!40 Fix CVE-2021-3470

From: @wang_yue111 Reviewed-by: @wangxiao65,@small_leek Signed-off-by: @small_leek
2021-04-07 14:54:03 +08:00 · 2021-04-07 14:54:03 +08:00 · da3261595c
commit da3261595c
parent d5b14def4f c0d03fe00e
2 changed files with 47 additions and 2 deletions
--- a/CVE-2021-3470.patch
+++ b/CVE-2021-3470.patch
@ -0,0 +1,39 @@
+From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 7 Apr 2021 10:00:53 +0800
+Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
+
+When using a system with no malloc_usable_size(), zmalloc_size() assumed
+that the heap allocator always returns blocks that are long-padded.
+
+This may not always be the case, and will result with zmalloc_size()
+returning a size that is bigger than allocated. At least in one case
+this leads to out of bound write, process crash and a potential security
+vulnerability.
+
+Effectively this does not affect the vast majority of users, who use
+jemalloc or glibc.
+
+This problem along with a (different) fix was reported by Drew DeVault.
+
+---
+ src/zmalloc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index cc47f71..67b1b65 100644
+--- a/src/zmalloc.c
+++ b/src/zmalloc.c
+@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
+ size_t zmalloc_size(void *ptr) {
+     void *realptr = (char*)ptr-PREFIX_SIZE;
+     size_t size = *((size_t*)realptr);
+-    /* Assume at least that all the allocations are padded at sizeof(long) by
+-     * the underlying allocator. */
+-    if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
+     return size+PREFIX_SIZE;
+ }
+ #endif
+-- 
+2.23.0
+
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.11
-Release:        14
+Release:        15
 Summary:        A persistent key-value database
 License:        BSD and MIT
 URL:            https://redis.io
@ -20,6 +20,7 @@ Patch0006:      CVE-2019-10193.patch
 Patch0007:      modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.patch
 Patch0008:      huawei-deps-jemalloc-support-riscv.patch
 Patch0009:      CVE-2021-21309.patch
+Patch0010:      CVE-2021-3470.patch
 BuildRequires:     systemd
 Requires:          /bin/awk
 Requires:          logrotate
@ -45,6 +46,8 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %endif
 %patch0008 -p1
 %patch0009 -p1
+%patch0010 -p1
+
 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
 sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf
@ -101,7 +104,10 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
-* Wed 24 Mar 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-14
+* Wed Apr 07 2021 wangyue <wangyue92@huawei.com> - 4.0.11-15
+- Fix CVE-2021-3470
+
+* Wed Mar 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-14
 - change patch file in order src.rpm is same in aarch64 and x86_64
 
 * Thu Mar 11 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-13