redis: fix CVE-2021-29477

This patch backports the fix for CVE-2021-29477. CVE: CVE-2021-29477 Upstream-Status: Backport [https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9] An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Tony Tascioglu <tony.tascioglu@windriver.com> 2021-07-16 11:47:32 -0700
committer: Armin Kuster <akuster808@gmail.com> 2021-07-17 16:14:02 -0700
commit: 5865a7684755011d45c4f51d4227851c641d9eea (patch)
tree: 07ac8225dd552a8f998c1610067e3f56c1d5ba31
parent: 98e00710b7c1cf20092b8ff8fa7c01f153ff95ab (diff)
download: meta-openembedded-5865a7684755011d45c4f51d4227851c641d9eea.tar.gz
2 files changed, 36 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
new file mode 100644
index 0000000000..a5e5a1ba55
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
@@ -0,0 +1,35 @@
+From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:32:31 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result with remote
+code execution.
+CVE: CVE-2021-29477
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ src/t_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/t_string.c b/src/t_string.c
+index 9228c5ed0..db6f7042e 100644
+--- a/src/t_string.c
+++ b/src/t_string.c
+@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
+     /* Setup an uint32_t array to store at LCS[i,j] the length of the
+      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+      * we index it as LCS[j+(blen+1)*j] */
+-    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+ 
+     /* Start building the LCS table. */
+-- 
+2.32.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index 65b525709e..e89bb50f15 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0001-src-Do-not-reset-FINAL_LIBS.patch \
           file://GNU_SOURCE.patch \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
+           file://fix-CVE-2021-29477.patch \
           "
 SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
author	Tony Tascioglu <tony.tascioglu@windriver.com>	2021-07-16 11:47:32 -0700
committer	Armin Kuster <akuster808@gmail.com>	2021-07-17 16:14:02 -0700
commit	5865a7684755011d45c4f51d4227851c641d9eea (patch)
tree	07ac8225dd552a8f998c1610067e3f56c1d5ba31
parent	98e00710b7c1cf20092b8ff8fa7c01f153ff95ab (diff)
download	meta-openembedded-5865a7684755011d45c4f51d4227851c641d9eea.tar.gz

diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch new file mode 100644 index 0000000000..a5e5a1ba55 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
@@ -0,0 +1,35 @@
		1	From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Mon, 3 May 2021 08:32:31 +0300
		4	Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
		5
		6	An integer overflow bug in Redis version 6.0 or newer could be exploited using
		7	the STRALGO LCS command to corrupt the heap and potentially result with remote
		8	code execution.
		9
		10	CVE: CVE-2021-29477
		11	Upstream-Status: Backport
		12	[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
		13
		14	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		15
		16	---
		17	src/t_string.c \| 2 +-
		18	1 file changed, 1 insertion(+), 1 deletion(-)
		19
		20	diff --git a/src/t_string.c b/src/t_string.c
		21	index 9228c5ed0..db6f7042e 100644
		22	--- a/src/t_string.c
		23	+++ b/src/t_string.c
		24	@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
		25	/* Setup an uint32_t array to store at LCS[i,j] the length of the
		26	* LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
		27	* we index it as LCS[j+(blen+1)j] /
		28	- uint32_t lcs = zmalloc((alen+1)(blen+1)*sizeof(uint32_t));
		29	+ uint32_t lcs = zmalloc((size_t)(alen+1)(blen+1)*sizeof(uint32_t));
		30	#define LCS(A,B) lcs[(B)+((A)*(blen+1))]
		31
		32	/* Start building the LCS table. */
		33	--
		34	2.32.0
		35


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb index 65b525709e..e89bb50f15 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \	16	file://0001-src-Do-not-reset-FINAL_LIBS.patch \
17	file://GNU_SOURCE.patch \	17	file://GNU_SOURCE.patch \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
		19	file://fix-CVE-2021-29477.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"	21	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
21		22