packages/redis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2021-3470

Browse Source
This commit is contained in:
wang_yue111 2021-04-07 10:07:33 +08:00
parent d5b14def4f
commit c0d03fe00e
2 changed files with 47 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
CVE-2021-3470.patch Normal file
View File

@ -0,0 +1,39 @@
From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 7 Apr 2021 10:00:53 +0800
Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
When using a system with no malloc_usable_size(), zmalloc_size() assumed
that the heap allocator always returns blocks that are long-padded.
This may not always be the case, and will result with zmalloc_size()
returning a size that is bigger than allocated. At least in one case
this leads to out of bound write, process crash and a potential security
vulnerability.
Effectively this does not affect the vast majority of users, who use
jemalloc or glibc.
This problem along with a (different) fix was reported by Drew DeVault.
---
src/zmalloc.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/zmalloc.c b/src/zmalloc.c
index cc47f71..67b1b65 100644
--- a/src/zmalloc.c
+++ b/src/zmalloc.c
@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
size_t zmalloc_size(void *ptr) {
void *realptr = (char*)ptr-PREFIX_SIZE;
size_t size = *((size_t*)realptr);
- /* Assume at least that all the allocations are padded at sizeof(long) by
- * the underlying allocator. */
- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
return size+PREFIX_SIZE;
}
#endif
--
2.23.0

10
redis.spec
View File

@ -1,6 +1,6 @@
Name: redis Name: redis
Version: 4.0.11 Version: 4.0.11
Release: 14 Release: 15
Summary: A persistent key-value database Summary: A persistent key-value database
License: BSD and MIT License: BSD and MIT
URL: https://redis.io URL: https://redis.io
@ -20,6 +20,7 @@ Patch0006: CVE-2019-10193.patch
Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.patch Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.patch
Patch0008: huawei-deps-jemalloc-support-riscv.patch Patch0008: huawei-deps-jemalloc-support-riscv.patch
Patch0009: CVE-2021-21309.patch Patch0009: CVE-2021-21309.patch
Patch0010: CVE-2021-3470.patch
BuildRequires: systemd BuildRequires: systemd
Requires: /bin/awk Requires: /bin/awk
Requires: logrotate Requires: logrotate
@ -45,6 +46,8 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
%endif %endif
%patch0008 -p1 %patch0008 -p1
%patch0009 -p1 %patch0009 -p1
%patch0010 -p1
sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf
@ -101,7 +104,10 @@ exit 0
%{_unitdir}/%{name}-sentinel.service %{_unitdir}/%{name}-sentinel.service
%changelog %changelog
* Wed 24 Mar 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-14 * Wed Apr 07 2021 wangyue <wangyue92@huawei.com> - 4.0.11-15
- Fix CVE-2021-3470
* Wed Mar 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-14
- change patch file in order src.rpm is same in aarch64 and x86_64 - change patch file in order src.rpm is same in aarch64 and x86_64
* Thu Mar 11 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-13 * Thu Mar 11 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-13