!45 [sync] PR-40: core: fix use-after-free for text multigets
From: @openeuler-sync-bot Reviewed-by: @starlet-dx Signed-off-by: @starlet-dx
This commit is contained in:
openeuler-ci-bot
Gitee
commit
415e664373
35
fix-use-after-free-for-text-multigets.patch
Normal file
35
fix-use-after-free-for-text-multigets.patch
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
From 7af02b0c875a36c61875a332dda582375014cf44 Mon Sep 17 00:00:00 2001
|
||||||
|
From: dormando <dormando@rydia.net>
|
||||||
|
Date: Tue, 11 Jan 2022 23:46:32 -0800
|
||||||
|
Subject: [PATCH] core: fix use-after-free for text multigets
|
||||||
|
|
||||||
|
Reported in #849 - this fixes copying a read buffer after freeing the
|
||||||
|
original read buffer.
|
||||||
|
|
||||||
|
This didn't matter for years since the cache code didn't touch the
|
||||||
|
buffer, but recently it can reuse the first 8 bytes as a pointer to the
|
||||||
|
internal freelist. Thus in some situations where large reads happen the
|
||||||
|
command can get corrupted, returning an unhelpful "ERROR" to the end
|
||||||
|
user.
|
||||||
|
|
||||||
|
---
|
||||||
|
memcached.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/memcached.c b/memcached.c
|
||||||
|
index 8bbdccd..2b68ca6 100644
|
||||||
|
--- a/memcached.c
|
||||||
|
+++ b/memcached.c
|
||||||
|
@@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) {
|
||||||
|
if (!tmp)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
- do_cache_free(c->thread->rbuf_cache, c->rbuf);
|
||||||
|
memcpy(tmp, c->rcurr, c->rbytes);
|
||||||
|
+ do_cache_free(c->thread->rbuf_cache, c->rbuf);
|
||||||
|
|
||||||
|
c->rcurr = c->rbuf = tmp;
|
||||||
|
c->rsize = size;
|
||||||
|
--
|
||||||
|
2.27.0
|
||||||
|
|
||||||
@ -7,7 +7,7 @@
|
|||||||
|
|
||||||
Name: memcached
|
Name: memcached
|
||||||
Version: 1.6.12
|
Version: 1.6.12
|
||||||
Release: 3
|
Release: 4
|
||||||
Epoch: 0
|
Epoch: 0
|
||||||
Summary: A high-performance, distributed memory object caching system
|
Summary: A high-performance, distributed memory object caching system
|
||||||
License: GPL-2.0+
|
License: GPL-2.0+
|
||||||
@ -18,6 +18,7 @@ Source2: memcached.sysconfig
|
|||||||
|
|
||||||
Patch0001: memcached-unit.patch
|
Patch0001: memcached-unit.patch
|
||||||
Patch0002: fix-meta-delete.patch
|
Patch0002: fix-meta-delete.patch
|
||||||
|
Patch0003: fix-use-after-free-for-text-multigets.patch
|
||||||
|
|
||||||
BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
|
BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
|
||||||
BuildRequires: selinux-policy-devel libevent-devel make gcc
|
BuildRequires: selinux-policy-devel libevent-devel make gcc
|
||||||
@ -64,6 +65,7 @@ optimised for use with this version of memcached.
|
|||||||
%setup -q -b 1
|
%setup -q -b 1
|
||||||
%patch1 -p1 -b .unit
|
%patch1 -p1 -b .unit
|
||||||
%patch2 -p1 -b .delete
|
%patch2 -p1 -b .delete
|
||||||
|
%patch3 -p1 -b .multigets
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure \
|
%configure \
|
||||||
@ -146,6 +148,9 @@ fi
|
|||||||
%{_mandir}/man1/memcached.1*
|
%{_mandir}/man1/memcached.1*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 06 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-4
|
||||||
|
- core: fix use-after-free for text multigets
|
||||||
|
|
||||||
* Fri May 31 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-3
|
* Fri May 31 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-3
|
||||||
- meta: fix meta delete
|
- meta: fix meta delete
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user