packages/redis6
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!52 [sync] PR-45: upgrade to 6.2.7 for fix CVE-2022-24735 CVE-2022-24736 CVE-2021-29477 CVE-2021-32672

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wuzeyi1 
Signed-off-by: @wuzeyi1
This commit is contained in:
openeuler-ci-bot 2022-08-05 09:03:42 +00:00 committed by Gitee
commit 0a5e8982dc
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 11 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
CVE-2021-32626.patch
View File

@ -1,140 +0,0 @@
From 666ed7facf4524bf6d19b11b20faa2cf93fdf591 Mon Sep 17 00:00:00 2001
From: "meir@redislabs.com" <meir@redislabs.com>
Date: Sun, 13 Jun 2021 14:27:18 +0300
Subject: [PATCH] Fix invalid memory write on lua stack overflow
{CVE-2021-32626}
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When LUA call our C code, by default, the LUA stack has room for 20
elements. In most cases, this is more than enough but sometimes it's not
and the caller must verify the LUA stack size before he pushes elements.
On 3 places in the code, there was no verification of the LUA stack size.
On specific inputs this missing verification could have lead to invalid
memory write:
1. On 'luaReplyToRedisReply', one might return a nested reply that will
explode the LUA stack.
2. On 'redisProtocolToLuaType', the Redis reply might be deep enough
   to explode the LUA stack (notice that currently there is no such
   command in Redis that returns such a nested reply, but modules might
   do it)
3. On 'ldbRedis', one might give a command with enough arguments to
   explode the LUA stack (all the arguments will be pushed to the LUA
   stack)
This commit is solving all those 3 issues by calling 'lua_checkstack' and
verify that there is enough room in the LUA stack to push elements. In
case 'lua_checkstack' returns an error (there is not enough room in the
LUA stack and it's not possible to increase the stack), we will do the
following:
1. On 'luaReplyToRedisReply', we will return an error to the user.
2. On 'redisProtocolToLuaType' we will exit with panic (we assume this
scenario is rare because it can only happen with a module).
3. On 'ldbRedis', we return an error.
---
src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/scripting.c b/src/scripting.c
index dea5f516561e..afa6adb0c47e 100644
--- a/src/scripting.c
+++ b/src/scripting.c
@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) {
*/
char *redisProtocolToLuaType(lua_State *lua, char* reply) {
+
+ if (!lua_checkstack(lua, 5)) {
+ /*
+ * Increase the Lua stack if needed, to make sure there is enough room
+ * to push 5 elements to the stack. On failure, exit with panic.
+         * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate
+         * might push 5 elements to the Lua stack.*/
+ serverPanic("lua stack limit reach when parsing redis.call reply");
+ }
+
char *p = reply;
switch(*p) {
@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) {
if (atype == '%') {
p = redisProtocolToLuaType(lua,p);
} else {
+ if (!lua_checkstack(lua, 1)) {
+ /* Notice that here we need to check the stack again because the recursive
+ * call to redisProtocolToLuaType might have use the room allocated in the stack */
+ serverPanic("lua stack limit reach when parsing redis.call reply");
+ }
lua_pushboolean(lua,1);
}
lua_settable(lua,-3);
@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) {
/* Reply to client 'c' converting the top element in the Lua stack to a
* Redis reply. As a side effect the element is consumed from the stack. */
void luaReplyToRedisReply(client *c, lua_State *lua) {
+
+ if (!lua_checkstack(lua, 4)) {
+ /* Increase the Lua stack if needed to make sure there is enough room
+ * to push 4 elements to the stack. On failure, return error.
+         * Notice that we need, in the worst case, 4 elements because returning a map might
+ * require push 4 elements to the Lua stack.*/
+ addReplyErrorFormat(c, "reached lua stack limit");
+ lua_pop(lua,1); // pop the element from the stack
+ return;
+ }
+
int t = lua_type(lua,-1);
switch(t) {
@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
* field. */
/* Handle error reply. */
+ // we took care of the stack size on function start
lua_pushstring(lua,"err");
lua_gettable(lua,-2);
t = lua_type(lua,-1);
@@ -407,6 +434,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
if (t == LUA_TTABLE) {
int maplen = 0;
void *replylen = addReplyDeferredLen(c);
+ /* we took care of the stack size on function start */
lua_pushnil(lua); /* Use nil to start iteration. */
while (lua_next(lua,-2)) {
/* Stack now: table, key, value */
@@ -429,6 +457,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
if (t == LUA_TTABLE) {
int setlen = 0;
void *replylen = addReplyDeferredLen(c);
+ /* we took care of the stack size on function start */
lua_pushnil(lua); /* Use nil to start iteration. */
while (lua_next(lua,-2)) {
/* Stack now: table, key, true */
@@ -448,6 +477,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
void *replylen = addReplyDeferredLen(c);
int j = 1, mbulklen = 0;
while(1) {
+ /* we took care of the stack size on function start */
lua_pushnumber(lua,j++);
lua_gettable(lua,-2);
t = lua_type(lua,-1);
@@ -2506,6 +2536,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) {
void ldbRedis(lua_State *lua, sds *argv, int argc) {
int j, saved_rc = server.lua_replicate_commands;
+ if (!lua_checkstack(lua, argc + 1)) {
+ /* Increase the Lua stack if needed to make sure there is enough room
+ * to push 'argc + 1' elements to the stack. On failure, return error.
+         * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments
+         * given by the user (without the first argument) and we also push the 'redis' global table and
+         * 'redis.call' function so:
+         * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/
+ ldbLogRedisReply("max lua stack reached");
+ return;
+ }
+
lua_getglobal(lua,"redis");
lua_pushstring(lua,"call");
lua_gettable(lua,-2); /* Stack: redis, redis.call */

