lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

On 25 December 2015 at 23:48, Vitaly Magerya <> wrote:
> Hi, folks. Some time ago Lua (5.2+) hash tables started using a
> semi-random hash seed; this was a measure introduced to mitigate
> DoS attacks based on hash collisions. Currently both Lua 5.3.2
> and 5.2.4 compute this seed from a 'time(NULL)' call combined
> with addresses of various functions and variables (in hope that
> ASLR will randomize those).
> The problem for me is that FreeBSD has no ASLR at the moment,
> and the hash seed only changes as often as 'time(NULL)': once
> per second. This makes it hard, for example, to run microbenchmarks:
> performance of some code pieces jumps once per second, so to
> average that out I'm forced to wait minutes.
> Basically what I would like to see is a better randomness source
> than 'time(NULL)'. Now, there where discussions [1] about using
> 'arc4random()' for this task (if the system supports that), and
> it seems that source code is structured to allow for this, i.e.
> see 'src/lstate.c':
>     /*
>     ** a macro to help the creation of a unique random seed when a state is
>     ** created; the seed is used to randomize hashes.
>     */
>     #if !defined(luai_makeseed)
>     #include <time.h>
>     #define luai_makeseed()         cast(unsigned int, time(NULL))
>     #endif
> So, the first question I have is: do you folks plan to use a
> kernel-provided randomness source like 'arc4random()' (under
> *BSD) or 'getrandom()' (under Linux)?
> The second question is: would you approve if FreeBSD package of
> Lua was to patch 'luai_makeseed' into 'arc4random()'? I'm asking
> this because I've been using such a patch locally for a while,
> but FreeBSD Lua maintainers would like your approval before
> adding it to the ports collection.
> [1]

It would seem reasonable to me for the lua 'freebsd' Makefile target
to pass something like this in SYSCFLAGS:

    -D'luai_makeseed()=cast(unsigned int, arc4random())'