import CS redis-7.0.12-2.module_el9+978+267ab8ff

This commit is contained in:
eabdullin 2024-03-28 14:22:13 +00:00
parent e1e3d66796
commit 5548e657ae
2 changed files with 63 additions and 1 deletions

View File

@ -0,0 +1,54 @@
From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Sun, 7 Jan 2024 12:32:44 +0200
Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
#11766 introduced a bug in sdsResize where it could forget to update
the sds type in the sds header and then cause an overflow in sdsalloc.
it looks like the only implication of that is a possible assertion in HLL,
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
---
src/sds.c | 30 ++++++++++++++++--------------
1 file changed, 16 insertions(+), 14 deletions(-)
diff --git a/src/sds.c b/src/sds.c
index 8e5863a3ab8e..71490d5b2522 100644
--- a/src/sds.c
+++ b/src/sds.c
@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
* type. */
int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
- int alloc_already_optimal = 0;
- #if defined(USE_JEMALLOC)
- /* je_nallocx returns the expected allocation size for the newlen.
- * We aim to avoid calling realloc() when using Jemalloc if there is no
- * change in the allocation size, as it incurs a cost even if the
- * allocation size stays the same. */
- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
- #endif
-
- if (use_realloc && !alloc_already_optimal) {
- newsh = s_realloc(sh, newlen);
- if (newsh == NULL) return NULL;
- s = (char*)newsh+oldhdrlen;
- } else if (!alloc_already_optimal) {
+
+ if (use_realloc) {
+ int alloc_already_optimal = 0;
+ #if defined(USE_JEMALLOC)
+ /* je_nallocx returns the expected allocation size for the newlen.
+ * We aim to avoid calling realloc() when using Jemalloc if there is no
+ * change in the allocation size, as it incurs a cost even if the
+ * allocation size stays the same. */
+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+ #endif
+ if (!alloc_already_optimal) {
+ newsh = s_realloc(sh, newlen);
+ if (newsh == NULL) return NULL;
+ s = (char*)newsh+oldhdrlen;
+ }
+ } else {
newsh = s_malloc(newlen);
if (newsh == NULL) return NULL;
memcpy((char*)newsh+hdrlen, s, len);

View File

@ -23,7 +23,7 @@
Name: redis
Version: 7.0.12
Release: 1%{?dist}
Release: 2%{?dist}
Summary: A persistent key-value database
# redis, hiredis: BSD-3-Clause
# hdrhistogram, jemalloc, lzf, linenoise: BSD-2-Clause
@ -48,6 +48,9 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
Patch0002: 0002-deps-jemalloc-Do-not-force-building-in-gnu99-mode.patch
# Security patches
Patch100: redis-CVE-2023-41056.patch
BuildRequires: make
BuildRequires: gcc
%if %{with tests}
@ -134,6 +137,7 @@ administration and development.
mv ../%{name}-doc-%{doc_commit} doc
%patch -P0001 -p1
%patch -P0002 -p1
%patch -P100 -p1
mv deps/lua/COPYRIGHT COPYRIGHT-lua
mv deps/jemalloc/COPYING COPYING-jemalloc
@ -302,6 +306,10 @@ fi
%changelog
* Tue Feb 6 2024 Remi Collet <rcollet@redhat.com> - 7.0.12-2
- Heap Buffer Overflow may lead to potential remote code execution
CVE-2023-41056
* Tue Jul 11 2023 Remi Collet <rcollet@redhat.com> - 7.0.12-1
- rebase to 7.0.12 #2221899