2 files changed, 62 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch
new file mode 100644
index 0000000000..6311a5db10
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch
@@ -0,0 +1,61 @@
+From e9a1438ac4c52aa68dfa2a8324b6419356842116 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Tue, 1 Jun 2021 09:12:45 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-32625) (#9011)
+An integer overflow bug in Redis version 6.0 or newer can be exploited using the
+STRALGO LCS command to corrupt the heap and potentially result with remote code
+execution. This is a result of an incomplete fix by CVE-2021-29477.
+(cherry picked from commit 1ddecf1958924b178b76a31d989ef1e05af81964)
+CVE: CVE-2021-32625
+Upstream-Status: Backport [e9a1438ac4c52aa68dfa2a8324b6419356842116]
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+---
+ src/t_string.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+diff --git a/src/t_string.c b/src/t_string.c
+index 490d5983a..587d3aeb8 100644
+--- a/src/t_string.c
+++ b/src/t_string.c
+@@ -797,6 +797,12 @@ void stralgoLCS(client *c) {
+         goto cleanup;
+     }
+ 
+    /* Detect string truncation or later overflows. */
+    if (sdslen(a) >= UINT32_MAX-1 || sdslen(b) >= UINT32_MAX-1) {
+        addReplyError(c, "String too long for LCS");
+        goto cleanup;
+    }
+
+     /* Compute the LCS using the vanilla dynamic programming technique of
+      * building a table of LCS(x,y) substrings. */
+     uint32_t alen = sdslen(a);
+@@ -805,9 +811,19 @@ void stralgoLCS(client *c) {
+     /* Setup an uint32_t array to store at LCS[i,j] the length of the
+      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+      * we index it as LCS[j+(blen+1)*j] */
+-    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+ 
+    /* Try to allocate the LCS table, and abort on overflow or insufficient memory. */
+    unsigned long long lcssize = (unsigned long long)(alen+1)*(blen+1); /* Can't overflow due to the size limits above. */
+    unsigned long long lcsalloc = lcssize * sizeof(uint32_t);
+    uint32_t *lcs = NULL;
+    if (lcsalloc < SIZE_MAX && lcsalloc / lcssize == sizeof(uint32_t))
+        lcs = ztrymalloc(lcsalloc);
+    if (!lcs) {
+        addReplyError(c, "Insufficient memory");
+        goto cleanup;
+    }
+
+     /* Start building the LCS table. */
+     for (uint32_t i = 0; i <= alen; i++) {
+         for (uint32_t j = 0; j <= blen; j++) {
+-- 
+2.32.0
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
index a36c190af3..a9e6eaffaa 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
           file://0006-Define-correct-gregs-for-RISCV32.patch \
           file://fix-CVE-2021-29477.patch \
           file://fix-CVE-2021-29478.patch \
+           file://fix-CVE-2021-32625.patch \
           "
 SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"

diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch new file mode 100644 index 0000000000..6311a5db10 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-32625.patch
@@ -0,0 +1,61 @@
		1	From e9a1438ac4c52aa68dfa2a8324b6419356842116 Mon Sep 17 00:00:00 2001
		2	From: Oran Agra <oran@redislabs.com>
		3	Date: Tue, 1 Jun 2021 09:12:45 +0300
		4	Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-32625) (#9011)
		5
		6	An integer overflow bug in Redis version 6.0 or newer can be exploited using the
		7	STRALGO LCS command to corrupt the heap and potentially result with remote code
		8	execution. This is a result of an incomplete fix by CVE-2021-29477.
		9
		10	(cherry picked from commit 1ddecf1958924b178b76a31d989ef1e05af81964)
		11
		12
		13	CVE: CVE-2021-32625
		14	Upstream-Status: Backport [e9a1438ac4c52aa68dfa2a8324b6419356842116]
		15
		16	Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
		17	---
		18	src/t_string.c \| 18 +++++++++++++++++-
		19	1 file changed, 17 insertions(+), 1 deletion(-)
		20
		21	diff --git a/src/t_string.c b/src/t_string.c
		22	index 490d5983a..587d3aeb8 100644
		23	--- a/src/t_string.c
		24	+++ b/src/t_string.c
		25	@@ -797,6 +797,12 @@ void stralgoLCS(client *c) {
		26	goto cleanup;
		27	}
		28
		29	+ /* Detect string truncation or later overflows. */
		30	+ if (sdslen(a) >= UINT32_MAX-1 \|\| sdslen(b) >= UINT32_MAX-1) {
		31	+ addReplyError(c, "String too long for LCS");
		32	+ goto cleanup;
		33	+ }
		34	+
		35	/* Compute the LCS using the vanilla dynamic programming technique of
		36	* building a table of LCS(x,y) substrings. */
		37	uint32_t alen = sdslen(a);
		38	@@ -805,9 +811,19 @@ void stralgoLCS(client *c) {
		39	/* Setup an uint32_t array to store at LCS[i,j] the length of the
		40	* LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
		41	* we index it as LCS[j+(blen+1)j] /
		42	- uint32_t lcs = zmalloc((size_t)(alen+1)(blen+1)*sizeof(uint32_t));
		43	#define LCS(A,B) lcs[(B)+((A)*(blen+1))]
		44
		45	+ /* Try to allocate the LCS table, and abort on overflow or insufficient memory. */
		46	+ unsigned long long lcssize = (unsigned long long)(alen+1)(blen+1); / Can't overflow due to the size limits above. */
		47	+ unsigned long long lcsalloc = lcssize * sizeof(uint32_t);
		48	+ uint32_t *lcs = NULL;
		49	+ if (lcsalloc < SIZE_MAX && lcsalloc / lcssize == sizeof(uint32_t))
		50	+ lcs = ztrymalloc(lcsalloc);
		51	+ if (!lcs) {
		52	+ addReplyError(c, "Insufficient memory");
		53	+ goto cleanup;
		54	+ }
		55	+
		56	/* Start building the LCS table. */
		57	for (uint32_t i = 0; i <= alen; i++) {
		58	for (uint32_t j = 0; j <= blen; j++) {
		59	--
		60	2.32.0
		61


diff --git a/meta-oe/recipes-extended/redis/redis_6.2.2.bb b/meta-oe/recipes-extended/redis/redis_6.2.2.bb index a36c190af3..a9e6eaffaa 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.2.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.2.bb
@@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
18	file://0006-Define-correct-gregs-for-RISCV32.patch \	18	file://0006-Define-correct-gregs-for-RISCV32.patch \
19	file://fix-CVE-2021-29477.patch \	19	file://fix-CVE-2021-29477.patch \
20	file://fix-CVE-2021-29478.patch \	20	file://fix-CVE-2021-29478.patch \
		21	file://fix-CVE-2021-32625.patch \
21	"	22	"
22	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"	23	SRC_URI[sha256sum] = "7a260bb74860f1b88c3d5942bf8ba60ca59f121c6dce42d3017bed6add0b9535"
23		24