Heap Buffer Overflow may lead to potential remote code execution CVE-2023-41056
parent
38c05066d1
commit
2a4788513d
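--- a/.redis.metadata
+++ b/.redis.metadata
@@ -0,0 +1,2 @@
+cd8190d9289d46be2b3a30dda14ffba8a92abbc8 redis-7.0.12.tar.gz
+b2c7f2bee8e40fc6bd5385c25429fa537e2751c5 redis-doc-c7880ba.tar.gz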
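--- a/redis-CVE-2023-41056.patch
+++ b/redis-CVE-2023-41056.patch
@@ -0,0 +1,54 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+---
+src/sds.c | 30 ++++++++++++++++--------------
+1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a3ab8e..71490d5b2522 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+* type. */
+int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+- int alloc_already_optimal = 0;
+- #if defined(USE_JEMALLOC)
+- /* je_nallocx returns the expected allocation size for the newlen.
+- * We aim to avoid calling realloc() when using Jemalloc if there is no
+- * change in the allocation size, as it incurs a cost even if the
+- * allocation size stays the same. */
+- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+- #endif
+-
+- if (use_realloc && !alloc_already_optimal) {
+- newsh = s_realloc(sh, newlen);
+- if (newsh == NULL) return NULL;
+- s = (char*)newsh+oldhdrlen;
+- } else if (!alloc_already_optimal) {
++
++ if (use_realloc) {
++ int alloc_already_optimal = 0;
++ #if defined(USE_JEMALLOC)
++ /* je_nallocx returns the expected allocation size for the newlen.
++ * We aim to avoid calling realloc() when using Jemalloc if there is no
++ * change in the allocation size, as it incurs a cost even if the
++ * allocation size stays the same. */
++ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
++ #endif
++ if (!alloc_already_optimal) {
++ newsh = s_realloc(sh, newlen);
++ if (newsh == NULL) return NULL;
++ s = (char*)newsh+oldhdrlen;
++ }
++ } else {
+newsh = s_malloc(newlen);
+if (newsh == NULL) return NULL;
+memcpy((char*)newsh+hdrlen, s, len);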
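Review bot: The jemalloc shortcut in the new `if (use_realloc) {` block of sdsResize has no comment explaining why `alloc_already_optimal` is now scoped to the realloc path, although that scoping is the whole fix. I would add above the declaration: `/* The size-already-optimal shortcut may only skip the realloc; when the header type changes, the else branch must always run. */`. According to the patch description, the old form could skip both branches and leave the sds type in the header stale, and a later clean-up that hoists the flag back out would bring that back. The change to src/sds.c also comes with no test for a resize that changes the header type while `je_nallocx(newlen, 0)` equals `zmalloc_size(sh)`, so a regression would likely go unnoticed at build time. sdsResize begins before and continues past this hunk, so the header update itself is not visible here.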
10
redis.spec
10
redis.spec
@ -23,7 +23,7 @@
|
|||||||
|
|
||||||
Name: redis
|
Name: redis
|
||||||
Version: 7.0.12
|
Version: 7.0.12
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
Summary: A persistent key-value database
|
Summary: A persistent key-value database
|
||||||
# redis, hiredis: BSD-3-Clause
|
# redis, hiredis: BSD-3-Clause
|
||||||
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
|
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
|
||||||
@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
|
|||||||
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
|
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
|
||||||
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
|
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
|
||||||
|
|
||||||
|
# Security patches
|
||||||
|
Patch100: redis-CVE-2023-41056.patch
|
||||||
|
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
%if %{with tests}
|
%if %{with tests}
|
||||||
@ -134,6 +137,7 @@ administration and development.
|
|||||||
mv ../%{name}-doc-%{doc_commit} doc
|
mv ../%{name}-doc-%{doc_commit} doc
|
||||||
%patch -P0001 -p1
|
%patch -P0001 -p1
|
||||||
%patch -P0002 -p1
|
%patch -P0002 -p1
|
||||||
|
%patch -P100 -p1
|
||||||
|
|
||||||
mv deps/lua/COPYRIGHT COPYRIGHT-lua
|
mv deps/lua/COPYRIGHT COPYRIGHT-lua
|
||||||
mv deps/jemalloc/COPYING COPYING-jemalloc
|
mv deps/jemalloc/COPYING COPYING-jemalloc
|
||||||
@ -302,6 +306,10 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
|
||||||
|
- Heap Buffer Overflow may lead to potential remote code execution
|
||||||
|
CVE-2023-41056
|
||||||
|
|
||||||
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
|
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
|
||||||
- rebase to 7.0.12 #2221899
|
- rebase to 7.0.12 #2221899
|
||||||
|
|
||||||
|