Heap Buffer Overflow may lead to potential remote code execution CVE-2023-41056
This commit is contained in:
parent
38c05066d1
commit
2a4788513d
2
.redis.metadata
Normal file
2
.redis.metadata
Normal file
@ -0,0 +1,2 @@
|
||||
cd8190d9289d46be2b3a30dda14ffba8a92abbc8 redis-7.0.12.tar.gz
|
||||
b2c7f2bee8e40fc6bd5385c25429fa537e2751c5 redis-doc-c7880ba.tar.gz
|
54
redis-CVE-2023-41056.patch
Normal file
54
redis-CVE-2023-41056.patch
Normal file
@ -0,0 +1,54 @@
|
||||
From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
|
||||
From: Oran Agra <oran@redislabs.com>
|
||||
Date: Sun, 7 Jan 2024 12:32:44 +0200
|
||||
Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
|
||||
|
||||
#11766 introduced a bug in sdsResize where it could forget to update
|
||||
the sds type in the sds header and then cause an overflow in sdsalloc.
|
||||
it looks like the only implication of that is a possible assertion in HLL,
|
||||
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
|
||||
---
|
||||
src/sds.c | 30 ++++++++++++++++--------------
|
||||
1 file changed, 16 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/sds.c b/src/sds.c
|
||||
index 8e5863a3ab8e..71490d5b2522 100644
|
||||
--- a/src/sds.c
|
||||
+++ b/src/sds.c
|
||||
@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
|
||||
* type. */
|
||||
int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
|
||||
size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
|
||||
- int alloc_already_optimal = 0;
|
||||
- #if defined(USE_JEMALLOC)
|
||||
- /* je_nallocx returns the expected allocation size for the newlen.
|
||||
- * We aim to avoid calling realloc() when using Jemalloc if there is no
|
||||
- * change in the allocation size, as it incurs a cost even if the
|
||||
- * allocation size stays the same. */
|
||||
- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
||||
- #endif
|
||||
-
|
||||
- if (use_realloc && !alloc_already_optimal) {
|
||||
- newsh = s_realloc(sh, newlen);
|
||||
- if (newsh == NULL) return NULL;
|
||||
- s = (char*)newsh+oldhdrlen;
|
||||
- } else if (!alloc_already_optimal) {
|
||||
+
|
||||
+ if (use_realloc) {
|
||||
+ int alloc_already_optimal = 0;
|
||||
+ #if defined(USE_JEMALLOC)
|
||||
+ /* je_nallocx returns the expected allocation size for the newlen.
|
||||
+ * We aim to avoid calling realloc() when using Jemalloc if there is no
|
||||
+ * change in the allocation size, as it incurs a cost even if the
|
||||
+ * allocation size stays the same. */
|
||||
+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
||||
+ #endif
|
||||
+ if (!alloc_already_optimal) {
|
||||
+ newsh = s_realloc(sh, newlen);
|
||||
+ if (newsh == NULL) return NULL;
|
||||
+ s = (char*)newsh+oldhdrlen;
|
||||
+ }
|
||||
+ } else {
|
||||
newsh = s_malloc(newlen);
|
||||
if (newsh == NULL) return NULL;
|
||||
memcpy((char*)newsh+hdrlen, s, len);
|
10
redis.spec
10
redis.spec
@ -23,7 +23,7 @@
|
||||
|
||||
Name: redis
|
||||
Version: 7.0.12
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A persistent key-value database
|
||||
# redis, hiredis: BSD-3-Clause
|
||||
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
|
||||
@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
|
||||
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
|
||||
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
|
||||
|
||||
# Security patches
|
||||
Patch100: redis-CVE-2023-41056.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
%if %{with tests}
|
||||
@ -134,6 +137,7 @@ administration and development.
|
||||
mv ../%{name}-doc-%{doc_commit} doc
|
||||
%patch -P0001 -p1
|
||||
%patch -P0002 -p1
|
||||
%patch -P100 -p1
|
||||
|
||||
mv deps/lua/COPYRIGHT COPYRIGHT-lua
|
||||
mv deps/jemalloc/COPYING COPYING-jemalloc
|
||||
@ -302,6 +306,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Tue Feb 6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
|
||||
- Heap Buffer Overflow may lead to potential remote code execution
|
||||
CVE-2023-41056
|
||||
|
||||
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
|
||||
- rebase to 7.0.12 #2221899
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user