Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch')
-rw-r--r-- | meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch b/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch
new file mode 100644
index 0000000000..ec6e2fbd5b
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2021-32762.patch
@@ -0,0 +1,68 @@
+From 4b1de5438ad9ef2236c379f2f78feb9f1fd9796e Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 4 Oct 2021 12:10:17 +0300
+Subject: [PATCH] Fix redis-cli / redis-sential overflow on some platforms
+ (CVE-2021-32762) (#9587)
+
+The redis-cli command line tool and redis-sentinel service may be vulnerable
+to integer overflow when parsing specially crafted large multi-bulk network
+replies. This is a result of a vulnerability in the underlying hiredis
+library which does not perform an overflow check before calling the calloc()
+heap allocation function.
+
+This issue only impacts systems with heap allocators that do not perform their
+own overflow checks. Most modern systems do and are therefore not likely to
+be affected. Furthermore, by default redis-sentinel uses the jemalloc allocator
+which is also not vulnerable.
+
+Co-authored-by: Yossi Gottlieb <yossigo@gmail.com>
+
+CVE: CVE-2021-32762
+Upstream-Status: Backport[https://github.com/redis/redis/commit/0215324a66af949be39b34be2d55143232c1cb71]
+
+Signed-off-by: Changqing Li <changqing.li@windriver.com>
+---
+ deps/hiredis/hiredis.c | 1 +
+ deps/hiredis/test.c | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+)
+
+diff --git a/deps/hiredis/hiredis.c b/deps/hiredis/hiredis.c
+index 51f22a6..990f619 100644
+--- a/deps/hiredis/hiredis.c
++++ b/deps/hiredis/hiredis.c
+@@ -174,6 +174,7 @@ static void *createArrayObject(const redisReadTask *task, size_t elements) {
+ return NULL;
+
+ if (elements > 0) {
++ if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */
+ r->element = hi_calloc(elements,sizeof(redisReply*));
+ if (r->element == NULL) {
+ freeReplyObject(r);
+diff --git a/deps/hiredis/test.c b/deps/hiredis/test.c
+index 8295367..bdff74e 100644
+--- a/deps/hiredis/test.c
++++ b/deps/hiredis/test.c
+@@ -498,6 +498,20 @@ static void test_reply_reader(void) {
+ freeReplyObject(reply);
+ redisReaderFree(reader);
+
++ test("Multi-bulk never 
overflows regardless of maxelements: ");
++ size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3;
++ char bad_mbulk_reply[100];
++ snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n",
++ (unsigned long long) bad_mbulk_len);
++
++ reader = redisReaderCreate();
++ reader->maxelements = 0; /* Don't rely on default limit */
++ redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply));
++ ret = redisReaderGetReply(reader,&reply);
++ test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") == 0);
++ freeReplyObject(reply);
++ redisReaderFree(reader);
++
+ #if LLONG_MAX > SIZE_MAX
+ test("Set error when array > SIZE_MAX: ");
+ reader = redisReaderCreate();
+--
+2.17.1
+ |
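Review bot: The overflow guard added in createArrayObject (deps/hiredis/hiredis.c) returns NULL without releasing `r`, while the hi_calloc failure branch directly below it calls `freeReplyObject(r)` before returning, so the reply object appears to leak each time a peer sends an oversized multi-bulk count. Freeing on this path too would keep the two error exits consistent: `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; } /* Don't overflow */`. The allocation of `r` lies above the hunk, so this is inferred from the neighbouring branch rather than seen directly. Because the file is a backport, the adjustment would have to be carried as a documented local delta or raised upstream.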