diff options
| author | Vijay Anusuri <vanusuri@mvista.com> | 2025-10-16 15:40:19 +0530 |
|---|---|---|
| committer | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-10-17 10:51:27 +0200 |
| commit | e44b4561a9970612cc195ac613dcfea98222f416 (patch) | |
| tree | 3d731f3cff28589a675066d4654e67e5b376188a | |
| parent | abe7f83cc6316818b31d44022ad50fa94117300f (diff) | |
| download | meta-openembedded-e44b4561a9970612cc195ac613dcfea98222f416.tar.gz | |
redis: Fix CVE-2025-46819
Upstream-Status: Backport from https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
| -rw-r--r-- | meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch | 161 | ||||
| -rw-r--r-- | meta-oe/recipes-extended/redis/redis_7.0.13.bb | 1 |
2 files changed, 162 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch new file mode 100644 index 0000000000..8f30cce7df --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2025-46819.patch | |||
| @@ -0,0 +1,161 @@ | |||
| 1 | From 2802b52b554cb9f0f249a24474c9fba94e933dbb Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Ozan Tezcan <ozantezcan@gmail.com> | ||
| 3 | Date: Mon, 23 Jun 2025 12:11:31 +0300 | ||
| 4 | Subject: [PATCH] LUA out-of-bound read (CVE-2025-46819) | ||
| 5 | |||
| 6 | Upstream-Status: Backport [https://github.com/redis/redis/commit/2802b52b554cb9f0f249a24474c9fba94e933dbb] | ||
| 7 | CVE: CVE-2025-46819 | ||
| 8 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 9 | --- | ||
| 10 | deps/lua/src/llex.c | 34 ++++++++++++++++++----------- | ||
| 11 | tests/unit/scripting.tcl | 47 ++++++++++++++++++++++++++++++++++++++++ | ||
| 12 | 2 files changed, 68 insertions(+), 13 deletions(-) | ||
| 13 | |||
| 14 | diff --git a/deps/lua/src/llex.c b/deps/lua/src/llex.c | ||
| 15 | index 88c6790..efad709 100644 | ||
| 16 | --- a/deps/lua/src/llex.c | ||
| 17 | +++ b/deps/lua/src/llex.c | ||
| 18 | @@ -138,6 +138,7 @@ static void inclinenumber (LexState *ls) { | ||
| 19 | |||
| 20 | |||
| 21 | void luaX_setinput (lua_State *L, LexState *ls, ZIO *z, TString *source) { | ||
| 22 | + ls->t.token = 0; | ||
| 23 | ls->decpoint = '.'; | ||
| 24 | ls->L = L; | ||
| 25 | ls->lookahead.token = TK_EOS; /* no look-ahead token */ | ||
| 26 | @@ -206,9 +207,13 @@ static void read_numeral (LexState *ls, SemInfo *seminfo) { | ||
| 27 | trydecpoint(ls, seminfo); /* try to update decimal point separator */ | ||
| 28 | } | ||
| 29 | |||
| 30 | - | ||
| 31 | -static int skip_sep (LexState *ls) { | ||
| 32 | - int count = 0; | ||
| 33 | +/* | ||
| 34 | +** reads a sequence '[=*[' or ']=*]', leaving the last bracket. | ||
| 35 | +** If a sequence is well-formed, return its number of '='s + 2; otherwise, | ||
| 36 | +** return 1 if there is no '='s or 0 otherwise (an unfinished '[==...'). | ||
| 37 | +*/ | ||
| 38 | +static size_t skip_sep (LexState *ls) { | ||
| 39 | + size_t count = 0; | ||
| 40 | int s = ls->current; | ||
| 41 | lua_assert(s == '[' || s == ']'); | ||
| 42 | save_and_next(ls); | ||
| 43 | @@ -216,11 +221,13 @@ static int skip_sep (LexState *ls) { | ||
| 44 | save_and_next(ls); | ||
| 45 | count++; | ||
| 46 | } | ||
| 47 | - return (ls->current == s) ? count : (-count) - 1; | ||
| 48 | + return (ls->current == s) ? count + 2 | ||
| 49 | + : (count == 0) ? 1 | ||
| 50 | + : 0; | ||
| 51 | } | ||
| 52 | |||
| 53 | |||
| 54 | -static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) { | ||
| 55 | +static void read_long_string (LexState *ls, SemInfo *seminfo, size_t sep) { | ||
| 56 | int cont = 0; | ||
| 57 | (void)(cont); /* avoid warnings when `cont' is not used */ | ||
| 58 | save_and_next(ls); /* skip 2nd `[' */ | ||
| 59 | @@ -270,8 +277,8 @@ static void read_long_string (LexState *ls, SemInfo *seminfo, int sep) { | ||
| 60 | } | ||
| 61 | } endloop: | ||
| 62 | if (seminfo) | ||
| 63 | - seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + (2 + sep), | ||
| 64 | - luaZ_bufflen(ls->buff) - 2*(2 + sep)); | ||
| 65 | + seminfo->ts = luaX_newstring(ls, luaZ_buffer(ls->buff) + sep, | ||
| 66 | + luaZ_bufflen(ls->buff) - 2 * sep); | ||
| 67 | } | ||
| 68 | |||
| 69 | |||
| 70 | @@ -346,9 +353,9 @@ static int llex (LexState *ls, SemInfo *seminfo) { | ||
| 71 | /* else is a comment */ | ||
| 72 | next(ls); | ||
| 73 | if (ls->current == '[') { | ||
| 74 | - int sep = skip_sep(ls); | ||
| 75 | + size_t sep = skip_sep(ls); | ||
| 76 | luaZ_resetbuffer(ls->buff); /* `skip_sep' may dirty the buffer */ | ||
| 77 | - if (sep >= 0) { | ||
| 78 | + if (sep >= 2) { | ||
