[meta-oe,walnascar,4/4] redis: patch CVE-2025-48367

Message ID	20251007194936.146845-4-skandigraun@gmail.com
State	New
Headers	show Return-Path: <skandigraun@gmail.com> ip: 209.85.218.44, mailfrom: skandigraun@gmail.com) From: Gyorgy Sarvari <skandigraun@gmail.com> To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 4/4] redis: patch CVE-2025-48367 Date: Tue, 7 Oct 2025 21:49:36 +0200 Message-ID: <20251007194936.146845-4-skandigraun@gmail.com> In-Reply-To: <20251007194936.146845-1-skandigraun@gmail.com> References: <20251007194936.146845-1-skandigraun@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[meta-oe,walnascar,1/4] redis: ignore CVE-2025-21605 \| expand [meta-oe,walnascar,1/4] redis: ignore CVE-2025-21605 [meta-oe,walnascar,2/4] redis: patch CVE-2025-27151 [meta-oe,walnascar,3/4] redis: patch CVE-2025-32023 [meta-oe,walnascar,4/4] redis: patch CVE-2025-48367

diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch new file mode 100644 index 0000000000..8017345913 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch @@ -0,0 +1,117 @@ +From 05524dbadb1acc3d8d75905108fea39cdf43832c Mon Sep 17 00:00:00 2001 +From: Ozan Tezcan <ozantezcan@gmail.com> +Date: Wed, 14 May 2025 11:02:30 +0300 +Subject: [PATCH] Retry accept() even if accepted connection reports an error + (CVE-2025-48367) + +In case of accept4() returns an error, we should check errno value and +decide if we should retry accept4() without waiting next event loop iteration. + +CVE: CVE-2025-48367 +Upstream-Status: Backport [https://github.com/redis/redis/commit/c76d6182096cbe10bd3a1dc41095b5ab422e6a74] + +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> +--- + src/anet.c | 24 ++++++++++++++++++++++++ + src/anet.h | 1 + + src/cluster.c | 2 ++ + src/socket.c | 2 ++ + src/tls.c | 2 ++ + src/unix.c | 2 ++ + 6 files changed, 33 insertions(+) + +diff --git a/src/anet.c b/src/anet.c +index 64824a2..6c539d5 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -704,3 +704,27 @@ int anetIsFifo(char *filepath) { + if (stat(filepath, &sb) == -1) return 0; + return S_ISFIFO(sb.st_mode); + } ++ ++/* This function must be called after accept4() fails. It returns 1 if 'err' ++ * indicates accepted connection faced an error, and it's okay to continue ++ * accepting next connection by calling accept4() again. Other errors either ++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate ++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been ++ * reached. In the latter case, caller might wait until resources are available. ++ * See accept4() documentation for details. */ ++int anetAcceptFailureNeedsRetry(int err) { ++ if (err == ECONNABORTED) ++ return 1; ++ ++#if defined(__linux__) ++ /* For details, see 'Error Handling' section on ++ * https://man7.org/linux/man-pages/man2/accept.2.html */ ++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT || ++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH || ++ err == EOPNOTSUPP || err == ENETUNREACH) ++ { ++ return 1; ++ } ++#endif ++ return 0; ++} +diff --git a/src/anet.h b/src/anet.h +index b13c14f..2319039 100644 +--- a/src/anet.h ++++ b/src/anet.h +@@ -71,5 +71,6 @@ int anetPipe(int fds[2], int read_flags, int write_flags); + int anetSetSockMarkId(char *err, int fd, uint32_t id); + int anetGetError(int fd); + int anetIsFifo(char *filepath); ++int anetAcceptFailureNeedsRetry(int err); + + #endif +diff --git a/src/cluster.c b/src/cluster.c +index 765958a..2130ffd 100644 +--- a/src/cluster.c ++++ b/src/cluster.c +@@ -1309,6 +1309,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_VERBOSE, + "Error accepting cluster node: %s", server.neterr); +diff --git a/src/socket.c b/src/socket.c +index dad8e93..09d87bc 100644 +--- a/src/socket.c ++++ b/src/socket.c +@@ -318,6 +318,8 @@ static void connSocketAcceptHandler(aeEventLoop *el, int fd, void *privdata, int + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +diff --git a/src/tls.c b/src/tls.c +index e709c99..9a66e81 100644 +--- a/src/tls.c ++++ b/src/tls.c +@@ -774,6 +774,8 @@ static void tlsAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +diff --git a/src/unix.c b/src/unix.c +index bd146d0..8fdefe4 100644 +--- a/src/unix.c ++++ b/src/unix.c +@@ -100,6 +100,8 @@ static void connUnixAcceptHandler(aeEventLoop *el, int fd, void *privdata, int m + while(max--) { + cfd = anetUnixAccept(server.neterr, fd); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); diff --git a/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch b/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch new file mode 100644 index 0000000000..e16ad07e3e --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch @@ -0,0 +1,107 @@ +From 5cb320f03b7d619499d2d69f4371096b5d6a9bdf Mon Sep 17 00:00:00 2001 +From: Ozan Tezcan <ozantezcan@gmail.com> +Date: Wed, 14 May 2025 11:02:30 +0300 +Subject: [PATCH] Retry accept() even if accepted connection reports an error + (CVE-2025-48367) + +In case of accept4() returns an error, we should check errno value and +decide if we should retry accept4() without waiting next event loop iteration. + +CVE: CVE-2025-48367 +Upstream-Status: Backport [https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765] + +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> +--- + src/anet.c | 24 ++++++++++++++++++++++++ + src/anet.h | 2 +- + src/cluster.c | 2 ++ + src/networking.c | 6 ++++++ + 4 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/src/anet.c b/src/anet.c +index 91f6171..2e42fc5 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) { + anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type); + return anetFormatAddr(buf, buf_len, ip, port); + } ++ ++/* This function must be called after accept4() fails. It returns 1 if 'err' ++ * indicates accepted connection faced an error, and it's okay to continue ++ * accepting next connection by calling accept4() again. Other errors either ++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate ++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been ++ * reached. In the latter case, caller might wait until resources are available. ++ * See accept4() documentation for details. */ ++int anetAcceptFailureNeedsRetry(int err) { ++ if (err == ECONNABORTED) ++ return 1; ++ ++#if defined(__linux__) ++ /* For details, see 'Error Handling' section on ++ * https://man7.org/linux/man-pages/man2/accept.2.html */ ++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT || ++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH || ++ err == EOPNOTSUPP || err == ENETUNREACH) ++ { ++ return 1; ++ } ++#endif ++ return 0; ++} +diff --git a/src/anet.h b/src/anet.h +index 2a685cc..adedaf3 100644 +--- a/src/anet.h ++++ b/src/anet.h +@@ -72,5 +72,5 @@ int anetFdToString(int fd, char *ip, size_t ip_len, int *port, int fd_to_str_typ + int anetKeepAlive(char *err, int fd, int interval); + int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port); + int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type); +- ++int anetAcceptFailureNeedsRetry(int err); + #endif +diff --git a/src/cluster.c b/src/cluster.c +index 8807fe2..030897c 100644 +--- a/src/cluster.c ++++ b/src/cluster.c +@@ -691,6 +691,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_VERBOSE, + "Error accepting cluster node: %s", server.neterr); +diff --git a/src/networking.c b/src/networking.c +index 11891d3..2598a58 100644 +--- a/src/networking.c ++++ b/src/networking.c +@@ -1190,6 +1190,8 @@ void acceptTcpHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +@@ -1211,6 +1213,8 @@ void acceptTLSHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +@@ -1231,6 +1235,8 @@ void acceptUnixHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetUnixAccept(server.neterr, fd); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 9ce476e14e..5e3b8d4430 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-CVE-2025-27151.patch \ file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ + file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \ " SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index f5ea3eaf5b..22f48afd17 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \ file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ + file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \ " SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"

[meta-oe,walnascar,4/4] redis: patch CVE-2025-48367

Commit Message

Patch