
[meta-oe,kirkstone,4/5] redis: fix CVE-2024-31228

Message ID 20250131125100.3348102-4-divya.chellam@windriver.com
State New
Series [meta-oe,kirkstone,1/5] redis: fix CVE-2023-41056 | expand

Commit Message

dchellam Jan. 31, 2025, 12:50 p.m. UTC
From: Divya Chellam <divya.chellam@windriver.com>

Redis is an open source, in-memory database that persists on disk.
Authenticated users can trigger a denial-of-service by using specially
crafted, long string match patterns on supported commands such as
`KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL
definitions. Matching of extremely long patterns may result in
unbounded recursion, leading to stack overflow and process crash.
This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1.
Users are advised to upgrade. There are no known workarounds for this
vulnerability.

References:
https://security-tracker.debian.org/tracker/CVE-2024-31228

Upstream-patch:
https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
---
 .../redis/redis-7.0.13/CVE-2024-31228.patch   | 68 +++++++++++++++++++
 .../redis/redis/CVE-2024-31228.patch          | 68 +++++++++++++++++++
 .../recipes-extended/redis/redis_6.2.12.bb    |  1 +
 .../recipes-extended/redis/redis_7.0.13.bb    |  1 +
 4 files changed, 138 insertions(+)
 create mode 100644 meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
 create mode 100644 meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch

Patch

diff --git a/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
new file mode 100644
index 0000000000..deb9033c60
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis-7.0.13/CVE-2024-31228.patch
@@ -0,0 +1,68 @@ 
+From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+
+CVE: CVE-2024-31228
+
+Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/util.c              | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index 8ce2c5f..3a4c9b0 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -51,8 +51,11 @@
+ 
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
++        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
++    /* Protection against abusive patterns. */
++    if (nesting > 1000) return 0;
++
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+         case '*':
+@@ -64,7 +67,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+                 return 1; /* match */
+             while(stringLen) {
+                 if (stringmatchlen_impl(pattern+1, patternLen-1,
+-                            string, stringLen, nocase, skipLongerMatches))
++                            string, stringLen, nocase, skipLongerMatches, nesting+1))
+                     return 1; /* match */
+                 if (*skipLongerMatches)
+                     return 0; /* no match */
+@@ -186,7 +189,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+         const char *string, int stringLen, int nocase) {
+     int skipLongerMatches = 0;
+-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+ 
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 437f71f..988389f 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -495,4 +495,10 @@ start_server {tags {"keyspace"}} {
+         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+     } {}
++
++    test {Regression for pattern matching very long nested loops} {
++        r flushdb
++        r SET [string repeat "a" 50000] 1
++        r KEYS [string repeat "*?" 50000]
++    } {}
+ }
+-- 
+2.40.0
+
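Review bot: The guard added at the top of `stringmatchlen_impl` (`if (nesting > 1000) return 0;`) reports an over-deep pattern as an ordinary non-match, and neither the one-line comment nor the bare `1000` tells a maintainer that. The new regression test expects an empty `KEYS` reply for a 50000-character key against `*?` repeated 50000 times, a pattern that appears to match that key in glob terms, so the fix seems to accept a false negative in exchange for bounded stack depth. Callers of `stringmatchlen` cannot tell "limit hit" from "no match", which matters wherever the result drives a decision such as the ACL definitions named in the commit message. Because this is a backport, I would record it in the patch header rather than diverge from upstream, for example `Note: patterns nesting deeper than 1000 levels are treated as non-matching`. The same applies to the identical copy under `redis/CVE-2024-31228.patch`; the function body continues outside the embedded hunks, so other recursion sites were not checked.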
diff --git a/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch
new file mode 100644
index 0000000000..d86e6c9e72
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/CVE-2024-31228.patch
@@ -0,0 +1,68 @@ 
+From 9317bf64659b33166a943ec03d5d9b954e86afb0 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Wed, 2 Oct 2024 20:11:01 +0300
+Subject: [PATCH] Prevent pattern matching abuse (CVE-2024-31228)
+
+CVE: CVE-2024-31228
+
+Upstream-Status: Backport[https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ src/util.c              | 9 ++++++---
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index e122a26..5763a2b 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -46,8 +46,11 @@
+ 
+ /* Glob-style pattern matching. */
+ static int stringmatchlen_impl(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
++        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
+ {
++    /* Protection against abusive patterns. */
++    if (nesting > 1000) return 0;
++
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+         case '*':
+@@ -59,7 +62,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+                 return 1; /* match */
+             while(stringLen) {
+                 if (stringmatchlen_impl(pattern+1, patternLen-1,
+-                            string, stringLen, nocase, skipLongerMatches))
++                            string, stringLen, nocase, skipLongerMatches, nesting+1))
+                     return 1; /* match */
+                 if (*skipLongerMatches)
+                     return 0; /* no match */
+@@ -181,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
+ int stringmatchlen(const char *pattern, int patternLen,
+         const char *string, int stringLen, int nocase) {
+     int skipLongerMatches = 0;
+-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
+ }
+ 
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index 92029a7..70bc252 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -485,4 +485,10 @@ start_server {tags {"keyspace"}} {
+         r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+         r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+     } {}
++
++    test {Regression for pattern matching very long nested loops} {
++        r flushdb
++        r SET [string repeat "a" 50000] 1
++        r KEYS [string repeat "*?" 50000]
++    } {}
+ }
+-- 
+2.40.0
+
diff --git a/meta-oe/recipes-extended/redis/redis_6.2.12.bb b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
index 52dcffedb8..bea98100a7 100644
--- a/meta-oe/recipes-extended/redis/redis_6.2.12.bb
+++ b/meta-oe/recipes-extended/redis/redis_6.2.12.bb
@@ -17,6 +17,7 @@  SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://GNU_SOURCE.patch \
            file://0006-Define-correct-gregs-for-RISCV32.patch \
            file://CVE-2023-45145.patch \
+           file://CVE-2024-31228.patch \
            "
 SRC_URI[sha256sum] = "75352eef41e97e84bfa94292cbac79e5add5345fc79787df5cbdff703353fb1b"
 
diff --git a/meta-oe/recipes-extended/redis/redis_7.0.13.bb b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
index 6a2a7ce966..249f002a1b 100644
--- a/meta-oe/recipes-extended/redis/redis_7.0.13.bb
+++ b/meta-oe/recipes-extended/redis/redis_7.0.13.bb
@@ -19,6 +19,7 @@  SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
            file://CVE-2023-41056.patch \
            file://CVE-2023-45145.patch \
            file://CVE-2024-31227.patch \
+           file://CVE-2024-31228.patch \
            "
 SRC_URI[sha256sum] = "97065774d5fb8388eb0d8913458decfcb167d356e40d31dd01cd30c1cc391673"