diff --git a/[refs] b/[refs] index cffc6027b48..4f4a8070a46 100644 --- a/[refs] +++ b/[refs] @@ -40,6 +40,6 @@ refs/heads/dunfell-next: 85f8047c71047d93cf79a954142157f85079968d refs/heads/gatesgarth-next: f3f7a5f1a4713f145107bb043e0d14cb3a51c62f refs/heads/gatesgarth: f3f7a5f1a4713f145107bb043e0d14cb3a51c62f refs/heads/hardknott: d323115ecd437e397bd504758ba52988900f4747 -refs/heads/hardknott-next: b2c8972406a263fac9e8b8f3a41251b6d451ef10 +refs/heads/hardknott-next: acf5769aff4edb67b187d70ac339a6484e1cc527 refs/heads/kraj/dunfell: 7bd47ef6c98323c95a9e527129dca98c9a65ee08 refs/heads/jansa/master: de38849b30cf533705c7b42b28863bcd910c6dbf diff --git a/branches/hardknott-next/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch b/branches/hardknott-next/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch new file mode 100644 index 00000000000..6311a5db104 --- /dev/null +++ b/branches/hardknott-next/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch @@ -0,0 +1,61 @@ +From e9a1438ac4c52aa68dfa2a8324b6419356842116 Mon Sep 17 00:00:00 2001 +From: Oran Agra +Date: Tue, 1 Jun 2021 09:12:45 +0300 +Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-32625) (#9011) + +An integer overflow bug in Redis version 6.0 or newer can be exploited using the +STRALGO LCS command to corrupt the heap and potentially result with remote code +execution. This is a result of an incomplete fix by CVE-2021-29477. + +(cherry picked from commit 1ddecf1958924b178b76a31d989ef1e05af81964) + + +CVE: CVE-2021-32625 +Upstream-Status: Backport [e9a1438ac4c52aa68dfa2a8324b6419356842116] + +Signed-off-by: Tony Tascioglu +--- + src/t_string.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/src/t_string.c b/src/t_string.c +index 490d5983a..587d3aeb8 100644 +--- a/src/t_string.c ++++ b/src/t_string.c +@@ -797,6 +797,12 @@ void stralgoLCS(client *c) { + goto cleanup; + } + ++ /* Detect string truncation or later overflows. */ ++ if (sdslen(a) >= UINT32_MAX-1 || sdslen(b) >= UINT32_MAX-1) { ++ addReplyError(c, "String too long for LCS"); ++ goto cleanup; ++ } ++ + /* Compute the LCS using the vanilla dynamic programming technique of + * building a table of LCS(x,y) substrings. */ + uint32_t alen = sdslen(a); +@@ -805,9 +811,19 @@ void stralgoLCS(client *c) { + /* Setup an uint32_t array to store at LCS[i,j] the length of the + * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so + * we index it as LCS[j+(blen+1)*j] */ +- uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t)); + #define LCS(A,B) lcs[(B)+((A)*(blen+1))] + ++ /* Try to allocate the LCS table, and abort on overflow or insufficient memory. */ ++ unsigned long long lcssize = (unsigned long long)(alen+1)*(blen+1); /* Can't overflow due to the size limits above. */ ++ unsigned long long lcsalloc = lcssize * sizeof(uint32_t); ++ uint32_t *lcs = NULL; ++ if (lcsalloc < SIZE_MAX && lcsalloc / lcssize == sizeof(uint32_t)) ++ lcs = ztrymalloc(lcsalloc); ++ if (!lcs) { ++ addReplyError(c, "Insufficient memory"); ++ goto cleanup; ++ } ++ + /* Start building the LCS table. */ + for (uint32_t i = 0; i <= alen; i++) { + for (uint32_t j = 0; j <= blen; j++) { +-- +2.32.0 + diff --git a/branches/hardknott-next/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/branches/hardknott-next/meta-oe/recipes-extended/redis/redis_6.2.2.bb index a36c190af31..a9e6eaffaa2 100644 --- a/branches/hardknott-next/meta-oe/recipes-extended/redis/redis_6.2.2.bb +++ b/branches/hardknott-next/meta-oe/recipes-extended/redis/redis_6.2.2.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://fix-CVE-2021-29477.patch \ file://fix-CVE-2021-29478.patch \ + file://fix-CVE-2021-32625.patch \ " SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"