diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
new file mode 100644
index 0000000000..036e62c8f0
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2023-41056.patch
@@ -0,0 +1,63 @@
+From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Sun, 7 Jan 2024 12:32:44 +0200
+Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
+
+#11766 introduced a bug in sdsResize where it could forget to update
+the sds type in the sds header and then cause an overflow in sdsalloc.
+it looks like the only implication of that is a possible assertion in HLL,
+but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
+
+CVE: CVE-2023-41056
+
+Upstream-Status: Backport [https://github.com/redis/redis/commit/e351099e1119fb89496be578f5232c61ce300224]
+
+Signed-off-by: Divya Chellam
+---
+ src/sds.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/src/sds.c b/src/sds.c
+index 8e5863a..71490d5 100644
+--- a/src/sds.c
++++ b/src/sds.c
+@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
+ * type. */
+ int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
+ size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
+- int alloc_already_optimal = 0;
+- #if defined(USE_JEMALLOC)
+- /* je_nallocx returns the expected allocation size for the newlen.
+- * We aim to avoid calling realloc() when using Jemalloc if there is no
+- * change in the allocation size, as it incurs a cost even if the
+- * allocation size stays the same. */
+- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
+- #endif
+-
+- if (use_realloc && !alloc_already_optimal) {
+- newsh = s_realloc(sh, newlen);
+- if (newsh == NULL) return NULL;
+- s = (char*)newsh+oldhdrlen;
+- } else if (!alloc_already_optimal) {
++
++ if (use_realloc) {
++ int alloc_already_optimal = 0;
++ #if defined(USE_JEMALLOC)
++ /* je_nallocx returns the expected allocation size for the newlen.
++ * We aim to avoid calling realloc() when using Jemalloc if there is no
++ * change in the allocation size, as it incurs a cost even if the
++ * allocation size stays the same. */
++ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
++ #endif
++ if (!alloc_already_optimal) {
++ newsh = s_realloc(sh, newlen);
++ if (newsh == NULL) return NULL;
++ s = (char*)newsh+oldhdrlen;
++ }
++ } else {
+ newsh = s_malloc(newlen);
+ if (newsh == NULL) return NULL;
+ memcpy((char*)newsh+hdrlen, s, len);
+--
+2.40.0
+
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index e88ab4ddf5..dc5f9b7a89 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
 file://0001-src-Do-not-reset-FINAL_LIBS.patch \
 file://GNU_SOURCE-7.patch \
 file://0006-Define-correct-gregs-for-RISCV32.patch \
+ file://CVE-2023-41056.patch \
 "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"
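Review bot: The comment carried into the new `if (use_realloc)` block of sdsResize (in the added CVE-2023-41056.patch) still only explains why realloc() is skipped under jemalloc; nothing records why the `alloc_already_optimal` shortcut must not reach the `else` (malloc) branch, which is the actual fix. Going by the commit message, skipping the reallocation while the header type changes leaves a stale sds type in the header and lets the stored alloc value overflow, so I would add above the check something like `/* Only valid when the header type is kept: a type change must always take the malloc path so the header is rewritten. */`. The header rewrite and the rest of sdsResize lie outside the hunk, so that wording should be confirmed against the full function. The backport also touches only src/sds.c; a regression test that resizes an sds across a header-type boundary in a jemalloc build would keep the shortcut from drifting back into the malloc path.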