redis: fix CVE-2024-31228

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. References: https://security-tracker.debian.org/tracker/CVE-2024-31228 Upstream-patch: https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-01-31 12:50:59 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:14 -0800
commit: 42df84dcf334714336fe90fa92d59f7786802a39 (patch)
tree: 779d0ef04fcb731c0818957579f0256d3535c616
parent: 58aae3874f304e54446d37e5cb5aa24c47300f45 (diff)
download: meta-openembedded-42df84dcf334714336fe90fa92d59f7786802a39.tar.gz
4 files changed, 138 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
new file mode 100644
index 0000000000..deb9033c60
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
@@ -0,0 +1,68 @@
+From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+CVE: CVE-2024-31228
+Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/util.c              | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/src/util.c b/src/util.c
+index 8ce2c5f..3a4c9b0 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -51,8 +51,11 @@
+ 
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
+    /* Protection against abusive patterns. */
+    if (nesting > 1000) return 0;
+
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+         case '*':
+@@ -64,7 +67,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+                 return 1; /* match */
+             while(stringLen) {
+                 if (stringmatchlen_impl(pattern+1, patternLen-1,
+-                            string, stringLen, nocase, skipLongerMatches))
+                            string, stringLen, nocase, skipLongerMatches, nesting+1))
+                     return 1; /* match */
+                 if (*skipLongerMatches)
+                     return 0; /* no match */
+@@ -186,7 +189,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+         const char *string, int stringLen, int nocase) {
+     int skipLongerMatches = 0;
+-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+ 
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 437f71f..988389f 100644
+--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
+@@ -495,4 +495,10 @@ start_server {tags {"keyspace"}} {
+         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+     } {}
+
+    test {Regression for pattern matching very long nested loops} {
+        r flushdb
+        r SET [string repeat "a" 50000] 1
+        r KEYS [string repeat "*?" 50000]
+    } {}
+ }
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch
new file mode 100644
index 0000000000..d86e6c9e72
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch
@@ -0,0 +1,68 @@
+From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+CVE: CVE-2024-31228
+Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/util.c              | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/src/util.c b/src/util.c
+index e122a26..5763a2b 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -46,8 +46,11 @@
+ 
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
+    /* Protection against abusive patterns. */
+    if (nesting > 1000) return 0;
+
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+         case '*':
+@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+                 return 1; /* match */
+             while(stringLen) {
+                 if (stringmatchlen_impl(pattern+1, patternLen-1,
+-                            string, stringLen, nocase, skipLongerMatches))
+                            string, stringLen, nocase, skipLongerMatches, nesting+1))
+                     return 1; /* match */
+                 if (*skipLongerMatches)
+                     return 0; /* no match */
+@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+         const char *string, int stringLen, int nocase) {
+     int skipLongerMatches = 0;
+-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+ 
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 92029a7..70bc252 100644
+--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
+@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} {
+         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+     } {}
+
+    test {Regression for pattern matching very long nested loops} {
+        r flushdb
+        r SET [string repeat "a" 50000] 1
+        r KEYS [string repeat "*?" 50000]
+    } {}
+ }
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index 52dcffedb8..bea98100a7 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://GNU_SOURCE.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
           file://CVE-2023-45145.patch \
+           file://CVE-2024-31228.patch \
           "
 SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 6a2a7ce966..249f002a1b 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://CVE-2023-41056.patch \
           file://CVE-2023-45145.patch \
           file://CVE-2024-31227.patch \
+           file://CVE-2024-31228.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-01-31 12:50:59 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:14 -0800
commit	42df84dcf334714336fe90fa92d59f7786802a39 (patch)
tree	779d0ef04fcb731c0818957579f0256d3535c616
parent	58aae3874f304e54446d37e5cb5aa24c47300f45 (diff)
download	meta-openembedded-42df84dcf334714336fe90fa92d59f7786802a39.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch new file mode 100644 index 0000000000..deb9033c60 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
@@ -0,0 +1,68 @@
		1	From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Wed, 2 Oct 2024 20:11:01 +0300
		4	Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
		5
		6	CVE: CVE-2024-31228
		7
		8	Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
		9
		10	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		11	---
		12	src/util.c \| 9 ++++++---
		13	tests/unit/keyspace.tcl \| 6 ++++++
		14	2 files changed, 12 insertions(+), 3 deletions(-)
		15
		16	diff --git a/src/util.c b/src/util.c
		17	index 8ce2c5f..3a4c9b0 100644
		18	--- a/src/util.c
		19	+++ b/src/util.c
		20	@@ -51,8 +51,11 @@
		21
		22	/* Glob-style pattern matching. */
		23	static int stringmatchlen_impl(const char *pattern, int patternLen,
		24	- const char string, int stringLen, int nocase, int skipLongerMatches)
		25	+ const char string, int stringLen, int nocase, int skipLongerMatches, int nesting)
		26	{
		27	+ /* Protection against abusive patterns. */
		28	+ if (nesting > 1000) return 0;
		29	+
		30	while(patternLen && stringLen) {
		31	switch(pattern[0]) {
		32	case '*':
		33	@@ -64,7 +67,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
		34	return 1; /* match */
		35	while(stringLen) {
		36	if (stringmatchlen_impl(pattern+1, patternLen-1,
		37	- string, stringLen, nocase, skipLongerMatches))
		38	+ string, stringLen, nocase, skipLongerMatches, nesting+1))
		39	return 1; /* match */
		40	if (*skipLongerMatches)
		41	return 0; /* no match */
		42	@@ -186,7 +189,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
		43	int stringmatchlen(const char *pattern, int patternLen,
		44	const char *string, int stringLen, int nocase) {
		45	int skipLongerMatches = 0;
		46	- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
		47	+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
		48	}
		49
		50	int stringmatch(const char pattern, const char string, int nocase) {
		51	diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
		52	index 437f71f..988389f 100644
		53	--- a/tests/unit/keyspace.tcl
		54	+++ b/tests/unit/keyspace.tcl
		55	@@ -495,4 +495,10 @@ start_server {tags {"keyspace"}} {
		56	r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
		57	r KEYS "aaaaaaaaaaaaaaaaaaaab"
		58	} {}
		59	+
		60	+ test {Regression for pattern matching very long nested loops} {
		61	+ r flushdb
		62	+ r SET [string repeat "a" 50000] 1
		63	+ r KEYS [string repeat "*?" 50000]
		64	+ } {}
		65	}
		66	--
		67	2.40.0
		68


diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch new file mode 100644 index 0000000000..d86e6c9e72 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch
@@ -0,0 +1,68 @@
		1	From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Wed, 2 Oct 2024 20:11:01 +0300
		4	Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
		5
		6	CVE: CVE-2024-31228
		7
		8	Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
		9
		10	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		11	---
		12	src/util.c \| 9 ++++++---
		13	tests/unit/keyspace.tcl \| 6 ++++++
		14	2 files changed, 12 insertions(+), 3 deletions(-)
		15
		16	diff --git a/src/util.c b/src/util.c
		17	index e122a26..5763a2b 100644
		18	--- a/src/util.c
		19	+++ b/src/util.c
		20	@@ -46,8 +46,11 @@
		21
		22	/* Glob-style pattern matching. */
		23	static int stringmatchlen_impl(const char *pattern, int patternLen,
		24	- const char string, int stringLen, int nocase, int skipLongerMatches)
		25	+ const char string, int stringLen, int nocase, int skipLongerMatches, int nesting)
		26	{
		27	+ /* Protection against abusive patterns. */
		28	+ if (nesting > 1000) return 0;
		29	+
		30	while(patternLen && stringLen) {
		31	switch(pattern[0]) {
		32	case '*':
		33	@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
		34	return 1; /* match */
		35	while(stringLen) {
		36	if (stringmatchlen_impl(pattern+1, patternLen-1,
		37	- string, stringLen, nocase, skipLongerMatches))
		38	+ string, stringLen, nocase, skipLongerMatches, nesting+1))
		39	return 1; /* match */
		40	if (*skipLongerMatches)
		41	return 0; /* no match */
		42	@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
		43	int stringmatchlen(const char *pattern, int patternLen,
		44	const char *string, int stringLen, int nocase) {
		45	int skipLongerMatches = 0;
		46	- return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
		47	+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
		48	}
		49
		50	int stringmatch(const char pattern, const char string, int nocase) {
		51	diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
		52	index 92029a7..70bc252 100644
		53	--- a/tests/unit/keyspace.tcl
		54	+++ b/tests/unit/keyspace.tcl
		55	@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} {
		56	r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
		57	r KEYS "aaaaaaaaaaaaaaaaaaaab"
		58	} {}
		59	+
		60	+ test {Regression for pattern matching very long nested loops} {
		61	+ r flushdb
		62	+ r SET [string repeat "a" 50000] 1
		63	+ r KEYS [string repeat "*?" 50000]
		64	+ } {}
		65	}
		66	--
		67	2.40.0
		68


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb index 52dcffedb8..bea98100a7 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
17	file://GNU_SOURCE.patch \	17	file://GNU_SOURCE.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
19	file://CVE-2023-45145.patch \	19	file://CVE-2023-45145.patch \
		20	file://CVE-2024-31228.patch \
20	"	21	"
21	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"	22	SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
22		23


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index 6a2a7ce966..249f002a1b 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -19,6 +19,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
19	file://CVE-2023-41056.patch \	19	file://CVE-2023-41056.patch \
20	file://CVE-2023-45145.patch \	20	file://CVE-2023-45145.patch \
21	file://CVE-2024-31227.patch \	21	file://CVE-2024-31227.patch \
		22	file://CVE-2024-31228.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	24	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
24		25