From patchwork Tue Oct 7 19:49:33 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 71804
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 1/4] redis: ignore CVE-2025-21605 Date: Tue, 7 Oct 2025 21:49:33 +0200 Message-ID: <20251007194936.146845-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 19:49:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120346 The vulnerability has been fixed in the used versions already, upstream has backported it. 6.2.18: https://github.com/redis/redis/commit/5e93f9cb9dbc3e7ac9bce36f2838156cbc5c9e62 7.2.8: https://github.com/redis/redis/commit/42fb340ce426364d64f5dccc9c2549e58f48ac6f Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-extended/redis/redis_6.2.18.bb | 2 ++ meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + 2 files changed, 3 insertions(+) diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 171c6640f2..13344beae4 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -65,3 +65,5 @@ INITSCRIPT_NAME = "redis-server" INITSCRIPT_PARAMS = "defaults 87" SYSTEMD_SERVICE:${PN} = "redis.service" + +CVE_STATUS[CVE-2025-21605] = "fixed-version: The backported fix by upstream is included in the used version" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index 3c4d84085b..38d8e5ffe9 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb 
@@ -74,3 +74,4 @@ SYSTEMD_SERVICE:${PN} = "redis.service" CVE_STATUS[CVE-2022-3734] = "not-applicable-platform: CVE only applies for Windows." CVE_STATUS[CVE-2022-0543] = "not-applicable-platform: Debian-specific CVE" +CVE_STATUS[CVE-2025-21605] = "fixed-version: The backported fix by upstream is included in the used version"
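Review bot: In both recipe hunks the new CVE_STATUS[CVE-2025-21605] entry carries only a free-text reason, so the evidence behind "fixed-version" lives solely in the commit message. Consider a comment line above each entry with the matching upstream commit URL from the commit message (the 6.2.18 one in redis_6.2.18.bb, the 7.2.8 one in redis_7.2.8.bb), so the status can be re-verified from the recipe itself at the next version bump.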
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 2/4] redis: patch CVE-2025-27151 Date: Tue, 7 Oct 2025 21:49:34 +0200 Message-ID: <20251007194936.146845-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251007194936.146845-1-skandigraun@gmail.com> References: <20251007194936.146845-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 19:49:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120347 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-27151 Backport the patch mentioned in the details. Signed-off-by: Gyorgy Sarvari --- ...AOF-file-name-in-redis-check-aof-CVE.patch | 34 +++++++++++++++++++ .../redis/redis/0001-CVE-2025-27151.patch | 31 +++++++++++++++++ .../recipes-extended/redis/redis_6.2.18.bb | 1 + meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + 4 files changed, 67 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch create mode 100644 meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch new file mode 100644 index 0000000000..159f8341b2 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch 
@@ -0,0 +1,34 @@ +From 1b71849d83940971b95b7c576cdfbc9ff60d48b2 Mon Sep 17 00:00:00 2001 +From: YaacovHazan +Date: Tue, 27 May 2025 10:23:27 +0300 +Subject: [PATCH] Check length of AOF file name in redis-check-aof + (CVE-2025-27151) + +Ensure that the length of the input file name does not exceed PATH_MAX + +CVE: CVE-2025-27151 + +Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9] + +Signed-off-by: Gyorgy Sarvari +--- + src/redis-check-aof.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c +index e28126d..5b3ee2a 100644 +--- a/src/redis-check-aof.c ++++ b/src/redis-check-aof.c +@@ -547,6 +547,12 @@ int redis_check_aof_main(int argc, char **argv) { + goto invalid_args; + } + ++ /* Check if filepath is longer than PATH_MAX */ ++ if (strlen(filepath) > PATH_MAX) { ++ printf("Error: filepath is too long (exceeds PATH_MAX)\n"); ++ goto invalid_args; ++ } ++ + /* In the glibc implementation dirname may modify their argument. */ + memcpy(temp_filepath, filepath, strlen(filepath) + 1); + dirpath = dirname(temp_filepath); diff --git a/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch b/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch new file mode 100644 index 0000000000..dd2ce977a7 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/0001-CVE-2025-27151.patch 
@@ -0,0 +1,31 @@ +From 96f00cb60cb6e73c66375264227872053385bea2 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Tue, 7 Oct 2025 21:26:55 +0200 +Subject: [PATCH] CVE-2025-27151 + +Ensure that the length of the input file name does not exceed PATH_MAX + +CVE: CVE-2025-27151 +Upstream-Status: Backport [https://github.com/redis/redis/commit/d0eeee6e31f0fefb510007a8cfdf5dce729a8be9] + +Signed-off-by: Gyorgy Sarvari +--- + src/redis-check-aof.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/redis-check-aof.c b/src/redis-check-aof.c +index 1507e0a..f7dd5cb 100644 +--- a/src/redis-check-aof.c ++++ b/src/redis-check-aof.c +@@ -164,6 +164,11 @@ int redis_check_aof_main(int argc, char **argv) { + exit(1); + } + ++ if (strlen(filename) > PATH_MAX) { ++ printf("Error: filename is too long (exceeds PATH_MAX)\n"); ++ exit(1); ++ } ++ + FILE *fp = fopen(filename,"r+"); + if (fp == NULL) { + printf("Cannot open file: %s\n", filename); diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 13344beae4..179701bbf8 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0004-src-Do-not-reset-FINAL_LIBS.patch \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://0001-CVE-2025-27151.patch \ " SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index 38d8e5ffe9..fe811dcc7e 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb 
@@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0004-src-Do-not-reset-FINAL_LIBS.patch \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ + file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \ " SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
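Review bot: In the redis-7.2.8 patch, the new check in redis_check_aof_main rejects only strlen(filepath) > PATH_MAX, while the unchanged line right after it copies strlen(filepath) + 1 bytes into temp_filepath. A path of exactly PATH_MAX characters is therefore safe only if temp_filepath holds at least PATH_MAX + 1 bytes. The buffer declaration is outside the hunk, so please confirm its size against the 7.2.8 source; if it is PATH_MAX bytes the comparison needs to be >=.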
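Review bot: The redis/0001-CVE-2025-27151.patch applied by redis_6.2.18.bb is marked Upstream-Status: Backport of the same commit as the 7.2.8 patch, but its hunk is different code: it tests filename rather than filepath, ends in exit(1) instead of goto invalid_args, and is authored by the submitter under the bare subject "CVE-2025-27151". The visible context goes straight to fopen(filename,"r+") and shows no fixed-size copy of the name, so the patch header should state that this is an adapted backport and say what the length check protects in 6.2.18. A descriptive subject in line with the upstream one would also make the patch easier to audit.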
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 3/4] redis: patch CVE-2025-32023 Date: Tue, 7 Oct 2025 21:49:35 +0200 Message-ID: <20251007194936.146845-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251007194936.146845-1-skandigraun@gmail.com> References: <20251007194936.146845-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 19:49:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120348 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-32023 Backport the patch mentioned in the details. Signed-off-by: Gyorgy Sarvari --- ...s-write-in-hyperloglog-commands-CVE-.patch | 215 ++++++++++++++++++ ...s-write-in-hyperloglog-commands-CVE-.patch | 215 ++++++++++++++++++ .../recipes-extended/redis/redis_6.2.18.bb | 1 + meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + 4 files changed, 432 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis-7.2.8/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch create mode 100644 meta-oe/recipes-extended/redis/redis/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch new file mode 100644 index 0000000000..4949424a72 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch 
@@ -0,0 +1,215 @@ +From 547b5c86a0882b03def5d418db906380f649acaa Mon Sep 17 00:00:00 2001 +From: "debing.sun" +Date: Wed, 7 May 2025 18:25:06 +0800 +Subject: [PATCH] Fix out of bounds write in hyperloglog commands + (CVE-2025-32023) + +CVE: CVE-2025-32023 +Upstream-Status: Backport [https://github.com/redis/redis/commit/f35b72dd1735f381337a2eb078083450cb98e237] + +Co-authored-by: oranagra +Signed-off-by: Gyorgy Sarvari +--- + src/hyperloglog.c | 47 +++++++++++++++++++++++++++++++---- + tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 93 insertions(+), 5 deletions(-) + +diff --git a/src/hyperloglog.c b/src/hyperloglog.c +index 1a74f47..ca592a0 100644 +--- a/src/hyperloglog.c ++++ b/src/hyperloglog.c +@@ -587,6 +587,7 @@ int hllSparseToDense(robj *o) { + struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse; + int idx = 0, runlen, regval; + uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse); ++ int valid = 1; + + /* If the representation is already the right one return ASAP. */ + hdr = (struct hllhdr*) sparse; +@@ -606,16 +607,27 @@ int hllSparseToDense(robj *o) { + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */ ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval); + idx++; +@@ -626,7 +638,7 @@ int hllSparseToDense(robj *o) { + + /* If the sparse representation was valid, we expect to find idx + * set to HLL_REGISTERS. 
*/ +- if (idx != HLL_REGISTERS) { ++ if (!valid || idx != HLL_REGISTERS) { + sdsfree(dense); + return C_ERR; + } +@@ -923,27 +935,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) { + void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) { + int idx = 0, runlen, regval; + uint8_t *end = sparse+sparselen, *p = sparse; ++ int valid = 1; + + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[regval] += runlen; + p++; + } + } +- if (idx != HLL_REGISTERS && invalid) *invalid = 1; ++ if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1; + } + + /* ========================= HyperLogLog Count ============================== +@@ -1091,22 +1116,34 @@ int hllMerge(uint8_t *max, robj *hll) { + } else { + uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr); + long runlen, regval; ++ int valid = 1; + + p += HLL_HDR_SIZE; + i = 0; + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. 
*/ ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + if (regval > max[i]) max[i] = regval; + i++; +@@ -1114,7 +1151,7 @@ int hllMerge(uint8_t *max, robj *hll) { + p++; + } + } +- if (i != HLL_REGISTERS) return C_ERR; ++ if (!valid || i != HLL_REGISTERS) return C_ERR; + } + return C_OK; + } +diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl +index ee43718..bc90eb2 100644 +--- a/tests/unit/hyperloglog.tcl ++++ b/tests/unit/hyperloglog.tcl +@@ -137,6 +137,57 @@ start_server {tags {"hll"}} { + set e + } {*WRONGTYPE*} + ++ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} { ++ r del hll ++ ++ # Create a sparse-encoded HyperLogLog header ++ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]] ++ ++ # Create an XZERO opcode with the maximum run length of 16384(2^14) ++ set runlen [expr 16384 - 1] ++ set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]] ++ # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total ++ # run length exceed 4GB, will cause an integer overflow. ++ set repeat [expr 131072 + 1000] ++ for {set i 0} {$i < $repeat} {incr i} { ++ append pl $chunk ++ } ++ ++ # Create a VAL opcode with a value that will cause out-of-bounds. ++ append pl [binary format c 0b11111111] ++ r set hll $pl ++ ++ # This should not overflow and out-of-bounds. 
++ assert_error {*INVALIDOBJ*} {r pfcount hll hll} ++ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll} ++ r ping ++ } ++ ++ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} { ++ r del hll ++ ++ # Create a sparse-encoded HyperLogLog header ++ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]] ++ ++ # # Create an ZERO opcode with the maximum run length of 64(2^6) ++ set chunk [binary format c [expr {0b00000000 | 0x3f}]] ++ # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total ++ # run length exceed 4GB, will cause an integer overflow. ++ set repeat [expr 33554432 + 1000] ++ for {set i 0} {$i < $repeat} {incr i} { ++ append pl $chunk ++ } ++ ++ # Create a VAL opcode with a value that will cause out-of-bounds. ++ append pl [binary format c 0b11111111] ++ r set hll $pl ++ ++ # This should not overflow and out-of-bounds. ++ assert_error {*INVALIDOBJ*} {r pfcount hll hll} ++ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll} ++ r ping ++ } ++ + test {Corrupted dense HyperLogLogs are detected: Wrong length} { + r del hll + r pfadd hll a b c diff --git a/meta-oe/recipes-extended/redis/redis/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch b/meta-oe/recipes-extended/redis/redis/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch new file mode 100644 index 0000000000..7b801949dd --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch 
@@ -0,0 +1,215 @@ +From 8f26e5acc5e5db6040e23aeeb96b0886e02d627e Mon Sep 17 00:00:00 2001 +From: "debing.sun" +Date: Wed, 7 May 2025 18:25:06 +0800 +Subject: [PATCH] Fix out of bounds write in hyperloglog commands + (CVE-2025-32023) + +CVE: CVE-2025-32023 +Upstream-Status: Backport [https://github.com/redis/redis/commit/df47cffd065fc886a76460959a6e2205117d0d30] + +Co-authored-by: oranagra +Signed-off-by: Gyorgy Sarvari +--- + src/hyperloglog.c | 47 +++++++++++++++++++++++++++++++---- + tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++ + 2 files changed, 93 insertions(+), 5 deletions(-) + +diff --git a/src/hyperloglog.c b/src/hyperloglog.c +index 75a0422..7cabfa1 100644 +--- a/src/hyperloglog.c ++++ b/src/hyperloglog.c +@@ -586,6 +586,7 @@ int hllSparseToDense(robj *o) { + struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse; + int idx = 0, runlen, regval; + uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse); ++ int valid = 1; + + /* If the representation is already the right one return ASAP. */ + hdr = (struct hllhdr*) sparse; +@@ -605,16 +606,27 @@ int hllSparseToDense(robj *o) { + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */ ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval); + idx++; +@@ -625,7 +637,7 @@ int hllSparseToDense(robj *o) { + + /* If the sparse representation was valid, we expect to find idx + * set to HLL_REGISTERS. 
*/ +- if (idx != HLL_REGISTERS) { ++ if (!valid || idx != HLL_REGISTERS) { + sdsfree(dense); + return C_ERR; + } +@@ -911,27 +923,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) { + void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) { + int idx = 0, runlen, regval; + uint8_t *end = sparse+sparselen, *p = sparse; ++ int valid = 1; + + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[0] += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); ++ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + idx += runlen; + reghisto[regval] += runlen; + p++; + } + } +- if (idx != HLL_REGISTERS && invalid) *invalid = 1; ++ if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1; + } + + /* ========================= HyperLogLog Count ============================== +@@ -1079,22 +1104,34 @@ int hllMerge(uint8_t *max, robj *hll) { + } else { + uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr); + long runlen, regval; ++ int valid = 1; + + p += HLL_HDR_SIZE; + i = 0; + while(p < end) { + if (HLL_SPARSE_IS_ZERO(p)) { + runlen = HLL_SPARSE_ZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p++; + } else if (HLL_SPARSE_IS_XZERO(p)) { + runlen = HLL_SPARSE_XZERO_LEN(p); ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + i += runlen; + p += 2; + } else { + runlen = HLL_SPARSE_VAL_LEN(p); + regval = HLL_SPARSE_VAL_VALUE(p); +- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. 
*/ ++ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */ ++ valid = 0; ++ break; ++ } + while(runlen--) { + if (regval > max[i]) max[i] = regval; + i++; +@@ -1102,7 +1139,7 @@ int hllMerge(uint8_t *max, robj *hll) { + p++; + } + } +- if (i != HLL_REGISTERS) return C_ERR; ++ if (!valid || i != HLL_REGISTERS) return C_ERR; + } + return C_OK; + } +diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl +index db26a2e..a1ae520 100644 +--- a/tests/unit/hyperloglog.tcl ++++ b/tests/unit/hyperloglog.tcl +@@ -106,6 +106,57 @@ start_server {tags {"hll"}} { + set e + } {*WRONGTYPE*} + ++ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} { ++ r del hll ++ ++ # Create a sparse-encoded HyperLogLog header ++ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]] ++ ++ # Create an XZERO opcode with the maximum run length of 16384(2^14) ++ set runlen [expr 16384 - 1] ++ set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]] ++ # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total ++ # run length exceed 4GB, will cause an integer overflow. ++ set repeat [expr 131072 + 1000] ++ for {set i 0} {$i < $repeat} {incr i} { ++ append pl $chunk ++ } ++ ++ # Create a VAL opcode with a value that will cause out-of-bounds. ++ append pl [binary format c 0b11111111] ++ r set hll $pl ++ ++ # This should not overflow and out-of-bounds. 
++ assert_error {*INVALIDOBJ*} {r pfcount hll hll} ++ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll} ++ r ping ++ } ++ ++ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} { ++ r del hll ++ ++ # Create a sparse-encoded HyperLogLog header ++ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]] ++ ++ # # Create an ZERO opcode with the maximum run length of 64(2^6) ++ set chunk [binary format c [expr {0b00000000 | 0x3f}]] ++ # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total ++ # run length exceed 4GB, will cause an integer overflow. ++ set repeat [expr 33554432 + 1000] ++ for {set i 0} {$i < $repeat} {incr i} { ++ append pl $chunk ++ } ++ ++ # Create a VAL opcode with a value that will cause out-of-bounds. ++ append pl [binary format c 0b11111111] ++ r set hll $pl ++ ++ # This should not overflow and out-of-bounds. ++ assert_error {*INVALIDOBJ*} {r pfcount hll hll} ++ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll} ++ r ping ++ } ++ + test {Corrupted dense HyperLogLogs are detected: Wrong length} { + r del hll + r pfadd hll a b c diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 179701bbf8..9ce476e14e 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-CVE-2025-27151.patch \ + file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ " SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index fe811dcc7e..f5ea3eaf5b 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb 
+++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb 
@@ -17,6 +17,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \ + file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ " SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
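Review bot: in the hllMerge hunk, the new guard "if ((runlen + i) > HLL_REGISTERS)" sits before the "while(runlen--)" write loop, and the final check becomes "if (!valid || i != HLL_REGISTERS) return C_ERR;", but the tests added in this patch drive a corrupted value only through PFCOUNT and PFDEBUG GETREG. If PFMERGE reaches hllMerge as well, one more assert_error on "r pfmerge" with the same payload would cover that entry point.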
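Review bot: the comments in the two tests added to tests/unit/hyperloglog.tcl do not match the arithmetic they describe. 131072 (2^17) XZERO opcodes of run length 16384 (2^14) and 33554432 ZERO opcodes of run length 64 (2^6) both sum to 2^31, so the payloads cross the signed 32-bit limit rather than "4GB", and 33554432 is 2^25, not "2^17" as the ZERO test comment says; that comment also starts with a doubled "# #". Since this is a backport the text can stay as upstream has it, but the commit message could record the mismatch. The ZERO test also builds a payload of roughly 32 MiB with more than 33 million one-byte appends, which is worth keeping in mind for run time and memory wherever this suite is executed.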
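Review bot: the SRC_URI line added in the redis_6.2.18.bb and redis_7.2.8.bb hunks is "file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch", where the truncated subject drops the CVE number from the file name. The 6.2.18 recipe already carries "0001-CVE-2025-27151.patch"; naming the new file after its CVE id in the same way would make it easier to audit from the recipe alone which fixes are applied.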
From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][walnascar][PATCH 4/4] redis: patch CVE-2025-48367 Date: Tue, 7 Oct 2025 21:49:36 +0200 Message-ID: <20251007194936.146845-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251007194936.146845-1-skandigraun@gmail.com> References: <20251007194936.146845-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 07 Oct 2025 19:49:47 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120349 Details: https://nvd.nist.gov/vuln/detail/CVE-2025-48367 Backport the patch mentioned in the details. Signed-off-by: Gyorgy Sarvari --- ...n-if-accepted-connection-reports-an-.patch | 117 ++++++++++++++++++ ...n-if-accepted-connection-reports-an-.patch | 107 ++++++++++++++++ .../recipes-extended/redis/redis_6.2.18.bb | 1 + meta-oe/recipes-extended/redis/redis_7.2.8.bb | 1 + 4 files changed, 226 insertions(+) create mode 100644 meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch create mode 100644 meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch diff --git a/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch new file mode 100644 index 0000000000..8017345913 --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch 
@@ -0,0 +1,117 @@ +From 05524dbadb1acc3d8d75905108fea39cdf43832c Mon Sep 17 00:00:00 2001 +From: Ozan Tezcan +Date: Wed, 14 May 2025 11:02:30 +0300 +Subject: [PATCH] Retry accept() even if accepted connection reports an error + (CVE-2025-48367) + +In case of accept4() returns an error, we should check errno value and +decide if we should retry accept4() without waiting next event loop iteration. + +CVE: CVE-2025-48367 +Upstream-Status: Backport [https://github.com/redis/redis/commit/c76d6182096cbe10bd3a1dc41095b5ab422e6a74] + +Signed-off-by: Gyorgy Sarvari +--- + src/anet.c | 24 ++++++++++++++++++++++++ + src/anet.h | 1 + + src/cluster.c | 2 ++ + src/socket.c | 2 ++ + src/tls.c | 2 ++ + src/unix.c | 2 ++ + 6 files changed, 33 insertions(+) + +diff --git a/src/anet.c b/src/anet.c +index 64824a2..6c539d5 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -704,3 +704,27 @@ int anetIsFifo(char *filepath) { + if (stat(filepath, &sb) == -1) return 0; + return S_ISFIFO(sb.st_mode); + } ++ ++/* This function must be called after accept4() fails. It returns 1 if 'err' ++ * indicates accepted connection faced an error, and it's okay to continue ++ * accepting next connection by calling accept4() again. Other errors either ++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate ++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been ++ * reached. In the latter case, caller might wait until resources are available. ++ * See accept4() documentation for details. 
*/ ++int anetAcceptFailureNeedsRetry(int err) { ++ if (err == ECONNABORTED) ++ return 1; ++ ++#if defined(__linux__) ++ /* For details, see 'Error Handling' section on ++ * https://man7.org/linux/man-pages/man2/accept.2.html */ ++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT || ++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH || ++ err == EOPNOTSUPP || err == ENETUNREACH) ++ { ++ return 1; ++ } ++#endif ++ return 0; ++} +diff --git a/src/anet.h b/src/anet.h +index b13c14f..2319039 100644 +--- a/src/anet.h ++++ b/src/anet.h +@@ -71,5 +71,6 @@ int anetPipe(int fds[2], int read_flags, int write_flags); + int anetSetSockMarkId(char *err, int fd, uint32_t id); + int anetGetError(int fd); + int anetIsFifo(char *filepath); ++int anetAcceptFailureNeedsRetry(int err); + + #endif +diff --git a/src/cluster.c b/src/cluster.c +index 765958a..2130ffd 100644 +--- a/src/cluster.c ++++ b/src/cluster.c +@@ -1309,6 +1309,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_VERBOSE, + "Error accepting cluster node: %s", server.neterr); +diff --git a/src/socket.c b/src/socket.c +index dad8e93..09d87bc 100644 +--- a/src/socket.c ++++ b/src/socket.c +@@ -318,6 +318,8 @@ static void connSocketAcceptHandler(aeEventLoop *el, int fd, void *privdata, int + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +diff --git a/src/tls.c b/src/tls.c +index e709c99..9a66e81 100644 +--- a/src/tls.c ++++ b/src/tls.c +@@ -774,6 +774,8 @@ static void tlsAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) + while(max--) 
{ + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +diff --git a/src/unix.c b/src/unix.c +index bd146d0..8fdefe4 100644 +--- a/src/unix.c ++++ b/src/unix.c +@@ -100,6 +100,8 @@ static void connUnixAcceptHandler(aeEventLoop *el, int fd, void *privdata, int m + while(max--) { + cfd = anetUnixAccept(server.neterr, fd); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); diff --git a/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch b/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch new file mode 100644 index 0000000000..e16ad07e3e --- /dev/null +++ b/meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch 
@@ -0,0 +1,107 @@ +From 5cb320f03b7d619499d2d69f4371096b5d6a9bdf Mon Sep 17 00:00:00 2001 +From: Ozan Tezcan +Date: Wed, 14 May 2025 11:02:30 +0300 +Subject: [PATCH] Retry accept() even if accepted connection reports an error + (CVE-2025-48367) + +In case of accept4() returns an error, we should check errno value and +decide if we should retry accept4() without waiting next event loop iteration. + +CVE: CVE-2025-48367 +Upstream-Status: Backport [https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765] + +Signed-off-by: Gyorgy Sarvari +--- + src/anet.c | 24 ++++++++++++++++++++++++ + src/anet.h | 2 +- + src/cluster.c | 2 ++ + src/networking.c | 6 ++++++ + 4 files changed, 33 insertions(+), 1 deletion(-) + +diff --git a/src/anet.c b/src/anet.c +index 91f6171..2e42fc5 100644 +--- a/src/anet.c ++++ b/src/anet.c +@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) { + anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type); + return anetFormatAddr(buf, buf_len, ip, port); + } ++ ++/* This function must be called after accept4() fails. It returns 1 if 'err' ++ * indicates accepted connection faced an error, and it's okay to continue ++ * accepting next connection by calling accept4() again. Other errors either ++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate ++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been ++ * reached. In the latter case, caller might wait until resources are available. ++ * See accept4() documentation for details. 
*/ ++int anetAcceptFailureNeedsRetry(int err) { ++ if (err == ECONNABORTED) ++ return 1; ++ ++#if defined(__linux__) ++ /* For details, see 'Error Handling' section on ++ * https://man7.org/linux/man-pages/man2/accept.2.html */ ++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT || ++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH || ++ err == EOPNOTSUPP || err == ENETUNREACH) ++ { ++ return 1; ++ } ++#endif ++ return 0; ++} +diff --git a/src/anet.h b/src/anet.h +index 2a685cc..adedaf3 100644 +--- a/src/anet.h ++++ b/src/anet.h +@@ -72,5 +72,5 @@ int anetFdToString(int fd, char *ip, size_t ip_len, int *port, int fd_to_str_typ + int anetKeepAlive(char *err, int fd, int interval); + int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port); + int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type); +- ++int anetAcceptFailureNeedsRetry(int err); + #endif +diff --git a/src/cluster.c b/src/cluster.c +index 8807fe2..030897c 100644 +--- a/src/cluster.c ++++ b/src/cluster.c +@@ -691,6 +691,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_VERBOSE, + "Error accepting cluster node: %s", server.neterr); +diff --git a/src/networking.c b/src/networking.c +index 11891d3..2598a58 100644 +--- a/src/networking.c ++++ b/src/networking.c +@@ -1190,6 +1190,8 @@ void acceptTcpHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +@@ -1211,6 +1213,8 @@ void acceptTLSHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + 
while(max--) { + cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); +@@ -1231,6 +1235,8 @@ void acceptUnixHandler(aeEventLoop *el, int fd, void *privdata, int mask) { + while(max--) { + cfd = anetUnixAccept(server.neterr, fd); + if (cfd == ANET_ERR) { ++ if (anetAcceptFailureNeedsRetry(errno)) ++ continue; + if (errno != EWOULDBLOCK) + serverLog(LL_WARNING, + "Accepting client connection: %s", server.neterr); diff --git a/meta-oe/recipes-extended/redis/redis_6.2.18.bb b/meta-oe/recipes-extended/redis/redis_6.2.18.bb index 9ce476e14e..5e3b8d4430 100644 --- a/meta-oe/recipes-extended/redis/redis_6.2.18.bb +++ b/meta-oe/recipes-extended/redis/redis_6.2.18.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-CVE-2025-27151.patch \ file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ + file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \ " SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d" diff --git a/meta-oe/recipes-extended/redis/redis_7.2.8.bb b/meta-oe/recipes-extended/redis/redis_7.2.8.bb index f5ea3eaf5b..22f48afd17 100644 --- a/meta-oe/recipes-extended/redis/redis_7.2.8.bb +++ b/meta-oe/recipes-extended/redis/redis_7.2.8.bb @@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \ file://0006-Define-correct-gregs-for-RISCV32.patch \ file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \ file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \ + file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \ " SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"
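Review bot: in the new anetAcceptFailureNeedsRetry() in src/anet.c (both the 7.2.8 and the 6.2.18 variant), EOPNOTSUPP is in the retry list, but accept(2) also returns EOPNOTSUPP when the listening socket is not of type SOCK_STREAM, which is the "programming error" class the function comment says should not be retried. The retry is bounded by the caller's "while(max--)" loop, so it cannot spin, but that misuse would then never be reported. The comment also writes "-EMFILE" while the function compares against positive errno values; "EMFILE" would match the code.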
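Review bot: in every accept handler hunk (src/cluster.c, src/socket.c, src/tls.c and src/unix.c for 7.2.8; src/cluster.c and src/networking.c for 6.2.18), the added "if (anetAcceptFailureNeedsRetry(errno)) continue;" runs before the existing serverLog() call, so failures that used to be logged at LL_WARNING or LL_VERBOSE now leave no trace. A burst of aborted connections is exactly what an operator would want to see for this CVE; a low-verbosity log line or a counter on the retry path would keep that visible. Each retry still consumes one iteration of "max", so the per-event work stays bounded.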