1 files changed, 148 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch
new file mode 100644
index 0000000000..0cfc12b3d9
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch
@@ -0,0 +1,148 @@
+From 6ce827254484fd850240549c98c74bca77980cc0 Mon Sep 17 00:00:00 2001
+From: "meir@redislabs.com" <meir@redislabs.com>
+Date: Sun, 13 Jun 2021 14:27:18 +0300
+Subject: [PATCH] Fix invalid memory write on lua stack overflow
+ {CVE-2021-32626}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When LUA call our C code, by default, the LUA stack has room for 20
+elements. In most cases, this is more than enough but sometimes it's not
+and the caller must verify the LUA stack size before he pushes elements.
+
+On 3 places in the code, there was no verification of the LUA stack size.
+On specific inputs this missing verification could have lead to invalid
+memory write:
+1. On 'luaReplyToRedisReply', one might return a nested reply that will
+   explode the LUA stack.
+2. On 'redisProtocolToLuaType', the Redis reply might be deep enough
+   to explode the LUA stack (notice that currently there is no such
+   command in Redis that returns such a nested reply, but modules might
+   do it)
+3. On 'ldbRedis', one might give a command with enough arguments to
+   explode the LUA stack (all the arguments will be pushed to the LUA
+   stack)
+
+This commit is solving all those 3 issues by calling 'lua_checkstack' and
+verify that there is enough room in the LUA stack to push elements. In
+case 'lua_checkstack' returns an error (there is not enough room in the
+LUA stack and it's not possible to increase the stack), we will do the
+following:
+1. On 'luaReplyToRedisReply', we will return an error to the user.
+2. On 'redisProtocolToLuaType' we will exit with panic (we assume this
+   scenario is rare because it can only happen with a module).
+3. On 'ldbRedis', we return an error.
+
+CVE: CVE-2021-32626
+Upstream-Status: Backport[https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 41 insertions(+)
+
+diff --git a/src/scripting.c b/src/scripting.c
+index 299e608..81c88fb 100644
+--- a/src/scripting.c
++++ b/src/scripting.c
+@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) {
+  */
+ 
+ char *redisProtocolToLuaType(lua_State *lua, char* reply) {
++
++    if (!lua_checkstack(lua, 5)) {
++        /*
++         * Increase the Lua stack if needed, to make sure there is enough room
++         * to push 5 elements to the stack. On failure, exit with panic.
++         * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate
++         * might push 5 elements to the Lua stack.*/
++        serverPanic("lua stack limit reach when parsing redis.call reply");
++    }
++
+     char *p = reply;
+ 
+     switch(*p) {
+@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) {
+             if (atype == '%') {
+                 p = redisProtocolToLuaType(lua,p);
+             } else {
++                if (!lua_checkstack(lua, 1)) {
++                    /* Notice that here we need to check the stack again because the recursive
++                     * call to redisProtocolToLuaType might have use the room allocated in the stack */
++                    serverPanic("lua stack limit reach when parsing redis.call reply");
++                }
+                 lua_pushboolean(lua,1);
+             }
+             lua_settable(lua,-3);
+@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) {
+ /* Reply to client 'c' converting the top element in the Lua stack to a
+  * Redis reply. As a side effect the element is consumed from the stack.  */
+ void luaReplyToRedisReply(client *c, lua_State *lua) {
++
++    if (!lua_checkstack(lua, 4)) {
++        /* Increase the Lua stack if needed to make sure there is enough room
++         * to push 4 elements to the stack. On failure, return error.
++         * Notice that we need, in the worst case, 4 elements because returning a map might
++         * require push 4 elements to the Lua stack.*/
++        addReplyErrorFormat(c, "reached lua stack limit");
++        lua_pop(lua,1); // pop the element from the stack
++        return;
++    }
++
+     int t = lua_type(lua,-1);
+ 
+     switch(t) {
+@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
+          * field. */
+ 
+         /* Handle error reply. */
++        // we took care of the stack size on function start
+         lua_pushstring(lua,"err");
+         lua_gettable(lua,-2);
+         t = lua_type(lua,-1);
+@@ -404,6 +431,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
+         if (t == LUA_TTABLE) {
+             int maplen = 0;
+             void *replylen = addReplyDeferredLen(c);
++            /* we took care of the stack size on function start */
+             lua_pushnil(lua); /* Use nil to start iteration. */
+             while (lua_next(lua,-2)) {
+                 /* Stack now: table, key, value */
+@@ -426,6 +454,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
+         if (t == LUA_TTABLE) {
+             int setlen = 0;
+             void *replylen = addReplyDeferredLen(c);
++            /* we took care of the stack size on function start */
+             lua_pushnil(lua); /* Use nil to start iteration. */
+             while (lua_next(lua,-2)) {
+                 /* Stack now: table, key, true */
+@@ -445,6 +474,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
+         void *replylen = addReplyDeferredLen(c);
+         int j = 1, mbulklen = 0;
+         while(1) {
++            /* we took care of the stack size on function start */
+             lua_pushnumber(lua,j++);
+             lua_gettable(lua,-2);
+             t = lua_type(lua,-1);
+@@ -2546,6 +2576,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) {
+ void ldbRedis(lua_State *lua, sds *argv, int argc) {
+     int j, saved_rc = server.lua_replicate_commands;
+ 
++    if (!lua_checkstack(lua, argc + 1)) {
++        /* Increase the Lua stack if needed to make sure there is enough room
++         * to push 'argc + 1' elements to the stack. On failure, return error.
++         * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments
++         * given by the user (without the first argument) and we also push the 'redis' global table and
++         * 'redis.call' function so:
++         * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/
++        ldbLogRedisReply("max lua stack reached");
++        return;
++    }
++
+     lua_getglobal(lua,"redis");
+     lua_pushstring(lua,"call");
+     lua_gettable(lua,-2);       /* Stack: redis, redis.call */
+-- 
+2.17.1
+