redis: fix CVE-2023-41056

Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4. Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-41056 Upstream-patch: https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224 Signed-off-by: Divya Chellam <divya.chellam@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Divya Chellam <divya.chellam@windriver.com> 2025-01-31 12:50:56 +0000
committer: Armin Kuster <akuster808@gmail.com> 2025-02-09 07:55:05 -0800
commit: 6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b (patch)
tree: a46fff030c702de1e7afdb637ae283ac02843f7f
parent: 2a486ee7cdd88887a671c442db7c632f851a4c97 (diff)
download: meta-openembedded-6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b.tar.gz
2 files changed, 64 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
new file mode 100644
index 0000000000..036e62c8f0
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
@@ -0,0 +1,63 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+CVE: CVE-2023-41056
+Upstream-Status: Backport [https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224]
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/sds.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a..71490d5 100644
+--- a/src/sds.c
+++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+      * type. */
+     int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+     size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+-    int alloc_already_optimal = 0;
+-    #if defined(USE_JEMALLOC)
+-        /* je_nallocx returns the expected allocation size for the newlen.
+-         * We aim to avoid calling realloc() when using Jemalloc if there is no
+-         * change in the allocation size, as it incurs a cost even if the
+-         * allocation size stays the same. */
+-        alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+-    #endif
+-
+-    if (use_realloc && !alloc_already_optimal) {
+-        newsh = s_realloc(sh, newlen);
+-        if (newsh == NULL) return NULL;
+-        s = (char*)newsh+oldhdrlen;
+-    } else if (!alloc_already_optimal) {
+
+    if (use_realloc) {
+        int alloc_already_optimal = 0;
+        #if defined(USE_JEMALLOC)
+            /* je_nallocx returns the expected allocation size for the newlen.
+             * We aim to avoid calling realloc() when using Jemalloc if there is no
+             * change in the allocation size, as it incurs a cost even if the
+             * allocation size stays the same. */
+            alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+        #endif
+        if (!alloc_already_optimal) {
+            newsh = s_realloc(sh, newlen);
+            if (newsh == NULL) return NULL;
+            s = (char*)newsh+oldhdrlen;
+        }
+    } else {
+         newsh = s_malloc(newlen);
+         if (newsh == NULL) return NULL;
+         memcpy((char*)newsh+hdrlen, s, len);
+-- 
+2.40.0
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index e88ab4ddf5..dc5f9b7a89 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0001-src-Do-not-reset-FINAL_LIBS.patch \
           file://GNU_SOURCE-7.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
+           file://CVE-2023-41056.patch \
           "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
author	Divya Chellam <divya.chellam@windriver.com>	2025-01-31 12:50:56 +0000
committer	Armin Kuster <akuster808@gmail.com>	2025-02-09 07:55:05 -0800
commit	6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b (patch)
tree	a46fff030c702de1e7afdb637ae283ac02843f7f
parent	2a486ee7cdd88887a671c442db7c632f851a4c97 (diff)
download	meta-openembedded-6bd4846b0bb266618b02be650c6cdd4b2a4f6b7b.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch new file mode 100644 index 0000000000..036e62c8f0 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
@@ -0,0 +1,63 @@
		1	From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Sun, 7 Jan 2024 12:32:44 +0200
		4	Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
		5
		6	#11766 introduced a bug in sdsResize where it could forget to update
		7	the sds type in the sds header and then cause an overflow in sdsalloc.
		8	it looks like the only implication of that is a possible assertion in HLL,
		9	but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
		10
		11	CVE: CVE-2023-41056
		12
		13	Upstream-Status: Backport [https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224]
		14
		15	Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
		16	---
		17	src/sds.c \| 30 ++++++++++++++++--------------
		18	1 file changed, 16 insertions(+), 14 deletions(-)
		19
		20	diff --git a/src/sds.c b/src/sds.c
		21	index 8e5863a..71490d5 100644
		22	--- a/src/sds.c
		23	+++ b/src/sds.c
		24	@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
		25	* type. */
		26	int use_realloc = (oldtype==type \|\| (type < oldtype && type > SDS_TYPE_8));
		27	size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
		28	- int alloc_already_optimal = 0;
		29	- #if defined(USE_JEMALLOC)
		30	- /* je_nallocx returns the expected allocation size for the newlen.
		31	- * We aim to avoid calling realloc() when using Jemalloc if there is no
		32	- * change in the allocation size, as it incurs a cost even if the
		33	- * allocation size stays the same. */
		34	- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
		35	- #endif
		36	-
		37	- if (use_realloc && !alloc_already_optimal) {
		38	- newsh = s_realloc(sh, newlen);
		39	- if (newsh == NULL) return NULL;
		40	- s = (char*)newsh+oldhdrlen;
		41	- } else if (!alloc_already_optimal) {
		42	+
		43	+ if (use_realloc) {
		44	+ int alloc_already_optimal = 0;
		45	+ #if defined(USE_JEMALLOC)
		46	+ /* je_nallocx returns the expected allocation size for the newlen.
		47	+ * We aim to avoid calling realloc() when using Jemalloc if there is no
		48	+ * change in the allocation size, as it incurs a cost even if the
		49	+ * allocation size stays the same. */
		50	+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
		51	+ #endif
		52	+ if (!alloc_already_optimal) {
		53	+ newsh = s_realloc(sh, newlen);
		54	+ if (newsh == NULL) return NULL;
		55	+ s = (char*)newsh+oldhdrlen;
		56	+ }
		57	+ } else {
		58	newsh = s_malloc(newlen);
		59	if (newsh == NULL) return NULL;
		60	memcpy((char*)newsh+hdrlen, s, len);
		61	--
		62	2.40.0
		63


diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index e88ab4ddf5..dc5f9b7a89 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \	16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \
17	file://GNU_SOURCE-7.patch \	17	file://GNU_SOURCE-7.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
		19	file://CVE-2023-41056.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"	21	SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
21		22