Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch')
-rw-r--r--meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch
new file mode 100644
index 0000000000..ec6e2fbd5b
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch
@@ -0,0 +1,68 @@
+From 4b1de5438ad9ef2236c379f2f78feb9f1fd9796e Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 4 Oct 2021 12:10:17 +0300
+Subject: [PATCH] Fix redis-cli / redis-sential overflow on some platforms
+ (CVE-2021-32762) (#9587)
+
+The redis-cli command line tool and redis-sentinel service may be vulnerable
+to integer overflow when parsing specially crafted large multi-bulk network
+replies. This is a result of a vulnerability in the underlying hiredis
+library which does not perform an overflow check before calling the calloc()
+heap allocation function.
+
+This issue only impacts systems with heap allocators that do not perform their
+own overflow checks. Most modern systems do and are therefore not likely to
+be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator
+which is also not vulnerable.
+
+Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
+
+CVE: CVE-2021-32762
+Upstream-Status: Backport[https://github.com/redis/redis/commit/0215324a66af949be39b34be2d55143232c1cb71]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ deps/hiredis/hiredis.c | 1 +
+ deps/hiredis/test.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/deps/hiredis/hiredis.c b/deps/hiredis/hiredis.c
+index 51f22a6..990f619 100644
+--- a/deps/hiredis/hiredis.c
++++ b/deps/hiredis/hiredis.c
+@@ -174,6 +174,7 @@ static void *createArrayObject(const redisReadTask *task, size_t elements) {
+ return NULL;
+
+ if (elements > 0) {
++ if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */
+ r->element = hi_calloc(elements,sizeof(redisReply*));
+ if (r->element == NULL) {
+ freeReplyObject(r);
+diff --git a/deps/hiredis/test.c b/deps/hiredis/test.c
+index 8295367..bdff74e 100644
+--- a/deps/hiredis/test.c
++++ b/deps/hiredis/test.c
+@@ -498,6 +498,20 @@ static void test_reply_reader(void) {
+ freeReplyObject(reply);
+ redisReaderFree(reader);
+
++ test("Multi-bulk never overflows regardless of maxelements: ");
++ size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3;
++ char bad_mbulk_reply[100];
++ snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n",
++ (unsigned long long) bad_mbulk_len);
++
++ reader = redisReaderCreate();
++ reader->maxelements = 0; /* Don't rely on default limit */
++ redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply));
++ ret = redisReaderGetReply(reader,&reply);
++ test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") == 0);
++ freeReplyObject(reply);
++ redisReaderFree(reader);
++
+ #if LLONG_MAX > SIZE_MAX
+ test("Set error when array > SIZE_MAX: ");
+ reader = redisReaderCreate();
+--
+2.17.1
+
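Review bot: In the deps/hiredis/hiredis.c hunk, the added overflow guard in createArrayObject returns NULL without releasing `r`, whereas the hi_calloc failure path just below it calls `freeReplyObject(r)` before returning. The start of the function is outside the hunk, so it is inferred from the context lines that `r` is already allocated at this point; if so, every rejected oversized multi-bulk header leaks one reply object, and the element count is taken from the network reply. The guard could free it the same way: `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; } /* Don't overflow */`. Because this recipe patch is marked as a backport, a deviation like this should be recorded in the patch header or raised upstream rather than changed silently.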