From cef7c30a8a700f28dde3b99ad98237850de4aac6 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 7 Apr 2021 10:07:33 +0800
Subject: [PATCH] Fix CVE-2021-3470

(cherry picked from commit c0d03fe00ebc8e6b643118c213cd7e26d7d8ad0d)
---
 CVE-2021-3470.patch | 39 +++++++++++++++++++++++++++++++++++++++
 redis.spec | 10 ++++++++--
 2 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2021-3470.patch

diff --git a/CVE-2021-3470.patch b/CVE-2021-3470.patch
new file mode 100644
index 0000000..d49e271
--- /dev/null
+++ b/CVE-2021-3470.patch
@@ -0,0 +1,39 @@
+From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 7 Apr 2021 10:00:53 +0800
+Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
+
+When using a system with no malloc_usable_size(), zmalloc_size() assumed
+that the heap allocator always returns blocks that are long-padded.
+
+This may not always be the case, and will result with zmalloc_size()
+returning a size that is bigger than allocated. At least in one case
+this leads to out of bound write, process crash and a potential security
+vulnerability.
+
+Effectively this does not affect the vast majority of users, who use
+jemalloc or glibc.
+
+This problem along with a (different) fix was reported by Drew DeVault.
+
+---
+ src/zmalloc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index cc47f71..67b1b65 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
+ size_t zmalloc_size(void *ptr) {
+ void *realptr = (char*)ptr-PREFIX_SIZE;
+ size_t size = *((size_t*)realptr);
+- /* Assume at least that all the allocations are padded at sizeof(long) by
+- * the underlying allocator. */
+- if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
+ return size+PREFIX_SIZE;
+ }
+ #endif
+--
+2.23.0
+
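Review bot: The three removed lines sit inside the conditional that the `#endif` at the end of the zmalloc.c hunk closes, i.e. the fallback zmalloc_size() that is compiled only when the allocator provides no malloc_usable_size() (upstream guards it with HAVE_MALLOC_SIZE), so on the jemalloc build this spec appears to produce (Patch0007/Patch0008 touch jemalloc) the backport changes nothing at runtime. That is correct as a defense-in-depth backport, but neither the patch header nor the changelog says so, and the next packager may wonder why the CVE fix has no observable effect. A one-line comment next to the Patch0010 line in redis.spec, such as `# CVE-2021-3470: only effective when redis is built without malloc_usable_size() (HAVE_MALLOC_SIZE undefined)`, would record the scope of the fix. After the change the function returns the size stored in the prefix plus PREFIX_SIZE without rounding, which is the intended behaviour; zmalloc_size() is fully contained in the hunk.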
diff --git a/redis.spec b/redis.spec
index 34294ff..e74d63b 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,6 +1,6 @@
 Name: redis
 Version: 4.0.11
-Release: 14
+Release: 15
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -20,6 +20,7 @@ Patch0006: CVE-2019-10193.patch
 Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.patch
 Patch0008: huawei-deps-jemalloc-support-riscv.patch
 Patch0009: CVE-2021-21309.patch
+Patch0010: CVE-2021-3470.patch
 BuildRequires: systemd
 Requires: /bin/awk
 Requires: logrotate
@@ -45,6 +46,8 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %endif
 %patch0008 -p1
 %patch0009 -p1
+%patch0010 -p1
+
 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
 sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf
@@ -101,7 +104,10 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 
 %changelog
-* Wed 24 Mar 2021 sunguoshuai - 4.0.11-14
+* Wed Apr 07 2021 wangyue - 4.0.11-15
+- Fix CVE-2021-3470
+
+* Wed Mar 24 2021 sunguoshuai - 4.0.11-14
 - change patch file in order src.rpm is same in aarch64 and x86_64
 
 * Thu Mar 11 2021 wangxiao - 4.0.11-13
--
Gitee