diff options
| author | Ankur Tyagi <ankur.tyagi85@gmail.com> | 2025-10-15 16:42:43 +1300 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@intel.com> | 2025-10-30 14:43:35 +0800 |
| commit | 9795c85f02fb79c73c74b67d968014c21441905a (patch) | |
| tree | b9d86f1ea46cb29479b4d993f7b2345e3dbadbb9 /meta-networking | |
| parent | bf656aa3259875fe15fe7dcf43b4488b7258855b (diff) | |
| download | meta-openembedded-9795c85f02fb79c73c74b67d968014c21441905a.tar.gz | |
memcached: patch CVE-2023-46852
Details https://nvd.nist.gov/vuln/detail/CVE-2023-46852
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-networking')
| -rw-r--r-- | meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch | 71 | ||||
| -rw-r--r-- | meta-networking/recipes-support/memcached/memcached_1.6.17.bb | 1 |
2 files changed, 72 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch new file mode 100644 index 0000000000..2bb34af97a --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch | |||
| @@ -0,0 +1,71 @@ | |||
| 1 | From 44d8cfad2500881447cbfe2089bfd80b85ffcd7e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: dormando <dormando@rydia.net> | ||
| 3 | Date: Fri, 28 Jul 2023 10:32:16 -0700 | ||
| 4 | Subject: [PATCH] CVE-2023-46852 | ||
| 5 | |||
| 6 | proxy: fix buffer overflow with multiget syntax | ||
| 7 | |||
| 8 | "get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to | ||
| 9 | process multiget syntax. | ||
| 10 | |||
| 11 | To exploit this you must first pass the check in try_read_command_proxy: | ||
| 12 | - The request before the first newline must be less than 1024 bytes. | ||
| 13 | - If it is more than 1024 bytes there is a limit of 100 spaces. | ||
| 14 | - The key length is still checked at 250 bytes | ||
| 15 | - Meaning you have up to 772 spaces and then the key to create stack | ||
| 16 | corruption. | ||
| 17 | |||
| 18 | So the amount of data you can shove in here isn't unlimited. | ||
| 19 | |||
| 20 | The fix caps the amount of data pre-key to be reasonable. Something like | ||
| 21 | GAT needs space for a 32bit TTL which is at most going to be 15 bytes + | ||
| 22 | spaces, so we limit it to 20 bytes. | ||
| 23 | |||
| 24 | I hate hate hate hate hate the multiget syntax. hate it. | ||
| 25 | |||
| 26 | CVE: CVE-2023-46852 | ||
| 27 | Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767] | ||
| 28 | (cherry picked from commit 76a6c363c18cfe7b6a1524ae64202ac9db330767) | ||
| 29 | Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> | ||
| 30 | --- | ||
| 31 | proto_proxy.c | 16 ++++++++++++++-- | ||
| 32 | 1 file changed, 14 insertions(+), 2 deletions(-) | ||
| 33 | |||
| 34 | diff --git a/proto_proxy.c b/proto_proxy.c | ||
| 35 | index 3ee8c07..9bef26d 100644 | ||
| 36 | --- a/proto_proxy.c | ||
| 37 | +++ b/proto_proxy.c | ||
| 38 | @@ -616,6 +616,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con | ||
| 39 | return 0; | ||
| 40 | } | ||
| 41 | |||
| 42 | +// basically any data before the first key. | ||
| 43 | +// max is like 15ish plus spaces. we can be more strict about how many spaces | ||
| 44 | +// to expect because any client spamming space is being deliberately stupid | ||
| 45 | +// anyway. | ||
| 46 | +#define MAX_CMD_PREFIX 20 | ||
| 47 | + | ||
| 48 | static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) { | ||
| 49 | assert(c != NULL); | ||
| 50 | LIBEVENT_THREAD *thr = c->thread; | ||
| 51 | @@ -687,12 +693,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu | ||
| 52 | if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) { | ||
| 53 | uint32_t keyoff = pr.tokens[pr.keytoken]; | ||
| 54 | while (pr.klen != 0) { | ||
| 55 | - char temp[KEY_MAX_LENGTH + 30]; | ||
| 56 | + char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30]; | ||
| 57 | char *cur = temp; | ||
| 58 | // Core daemon can abort the entire command if one key is bad, but | ||
| 59 | // we cannot from the proxy. Instead we have to inject errors into | ||
| 60 | // the stream. This should, thankfully, be rare at least. | ||
| 61 | - if (pr.klen > KEY_MAX_LENGTH) { | ||
| 62 | + if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) { | ||
| 63 | + if (!resp_start(c)) { | ||
| 64 | + conn_set_state(c, conn_closing); | ||
| 65 | + return; | ||
| 66 | + } | ||
| 67 | + proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request"); | ||
| 68 | + } else if (pr.klen > KEY_MAX_LENGTH) { | ||
| 69 | if (!resp_start(c)) { | ||
| 70 | conn_set_state(c, conn_closing); | ||
| 71 | return; | ||
diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb index 7234f02a13..b4c1847bf6 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb | |||
| @@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ | |||
| 22 | SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ | 22 | SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ |
| 23 | file://memcached-add-hugetlbfs-check.patch \ | 23 | file://memcached-add-hugetlbfs-check.patch \ |
| 24 | file://0001-Fix-function-protypes.patch \ | 24 | file://0001-Fix-function-protypes.patch \ |
| 25 | file://CVE-2023-46852.patch \ | ||
| 25 | " | 26 | " |
| 26 | SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224" | 27 | SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224" |
| 27 | 28 | ||