| 79 | read_long_string(ls, NULL, sep); /* long comment */ | ||
| 80 | luaZ_resetbuffer(ls->buff); | ||
| 81 | continue; | ||
| 82 | @@ -360,13 +367,14 @@ static int llex (LexState *ls, SemInfo *seminfo) { | ||
| 83 | continue; | ||
| 84 | } | ||
| 85 | case '[': { | ||
| 86 | - int sep = skip_sep(ls); | ||
| 87 | - if (sep >= 0) { | ||
| 88 | + size_t sep = skip_sep(ls); | ||
| 89 | + if (sep >= 2) { | ||
| 90 | read_long_string(ls, seminfo, sep); | ||
| 91 | return TK_STRING; | ||
| 92 | } | ||
| 93 | - else if (sep == -1) return '['; | ||
| 94 | - else luaX_lexerror(ls, "invalid long string delimiter", TK_STRING); | ||
| 95 | + else if (sep == 0) /* '[=...' missing second bracket */ | ||
| 96 | + luaX_lexerror(ls, "invalid long string delimiter", TK_STRING); | ||
| 97 | + return '['; | ||
| 98 | } | ||
| 99 | case '=': { | ||
| 100 | next(ls); | ||
| 101 | diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl | ||
| 102 | index 58f2028..2ff0d44 100644 | ||
| 103 | --- a/tests/unit/scripting.tcl | ||
| 104 | +++ b/tests/unit/scripting.tcl | ||
| 105 | @@ -1070,6 +1070,53 @@ start_server {tags {"scripting"}} { | ||
| 106 | } {*Script attempted to access nonexistent global variable 'print'*} | ||
| 107 | } | ||
| 108 | |||
| 109 | +# start a new server to test the large-memory tests | ||
| 110 | +start_server {tags {"scripting external:skip large-memory"}} { | ||
| 111 | + | ||
| 112 | + test {EVAL - JSON string encoding a string larger than 2GB} { | ||
| 113 | + run_script { | ||
| 114 | + local s = string.rep("a", 1024 * 1024 * 1024) | ||
| 115 | + return #cjson.encode(s..s..s) | ||
| 116 | + } 0 | ||
| 117 | + } {3221225474} ;# length includes two double quotes at both ends | ||
| 118 | + | ||
| 119 | + test {EVAL - Test long escape sequences for strings} { | ||
| 120 | + run_script { | ||
| 121 | + -- Generate 1gb '==...==' separator | ||
| 122 | + local s = string.rep('=', 1024 * 1024) | ||
| 123 | + local t = {} for i=1,1024 do t[i] = s end | ||
| 124 | + local sep = table.concat(t) | ||
| 125 | + collectgarbage('collect') | ||
| 126 | + | ||
| 127 | + local code = table.concat({'return [',sep,'[x]',sep,']'}) | ||
| 128 | + collectgarbage('collect') | ||
| 129 | + | ||
| 130 | + -- Load the code and run it. Script will return the string length. | ||
| 131 | + -- Escape sequence: [=....=[ to ]=...=] will be ignored | ||
| 132 | + -- Actual string is a single character: 'x'. Script will return 1 | ||
| 133 | + local func = loadstring(code) | ||
| 134 | + return #func() | ||
| 135 | + } 0 | ||
| 136 | + } {1} | ||
| 137 | + | ||
| 138 | + test {EVAL - Lua can parse string with too many new lines} { | ||
| 139 | + # Create a long string consisting only of newline characters. When Lua | ||
| 140 | + # fails to parse a string, it typically includes a snippet like | ||
| 141 | + # "... near ..." in the error message to indicate the last recognizable | ||
| 142 | + # token. In this test, since the input contains only newlines, there | ||
| 143 | + # should be no identifiable token, so the error message should contain | ||
| 144 | + # only the actual error, without a near clause. | ||
| 145 | + | ||
| 146 | + run_script { | ||
| 147 | + local s = string.rep('\n', 1024 * 1024) | ||
| 148 | + local t = {} for i=1,2048 do t[#t+1] = s end | ||
| 149 | + local lines = table.concat(t) | ||
| 150 | + local fn, err = loadstring(lines) | ||
| 151 | + return err | ||
| 152 | + } 0 | ||
| 153 | + } {*chunk has too many lines} | ||
| 154 | +} | ||
| 155 | + | ||
| 156 | # Start a new server to test lua-enable-deprecated-api config | ||
| 157 | foreach enabled {no yes} { | ||
| 158 | start_server [subst {tags {"scripting external:skip"} overrides {lua-enable-deprecated-api $enabled}}] { | ||
| 159 | -- | ||
| 160 | 2.25.1 | ||
| 161 | |||
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb index be4e90564d..295dc0e429 100644 --- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb +++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb | |||
| @@ -29,6 +29,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ | |||
| 29 | file://CVE-2025-48367.patch \ | 29 | file://CVE-2025-48367.patch \ |
| 30 | file://CVE-2025-46817.patch \ | 30 | file://CVE-2025-46817.patch \ |
| 31 | file://CVE-2025-46818.patch \ | 31 | file://CVE-2025-46818.patch \ |
| 32 | file://CVE-2025-46819.patch \ | ||
| 32 | " | 33 | " |
| 33 | SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673" | 34 | SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673" |
| 34 | 35 | ||
