diff options
Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch')
-rw-r--r-- | meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch | 148 |
1 files changed, 0 insertions, 148 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch deleted file mode 100644 index 0cfc12b3d9..0000000000 --- a/meta-oe/recipes-extended/redis/redis/CVE-2021-32626.patch +++ /dev/null @@ -1,148 +0,0 @@ -From 6ce827254484fd850240549c98c74bca77980cc0 Mon Sep 17 00:00:00 2001 -From: "meir@redislabs.com" <meir@redislabs.com> -Date: Sun, 13 Jun 2021 14:27:18 +0300 -Subject: [PATCH] Fix invalid memory write on lua stack overflow - {CVE-2021-32626} -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When LUA call our C code, by default, the LUA stack has room for 20 -elements. In most cases, this is more than enough but sometimes it's not -and the caller must verify the LUA stack size before he pushes elements. - -On 3 places in the code, there was no verification of the LUA stack size. -On specific inputs this missing verification could have lead to invalid -memory write: -1. On 'luaReplyToRedisReply', one might return a nested reply that will - explode the LUA stack. -2. On 'redisProtocolToLuaType', the Redis reply might be deep enough - to explode the LUA stack (notice that currently there is no such - command in Redis that returns such a nested reply, but modules might - do it) -3. On 'ldbRedis', one might give a command with enough arguments to - explode the LUA stack (all the arguments will be pushed to the LUA - stack) - -This commit is solving all those 3 issues by calling 'lua_checkstack' and -verify that there is enough room in the LUA stack to push elements. In -case 'lua_checkstack' returns an error (there is not enough room in the -LUA stack and it's not possible to increase the stack), we will do the -following: -1. On 'luaReplyToRedisReply', we will return an error to the user. -2. On 'redisProtocolToLuaType' we will exit with panic (we assume this - scenario is rare because it can only happen with a module). -3. On 'ldbRedis', we return an error. - -CVE: CVE-2021-32626 -Upstream-Status: Backport[https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591] - -Signed-off-by: Changqing Li <changqing.li@windriver.com> ---- - src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 41 insertions(+) - -diff --git a/src/scripting.c b/src/scripting.c -index 299e608..81c88fb 100644 ---- a/src/scripting.c -+++ b/src/scripting.c -@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) { - */ - - char *redisProtocolToLuaType(lua_State *lua, char* reply) { -+ -+ if (!lua_checkstack(lua, 5)) { -+ /* -+ * Increase the Lua stack if needed, to make sure there is enough room -+ * to push 5 elements to the stack. On failure, exit with panic. -+ * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate -+ * might push 5 elements to the Lua stack.*/ -+ serverPanic("lua stack limit reach when parsing redis.call reply"); -+ } -+ - char *p = reply; - - switch(*p) { -@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) { - if (atype == '%') { - p = redisProtocolToLuaType(lua,p); - } else { -+ if (!lua_checkstack(lua, 1)) { -+ /* Notice that here we need to check the stack again because the recursive -+ * call to redisProtocolToLuaType might have use the room allocated in the stack */ -+ serverPanic("lua stack limit reach when parsing redis.call reply"); -+ } - lua_pushboolean(lua,1); - } - lua_settable(lua,-3); -@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) { - /* Reply to client 'c' converting the top element in the Lua stack to a - * Redis reply. As a side effect the element is consumed from the stack. */ - void luaReplyToRedisReply(client *c, lua_State *lua) { -+ -+ if (!lua_checkstack(lua, 4)) { -+ /* Increase the Lua stack if needed to make sure there is enough room -+ * to push 4 elements to the stack. On failure, return error. -+ * Notice that we need, in the worst case, 4 elements because returning a map might -+ * require push 4 elements to the Lua stack.*/ -+ addReplyErrorFormat(c, "reached lua stack limit"); -+ lua_pop(lua,1); // pop the element from the stack -+ return; -+ } -+ - int t = lua_type(lua,-1); - - switch(t) { -@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { - * field. */ - - /* Handle error reply. */ -+ // we took care of the stack size on function start - lua_pushstring(lua,"err"); - lua_gettable(lua,-2); - t = lua_type(lua,-1); -@@ -404,6 +431,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { - if (t == LUA_TTABLE) { - int maplen = 0; - void *replylen = addReplyDeferredLen(c); -+ /* we took care of the stack size on function start */ - lua_pushnil(lua); /* Use nil to start iteration. */ - while (lua_next(lua,-2)) { - /* Stack now: table, key, value */ -@@ -426,6 +454,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { - if (t == LUA_TTABLE) { - int setlen = 0; - void *replylen = addReplyDeferredLen(c); -+ /* we took care of the stack size on function start */ - lua_pushnil(lua); /* Use nil to start iteration. */ - while (lua_next(lua,-2)) { - /* Stack now: table, key, true */ -@@ -445,6 +474,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) { - void *replylen = addReplyDeferredLen(c); - int j = 1, mbulklen = 0; - while(1) { -+ /* we took care of the stack size on function start */ - lua_pushnumber(lua,j++); - lua_gettable(lua,-2); - t = lua_type(lua,-1); -@@ -2546,6 +2576,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) { - void ldbRedis(lua_State *lua, sds *argv, int argc) { - int j, saved_rc = server.lua_replicate_commands; - -+ if (!lua_checkstack(lua, argc + 1)) { -+ /* Increase the Lua stack if needed to make sure there is enough room -+ * to push 'argc + 1' elements to the stack. On failure, return error. -+ * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments -+ * given by the user (without the first argument) and we also push the 'redis' global table and -+ * 'redis.call' function so: -+ * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/ -+ ldbLogRedisReply("max lua stack reached"); -+ return; -+ } -+ - lua_getglobal(lua,"redis"); - lua_pushstring(lua,"call"); - lua_gettable(lua,-2); /* Stack: redis, redis.call */ --- -2.17.1 - |