diff options
Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch')
-rw-r--r-- | meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch new file mode 100644 index 0000000000..0cfc12b3d9 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch @@ -0,0 +1,148 @@ +From 6ce827254484fd850240549c98c74bca77980cc0 Mon Sep 17 00:00:00 2001 +From: "meir@redislabs.com" <meir@redislabs.com> +Date: Sun, 13 Jun 2021 14:27:18 +0300 +Subject: [PATCH] Fix invalid memory write on lua stack overflow + {CVE-2021-32626} +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When LUA call our C code, by default, the LUA stack has room for 20 +elements. In most cases, this is more than enough but sometimes it's not +and the caller must verify the LUA stack size before he pushes elements. + +On 3 places in the code, there was no verification of the LUA stack size. +On specific inputs this missing verification could have lead to invalid +memory write: +1. On 'luaReplyToRedisReply', one might return a nested reply that will + explode the LUA stack. +2. On 'redisProtocolToLuaType', the Redis reply might be deep enough + to explode the LUA stack (notice that currently there is no such + command in Redis that returns such a nested reply, but modules might + do it) +3. On 'ldbRedis', one might give a command with enough arguments to + explode the LUA stack (all the arguments will be pushed to the LUA + stack) + +This commit is solving all those 3 issues by calling 'lua_checkstack' and +verify that there is enough room in the LUA stack to push elements. In +case 'lua_checkstack' returns an error (there is not enough room in the +LUA stack and it's not possible to increase the stack), we will do the +following: +1. On 'luaReplyToRedisReply', we will return an error to the user. +2. On 'redisProtocolToLuaType' we will exit with panic (we assume this + scenario is rare because it can only happen with a module). +3. On 'ldbRedis', we return an error. + +CVE: CVE-2021-32626 +Upstream-Status: Backport[https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591] + +Signed-off-by: Changqing Li <changqing.li@windriver.com> +--- + src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +diff --git a/src/scripting.c b/src/scripting.c +index 299e608..81c88fb 100644 +--- a/src/scripting.c ++++ b/src/scripting.c +@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) { + */ + + char *redisProtocolToLuaType(lua_State *lua, char* reply) { ++ ++ if (!lua_checkstack(lua, 5)) { ++ /* ++ * Increase the Lua stack if needed, to make sure there is enough room ++ * to push 5 elements to the stack. On failure, exit with panic. ++ * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate ++ * might push 5 elements to the Lua stack.*/ ++ serverPanic("lua stack limit reach when parsing redis.call reply"); ++ } ++ + char *p = reply; + + switch(*p) { +@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) { + if (atype == '%') { + p = redisProtocolToLuaType(lua,p); + } else { ++ if (!lua_checkstack(lua, 1)) { ++ /* Notice that here we need to check the stack again because the recursive ++ * call to redisProtocolToLuaType might have use the room allocated in the stack */ ++ serverPanic("lua stack limit reach when parsing redis.call reply"); ++ } + lua_pushboolean(lua,1); + } + lua_settable(lua,-3); +@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) { + /* Reply to client 'c' converting the top element in the Lua stack to a + * Redis reply. As a side effect the element is consumed from the stack. */ + void luaReplyToRedisReply(client *c, lua_State *lua) { ++ ++ if (!lua_checkstack(lua, 4)) { ++ /* Increase the Lua stack if needed to make sure there is enough room ++ * to push 4 elements to the stack. On failure, return error. ++ * Notice that we need, in the worst case, 4 elements because returning a map might ++ * require push 4 elements to the Lua stack.*/ ++ addReplyErrorFormat(c, "reached lua stack limit"); ++ lua_pop(lua,1); // pop the element from the stack ++ return; ++ } ++ + int t = lua_type(lua,-1); + + switch(t) { +@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { + * field. */ + + /* Handle error reply. */ ++ // we took care of the stack size on function start + lua_pushstring(lua,"err"); + lua_gettable(lua,-2); + t = lua_type(lua,-1); +@@ -404,6 +431,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { + if (t == LUA_TTABLE) { + int maplen = 0; + void *replylen = addReplyDeferredLen(c); ++ /* we took care of the stack size on function start */ + lua_pushnil(lua); /* Use nil to start iteration. */ + while (lua_next(lua,-2)) { + /* Stack now: table, key, value */ +@@ -426,6 +454,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { + if (t == LUA_TTABLE) { + int setlen = 0; + void *replylen = addReplyDeferredLen(c); ++ /* we took care of the stack size on function start */ + lua_pushnil(lua); /* Use nil to start iteration. */ + while (lua_next(lua,-2)) { + /* Stack now: table, key, true */ +@@ -445,6 +474,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { + void *replylen = addReplyDeferredLen(c); + int j = 1, mbulklen = 0; + while(1) { ++ /* we took care of the stack size on function start */ + lua_pushnumber(lua,j++); + lua_gettable(lua,-2); + t = lua_type(lua,-1); +@@ -2546,6 +2576,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) { + void ldbRedis(lua_State *lua, sds *argv, int argc) { + int j, saved_rc = server.lua_replicate_commands; + ++ if (!lua_checkstack(lua, argc + 1)) { ++ /* Increase the Lua stack if needed to make sure there is enough room ++ * to push 'argc + 1' elements to the stack. On failure, return error. ++ * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments ++ * given by the user (without the first argument) and we also push the 'redis' global table and ++ * 'redis.call' function so: ++ * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/ ++ ldbLogRedisReply("max lua stack reached"); ++ return; ++ } ++ + lua_getglobal(lua,"redis"); + lua_pushstring(lua,"call"); + lua_gettable(lua,-2); /* Stack: redis, redis.call */ +-- +2.17.1 + |