25
Modify-aarch64-architecture-jemalloc-page-size-from-from-4k-to-64k.patch
View File

@ -1,25 +1,12 @@
From 8c4c3730d69ea1e3352d35e18999d42dca4c07e5 Mon Sep 17 00:00:00 2001
From: lingsheng <lingsheng@huawei.com>
Date: Mon, 29 Mar 2021 17:37:06 +0800
Subject: [PATCH] Modify aarch64 architecture jemalloc page size from 4k to 64k
---
deps/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/Makefile b/deps/Makefile
index eb35c1e..2ba6ae3 100644
--- a/deps/Makefile
+++ b/deps/Makefile
@@ -81,7 +81,7 @@ JEMALLOC_LDFLAGS= $(LDFLAGS)
diff -Naru redis-6.2.7/deps/Makefile redis-6.2.7-new/deps/Makefile
--- redis-6.2.7/deps/Makefile 2022-04-27 21:31:52.000000000 +0800
+++ redis-6.2.7-new/deps/Makefile 2022-06-14 15:21:56.254108000 +0800
@@ -88,7 +88,7 @@
jemalloc: .make-prerequisites
@printf '%b %b\n' $(MAKECOLOR)MAKE$(ENDCOLOR) $(BINCOLOR)$@$(ENDCOLOR)
- cd jemalloc && ./configure --with-version=5.1.0-0-g0 --with-lg-quantum=3 --with-jemalloc-prefix=je_ --enable-cc-silence CFLAGS="$(JEMALLOC_CFLAGS)" LDFLAGS="$(JEMALLOC_LDFLAGS)"
+ cd jemalloc && ./configure --with-version=5.1.0-0-g0 --with-lg-quantum=3 --with-jemalloc-prefix=je_ --enable-cc-silence CFLAGS="$(JEMALLOC_CFLAGS)" LDFLAGS="$(JEMALLOC_LDFLAGS)" --with-lg-page=16
- cd jemalloc && ./configure --with-version=5.1.0-0-g0 --with-lg-quantum=3 --with-jemalloc-prefix=je_ CFLAGS="$(JEMALLOC_CFLAGS)" LDFLAGS="$(JEMALLOC_LDFLAGS)"
+ cd jemalloc && ./configure --with-version=5.1.0-0-g0 --with-lg-quantum=3 --with-jemalloc-prefix=je_ CFLAGS="$(JEMALLOC_CFLAGS)" LDFLAGS="$(JEMALLOC_LDFLAGS)" --with-lg-page=16
cd jemalloc && $(MAKE) CFLAGS="$(JEMALLOC_CFLAGS)" LDFLAGS="$(JEMALLOC_LDFLAGS)" lib/libjemalloc.a
.PHONY: jemalloc
--
2.23.0

BIN
redis-6.0.11.tar.gz
View File

Binary file not shown.

BIN
redis-6.2.7.tar.gz Normal file
View File

Binary file not shown.

9
redis6.spec
View File

@ -5,8 +5,8 @@
%global make_flags DEBUG="" V="echo" LDFLAGS="%{?__global_ldflags}" CFLAGS+="%{optflags} -fPIC" INSTALL="install -p" PREFIX=%{buildroot}%{_prefix} BUILD_WITH_SYSTEMD=yes BUILD_TLS=yes
%global Pname redis
Name: redis6
Version: 6.0.11
Release: 4
Version: 6.2.7
Release: 1
Summary: A persistent key-value database
License: BSD and MIT
URL: https://redis.io
@ -21,7 +21,6 @@ Source10: https://github.com/%{Pname}/%{Pname}-doc/archive/%{doc_comm
Patch0001: Modify-aarch64-architecture-jemalloc-page-size-from-from-4k-to-64k.patch
Patch0002: CVE-2021-32626.patch
BuildRequires: make gcc
%if %{with tests}
BuildRequires: procps-ng tcl
@ -80,7 +79,6 @@ tar -xvf %{SOURCE10}
%setup -n %{Pname}-%{version}
%ifarch aarch64
%patch0001 -p1
%patch0002 -p1
%endif
mv ../%{Pname}-doc-%{doc_commit} doc
mv deps/lua/COPYRIGHT COPYRIGHT-lua
@ -210,6 +208,9 @@ fi
%{_docdir}/%{Pname}
%changelog
* Wed Jun 15 2022 yangweidong <yangweidong9@huawei.com> - 6.2.7-1
- Fix CVE-2022-24735 CVE-2022-24736 CVE-2021-29477 CVE-2021-32672
* Thu Nov 04 2021 liwu <liwu13@huawei.com> - 6.0.11-4
- Fix CVE-2021-32626