
> What is still missing now is how to create the initial per-state
> random seed. Suggestions included some address and arc4random. I am
> afraid that, for the backup ANSI implementation, we cannot do much
> better than something like this:
>
>  seed = (unsigned int)time() + (unsigned int)L;
>
> We can have better implementations for particular systems. For instance,
> we can use arc4random if present, but how to detect it? Are there any
> other suggestions?

Well, if these needs for "randomization for increased security" are
gaining weight, maybe a secondary lua_newstate taking a seed argument
would solve the problem, that seed being used for all (present and
future) randomization needs. All embeddings of Lua that want to be
secure would have to find a way to provide a secure seed. And for the
stock command line interpreter, you could use your time()-based
proposal, and eventually accept a command line option to use another
seed.

As for the actual method to pass the seed to the lua_newstate
function, if adding an argument is going the wrong way (adding a new
argument to newstate every time a problem arises), you can have
newstate accept a structure with several initialization options, the
allocator and the seed being the only fields for the moment, with the
possibility to extend that structure in the future:

typedef struct {
    lua_Alloc f;
    void* ud;
    int seed;
} lua_Init;

lua_State* lua_newstate2(lua_Init* init);
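
Added example, not part of the original message and not Lua's own code: one way an embedder could fill the seed field of the proposed lua_Init from an OS entropy device, dropping back to the time()-plus-address value quoted above only when the read fails. The names fill_seed and weak_seed and the /dev/urandom path are assumptions made for illustration; lua_newstate2 is the proposal from this thread, so the call to it is left as a comment.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Same shape as lua_Alloc in lua.h, declared here so the file builds alone. */
typedef void *(*lua_Alloc)(void *ud, void *ptr, size_t osize, size_t nsize);

/* Options structure as proposed in the message above. */
typedef struct {
    lua_Alloc f;
    void *ud;
    int seed;
} lua_Init;

/* Fallback quoted in the thread: clock plus an address. Guessable by anyone
   who knows roughly when the state was created, so it is the last resort. */
static unsigned int weak_seed(const void *addr) {
    return (unsigned int)time(NULL) + (unsigned int)(uintptr_t)addr;
}

/* Hypothetical helper: fill init->seed from entropy_path.
   Returns 1 if the seed came from that source, 0 if the fallback was used. */
int fill_seed(lua_Init *init, const char *entropy_path) {
    unsigned int s = 0;
    size_t n = 0;
    FILE *fp = entropy_path ? fopen(entropy_path, "rb") : NULL;
    if (fp != NULL) {
        setvbuf(fp, NULL, _IONBF, 0);   /* read only the bytes we ask for */
        n = fread(&s, 1, sizeof s, fp);
        fclose(fp);
    }
    if (n != sizeof s)                  /* no device, or a short read */
        s = weak_seed(init);
    memcpy(&init->seed, &s, sizeof s);
    return n == sizeof s;
}

int main(void) {
    lua_Init init = { NULL, NULL, 0 };
    int strong = fill_seed(&init, "/dev/urandom");  /* assumed entropy source */
    printf("seed=%08x source=%s\n", (unsigned int)init.seed,
           strong ? "os entropy" : "time+address fallback");
    /* lua_State *L = lua_newstate2(&init);   proposed API from this thread */
    return 0;
}
```

The return value lets the host log or refuse the fallback path instead of silently running with a predictable seed.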