!45 [sync] PR-40: core: fix use-after-free for text multigets

From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
2024-06-11 09:46:00 +00:00 · 2024-06-11 09:46:00 +00:00 · 415e664373
commit 415e664373
parent 2e8e1f92e9 002de6bfc9
2 changed files with 41 additions and 1 deletions
--- a/fix-use-after-free-for-text-multigets.patch
+++ b/fix-use-after-free-for-text-multigets.patch
@ -0,0 +1,35 @@
+From 7af02b0c875a36c61875a332dda582375014cf44 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Tue, 11 Jan 2022 23:46:32 -0800
+Subject: [PATCH] core: fix use-after-free for text multigets
+
+Reported in #849 - this fixes copying a read buffer after freeing the
+original read buffer.
+
+This didn't matter for years since the cache code didn't touch the
+buffer, but recently it can reuse the first 8 bytes as a pointer to the
+internal freelist. Thus in some situations where large reads happen the
+command can get corrupted, returning an unhelpful "ERROR" to the end
+user.
+
+---
+ memcached.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/memcached.c b/memcached.c
+index 8bbdccd..2b68ca6 100644
+--- a/memcached.c
+++ b/memcached.c
+@@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) {
+     if (!tmp)
+         return false;
+ 
+-    do_cache_free(c->thread->rbuf_cache, c->rbuf);
+     memcpy(tmp, c->rcurr, c->rbytes);
+    do_cache_free(c->thread->rbuf_cache, c->rbuf);
+ 
+     c->rcurr = c->rbuf = tmp;
+     c->rsize = size;
+-- 
+2.27.0
+
--- a/memcached.spec
+++ b/memcached.spec
@ -7,7 +7,7 @@

 Name:          memcached
 Version:       1.6.12
-Release:       3
+Release:       4
 Epoch:         0
 Summary:       A high-performance, distributed memory object caching system
 License:       GPL-2.0+
@ -18,6 +18,7 @@ Source2:       memcached.sysconfig

 Patch0001:     memcached-unit.patch
 Patch0002:     fix-meta-delete.patch
+Patch0003:     fix-use-after-free-for-text-multigets.patch

 BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
 BuildRequires: selinux-policy-devel libevent-devel make gcc
@ -64,6 +65,7 @@ optimised for use with this version of memcached.
 %setup -q -b 1
 %patch1 -p1 -b .unit
 %patch2 -p1 -b .delete
+%patch3 -p1 -b .multigets

 %build
 %configure \
@ -146,6 +148,9 @@ fi
 %{_mandir}/man1/memcached.1*

 %changelog
+* Thu Jun 06 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-4
+- core: fix use-after-free for text multigets
+
 * Fri May 31 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-3
 - meta: fix meta delete