path: root/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch
Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch')
-rw-r--r--meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch148
1 files changed, 0 insertions, 148 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch
deleted file mode 100644
index 0cfc12b3d9..0000000000
--- a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 6ce827254484fd850240549c98c74bca77980cc0 Mon Sep 17 00:00:00 2001
-From: "meir@redislabs.com" <meir@redislabs.com>
-Date: Sun, 13 Jun 2021 14:27:18 +0300
-Subject: [PATCH] Fix invalid memory write on lua stack overflow
- {CVE-2021-32626}
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When LUA call our C code, by default, the LUA stack has room for 20
-elements. In most cases, this is more than enough but sometimes it's not
-and the caller must verify the LUA stack size before he pushes elements.
-
-On 3 places in the code, there was no verification of the LUA stack size.
-On specific inputs this missing verification could have lead to invalid
-memory write:
-1. On 'luaReplyToRedisReply', one might return a nested reply that will
- explode the LUA stack.
-2. On 'redisProtocolToLuaType', the Redis reply might be deep enough
-   to explode the LUA stack (notice that currently there is no such
-   command in Redis that returns such a nested reply, but modules might
-   do it)
-3. On 'ldbRedis', one might give a command with enough arguments to
-   explode the LUA stack (all the arguments will be pushed to the LUA
-   stack)
-
-This commit is solving all those 3 issues by calling 'lua_checkstack' and
-verify that there is enough room in the LUA stack to push elements. In
-case 'lua_checkstack' returns an error (there is not enough room in the
-LUA stack and it's not possible to increase the stack), we will do the
-following:
-1. On 'luaReplyToRedisReply', we will return an error to the user.
-2. On 'redisProtocolToLuaType' we will exit with panic (we assume this
- scenario is rare because it can only happen with a module).
-3. On 'ldbRedis', we return an error.
-
-CVE: CVE-2021-32626
-Upstream-Status: Backport[https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591]
-
-Signed-off-by: Changqing Li <changqing.li@windriver.com>
----
- src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 41 insertions(+)
-
-diff --git a/src/scripting.c b/src/scripting.c
-index 299e608..81c88fb 100644
---- a/src/scripting.c
-+++ b/src/scripting.c
-@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) {
- */
-
- char *redisProtocolToLuaType(lua_State *lua, char* reply) {
-+
-+ if (!lua_checkstack(lua, 5)) {
-+ /*
-+ * Increase the Lua stack if needed, to make sure there is enough room
-+ * to push 5 elements to the stack. On failure, exit with panic.
-+         * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate
-+         * might push 5 elements to the Lua stack.*/
-+ serverPanic("lua stack limit reach when parsing redis.call reply");
-+ }
-+
- char *p = reply;
-
- switch(*p) {
-@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) {
- if (atype == '%') {
- p = redisProtocolToLuaType(lua,p);
- } else {
-+ if (!lua_checkstack(lua, 1)) {
-+ /* Notice that here we need to check the stack again because the recursive
-+ * call to redisProtocolToLuaType might have use the room allocated in the stack */
-+ serverPanic("lua stack limit reach when parsing redis.call reply");
-+ }
- lua_pushboolean(lua,1);
- }
- lua_settable(lua,-3);
-@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) {
- /* Reply to client 'c' converting the top element in the Lua stack to a
- * Redis reply. As a side effect the element is consumed from the stack. */
- void luaReplyToRedisReply(client *c, lua_State *lua) {
-+
-+ if (!lua_checkstack(lua, 4)) {
-+ /* Increase the Lua stack if needed to make sure there is enough room
-+ * to push 4 elements to the stack. On failure, return error.
-+         * Notice that we need, in the worst case, 4 elements because returning a map might
-+ * require push 4 elements to the Lua stack.*/
-+ addReplyErrorFormat(c, "reached lua stack limit");
-+ lua_pop(lua,1); // pop the element from the stack
-+ return;
-+ }
-+
- int t = lua_type(lua,-1);
-
- switch(t) {
-@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
- * field. */
-
- /* Handle error reply. */
-+ // we took care of the stack size on function start
- lua_pushstring(lua,"err");
- lua_gettable(lua,-2);
- t = lua_type(lua,-1);
-@@ -404,6 +431,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
- if (t == LUA_TTABLE) {
- int maplen = 0;
- void *replylen = addReplyDeferredLen(c);
-+ /* we took care of the stack size on function start */
- lua_pushnil(lua); /* Use nil to start iteration. */
- while (lua_next(lua,-2)) {
- /* Stack now: table, key, value */
-@@ -426,6 +454,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
- if (t == LUA_TTABLE) {
- int setlen = 0;
- void *replylen = addReplyDeferredLen(c);
-+ /* we took care of the stack size on function start */
- lua_pushnil(lua); /* Use nil to start iteration. */
- while (lua_next(lua,-2)) {
- /* Stack now: table, key, true */
-@@ -445,6 +474,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
- void *replylen = addReplyDeferredLen(c);
- int j = 1, mbulklen = 0;
- while(1) {
-+ /* we took care of the stack size on function start */
- lua_pushnumber(lua,j++);
- lua_gettable(lua,-2);
- t = lua_type(lua,-1);
-@@ -2546,6 +2576,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) {
- void ldbRedis(lua_State *lua, sds *argv, int argc) {
- int j, saved_rc = server.lua_replicate_commands;
-
-+ if (!lua_checkstack(lua, argc + 1)) {
-+ /* Increase the Lua stack if needed to make sure there is enough room
-+ * to push 'argc + 1' elements to the stack. On failure, return error.
-+         * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments
-+         * given by the user (without the first argument) and we also push the 'redis' global table and
-+         * 'redis.call' function so:
-+         * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/
-+ ldbLogRedisReply("max lua stack reached");
-+ return;
-+ }
-+
- lua_getglobal(lua,"redis");
- lua_pushstring(lua,"call");
- lua_gettable(lua,-2); /* Stack: redis, redis.call */
---
-2.17.1
-