Heap Buffer Overflow may lead to potential remote code execution CVE-2023-41056

This commit is contained in:
Remi Collet 2024-02-06 11:36:05 +01:00 committed by root
parent 38c05066d1
commit 2a4788513d
3 changed files with 65 additions and 1 deletions

2
.redis.metadata Normal file
View File

@ -0,0 +1,2 @@
cd8190d9289d46be2b3a30dda14ffba8a92abbc8 redis-7.0.12.tar.gz
b2c7f2bee8e40fc6bd5385c25429fa537e2751c5 redis-doc-c7880ba.tar.gz

View File

@ -0,0 +1,54 @@
From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Sun, 7 Jan 2024 12:32:44 +0200
Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
#11766 introduced a bug in sdsResize where it could forget to update
the sds type in the sds header and then cause an overflow in sdsalloc.
it looks like the only implication of that is a possible assertion in HLL,
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
---
src/sds.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/sds.c b/src/sds.c
index 8e5863a3ab8e..71490d5b2522 100644
--- a/src/sds.c
+++ b/src/sds.c
@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
* type. */
int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
- int alloc_already_optimal = 0;
- #if defined(USE_JEMALLOC)
- /* je_nallocx returns the expected allocation size for the newlen.
- * We aim to avoid calling realloc() when using Jemalloc if there is no
- * change in the allocation size, as it incurs a cost even if the
- * allocation size stays the same. */
- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
- #endif
-
- if (use_realloc && !alloc_already_optimal) {
- newsh = s_realloc(sh, newlen);
- if (newsh == NULL) return NULL;
- s = (char*)newsh+oldhdrlen;
- } else if (!alloc_already_optimal) {
+
+ if (use_realloc) {
+ int alloc_already_optimal = 0;
+ #if defined(USE_JEMALLOC)
+ /* je_nallocx returns the expected allocation size for the newlen.
+ * We aim to avoid calling realloc() when using Jemalloc if there is no
+ * change in the allocation size, as it incurs a cost even if the
+ * allocation size stays the same. */
+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+ #endif
+ if (!alloc_already_optimal) {
+ newsh = s_realloc(sh, newlen);
+ if (newsh == NULL) return NULL;
+ s = (char*)newsh+oldhdrlen;
+ }
+ } else {
newsh = s_malloc(newlen);
if (newsh == NULL) return NULL;
memcpy((char*)newsh+hdrlen, s, len);

View File

@ -23,7 +23,7 @@
Name: redis
Version: 7.0.12
Release: 1%{?dist}
Release: 2%{?dist}
Summary: A persistent key-value database
# redis, hiredis: BSD-3-Clause
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
# Security patches
Patch100: redis-CVE-2023-41056.patch
BuildRequires: make
BuildRequires: gcc
%if %{with tests}
@ -134,6 +137,7 @@ administration and development.
mv ../%{name}-doc-%{doc_commit} doc
%patch -P0001 -p1
%patch -P0002 -p1
%patch -P100 -p1
mv deps/lua/COPYRIGHT COPYRIGHT-lua
mv deps/jemalloc/COPYING COPYING-jemalloc
@ -302,6 +306,10 @@ fi
%changelog
* Tue Feb 6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
- Heap Buffer Overflow may lead to potential remote code execution
CVE-2023-41056
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
- rebase to 7.0.12 #2221899