Google Git
Sign in
go / go / ef2f3391da20e4aca689033045c0d00fddd0b190
commitef2f3391da20e4aca689033045c0d00fddd0b190[log] [tgz]
authorkhr@golang.org <khr@golang.org>Mon Apr 15 17:52:20 2024 -0700
committerKeith Randall <khr@golang.org>Fri Apr 19 17:38:07 2024 +0000
tree5bab32ea9a1f7bca26d60c6d987557a1fdfd9df8
parent2b82a4f488179a62a69dd318ea62f0624641ae63 [diff]
runtime: make it harder to find collisions in the 64-bit fallback hash

Currently the first argument to mix() can be set by an attacker, as it
is just the input bytes xored by some constants. That lets an attacker
set the value being multipled by to 0. That can lead to lots of
collisions. To fix, xor the first argument with the process-wide seed,
so the magic collision-generating value isn't a constant known to the
attacker.  (Maybe there's a timing attack that could figure out the
process-wide seed, but that's a much harder attack.)

Fixes #66841

Change-Id: I33e073c78355d1cee08660de52074e6ccc38b426
Reviewed-on: https://go-review.googlesource.com/c/go/+/579115
Reviewed-by: M Zhuo <mengzhuo1203@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Keith Randall <khr@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
2 files changed
tree: 5bab32ea9a1f7bca26d60c6d987557a1fdfd9df8
  1. .github/
  2. api/
  3. doc/
  4. lib/
  5. misc/
  6. src/
  7. test/
  8. .gitattributes
  9. .gitignore
  10. codereview.cfg
  11. CONTRIBUTING.md
  12. go.env
  13. LICENSE
  14. PATENTS
  15. README.md
  16. SECURITY.md
README.md

The Go Programming Language

Go is an open source programming language that makes it easy to build simple, reliable, and efficient software.

Gopher image Gopher image by Renee French, licensed under Creative Commons 4.0 Attributions license.

Our canonical Git repository is located at https://go.googlesource.com/go. There is a mirror of the repository at https://github.com/golang/go.

Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.

Download and Install

Binary Distributions

Official binary distributions are available at https://go.dev/dl/.

After downloading a binary release, visit https://go.dev/doc/install for installation instructions.

Install From Source

If a binary distribution is not available for your combination of operating system and architecture, visit https://go.dev/doc/install/source for source installation instructions.

Contributing

Go is the work of thousands of contributors. We appreciate your help!

To contribute, please read the contribution guidelines at https://go.dev/doc/contribute.

Note that the Go project uses the issue tracker for bug reports and proposals only. See https://go.dev/wiki/Questions for a list of places to ask questions about the Go language.