Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32687.patch')
-rw-r--r-- | meta-oe/recipes-extended/redis/redis/CVE-2021-32687.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32687.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32687.patch
new file mode 100644
index 0000000000..fe04e67f30
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32687.patch
@@ -0,0 +1,67 @@
+From a40ee258accdaf56c23950a6371307ca1aa69f06 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Sun, 26 Sep 2021 15:42:17 +0300
+Subject: [PATCH] Fix Integer overflow issue with intsets (CVE-2021-32687)
+
+The vulnerability involves changing the default set-max-intset-entries
+configuration parameter to a very large value and constructing specially
+crafted commands to manipulate sets
+
+CVE: CVE-2021-32687
+Upstream-Status: Backport[https://github.com/redis/redis/commit/a30d367a71b7017581cf1ca104242a3c644dec0f]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ src/intset.c | 3 ++-
+ src/rdb.c | 4 +++-
+ src/t_set.c | 5 ++++-
+ 3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/intset.c b/src/intset.c
+index 9ba1389..e366851 100644
+--- a/src/intset.c
++++ b/src/intset.c
+@@ -104,7 +104,8 @@ intset *intsetNew(void) {
+
+ /* Resize the intset */
+ static intset *intsetResize(intset *is, uint32_t len) {
+- uint32_t size = len*intrev32ifbe(is->encoding);
++ uint64_t size = (uint64_t)len*intrev32ifbe(is->encoding);
++ assert(size <= SIZE_MAX - sizeof(intset));
+ is = zrealloc(is,sizeof(intset)+size);
+ return is;
+ }
+diff --git a/src/rdb.c b/src/rdb.c
+index 6f2f516..37b1e0b 100644
+--- a/src/rdb.c
++++ b/src/rdb.c
+@@ -1562,7 +1562,9 @@ robj *rdbLoadObject(int rdbtype, rio *rdb, sds key) {
+ if ((len = rdbLoadLen(rdb,NULL)) == RDB_LENERR) return NULL;
+
+ /* Use a regular set when there are too many entries. */
+- if (len > server.set_max_intset_entries) {
++ size_t max_entries = server.set_max_intset_entries;
++ if (max_entries >= 1<<30) max_entries = 1<<30;
++ if (len > max_entries) {
+ o = createSetObject();
+ /* It's faster to expand the dict to the right size asap in order
+ * to avoid rehashing */
+diff --git a/src/t_set.c b/src/t_set.c
+index b655b71..d50a05a 100644
+--- a/src/t_set.c
++++ b/src/t_set.c
+@@ -66,7 +66,10 @@ int setTypeAdd(robj *subject, sds value) {
+ if (success) {
+ /* Convert to regular set when the intset contains
+ * too many entries. */
+- if (intsetLen(subject->ptr) > server.set_max_intset_entries)
++ size_t max_entries = server.set_max_intset_entries;
++ /* limit to 1G entries due to intset internals. */
++ if (max_entries >= 1<<30) max_entries = 1<<30;
++ if (intsetLen(subject->ptr) > max_entries)
+ setTypeConvert(subject,OBJ_ENCODING_HT);
+ return 1;
+ }
+--
+2.17.1
+ |
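Review bot: The size bound in intsetResize is enforced only by `assert(size <= SIZE_MAX - sizeof(intset));`, and the backport adds no include to src/intset.c, so please confirm that `assert` in that file resolves to Redis's always-on assertion (redisassert.h) and not to the `<assert.h>` macro, which a build with -DNDEBUG compiles out. Where size_t is 64 bits the uint64_t product of two 32-bit values cannot exceed the limit, so the check only matters on targets with a narrower size_t; there a disabled assert would let `sizeof(intset)+size` wrap before it reaches zrealloc. Separately, the `1<<30` clamp appears twice (in rdbLoadObject and in setTypeAdd, both of which extend beyond their hunks) but only the t_set.c copy carries the explanation; the rdb.c copy would benefit from the same `/* limit to 1G entries due to intset internals. */` comment, ideally raised upstream so the backport stays identical to the referenced commit.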