From 30b930438d614d44d15461864eb9241cdb24a1af Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 7 Apr 2021 15:04:24 +0800
Subject: [PATCH] Fix CVE-2021-3470

(cherry picked from commit f0007957335f927dea83c460dfac01799105628d)
---
 CVE-2021-3470.patch | 39 +++++++++++++++++++++++++++++++++++++++
 redis.spec          |  9 ++++++++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-3470.patch

diff --git a/CVE-2021-3470.patch b/CVE-2021-3470.patch
new file mode 100644
index 0000000..d49e271
--- /dev/null
+++ b/CVE-2021-3470.patch
@@ -0,0 +1,39 @@
+From a714d2561b78985ec85f3056aac83c603cbaaa5f Mon Sep 17 00:00:00 2001
+From: wang_yue111 <648774160@qq.com>
+Date: Wed, 7 Apr 2021 10:00:53 +0800
+Subject: [PATCH] Fix wrong zmalloc_size() assumption. (#7963)
+
+When using a system with no malloc_usable_size(), zmalloc_size() assumed
+that the heap allocator always returns blocks that are long-padded.
+
+This may not always be the case, and will result with zmalloc_size()
+returning a size that is bigger than allocated. At least in one case
+this leads to out of bound write, process crash and a potential security
+vulnerability.
+
+Effectively this does not affect the vast majority of users, who use
+jemalloc or glibc.
+
+This problem along with a (different) fix was reported by Drew DeVault.
+
+---
+ src/zmalloc.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/src/zmalloc.c b/src/zmalloc.c
+index cc47f71..67b1b65 100644
+--- a/src/zmalloc.c
++++ b/src/zmalloc.c
+@@ -186,9 +186,6 @@ void *zrealloc(void *ptr, size_t size) {
+ size_t zmalloc_size(void *ptr) {
+     void *realptr = (char*)ptr-PREFIX_SIZE;
+     size_t size = *((size_t*)realptr);
+-    /* Assume at least that all the allocations are padded at sizeof(long) by
+-     * the underlying allocator. */
+-    if (size&(sizeof(long)-1)) size += sizeof(long)-(size&(sizeof(long)-1));
+     return size+PREFIX_SIZE;
+ }
+ #endif
+-- 
+2.23.0
+
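Review bot: The rounding removed from zmalloc_size() lives in the fallback implementation that is only compiled when the allocator offers no usable-size query — the `#endif` context line closes what is presumably the `#ifndef HAVE_MALLOC_SIZE` guard, and the embedded description itself says jemalloc and glibc users are unaffected — so for the package's default allocator this hunk is dead code and nothing in the build exercises the change. That is acceptable for a backport, but the spec changelog records "Fix CVE-2021-3470" without saying that only the no-malloc_usable_size() fallback changed; if this package can be built against a libc that lacks malloc_usable_size() (for example a libc-allocator build), that is the configuration to retest, and an unaffected build should not be described as newly fixed. I would add one line to the patch header so future readers do not go looking for the code path on jemalloc builds: `Only the fallback zmalloc_size() used when malloc_usable_size() is unavailable is changed; jemalloc/glibc builds were not affected.` The enclosing `#ifndef` block begins outside the embedded hunk; zmalloc_size() itself is fully inside it.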
diff --git a/redis.spec b/redis.spec
index d8036ac..591afa7 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,6 +1,6 @@
 Name: redis
 Version: 4.0.11
-Release: 13
+Release: 14
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -19,6 +19,8 @@ Patch0005: Aesthetic-changes-to-PR.patch
 Patch0006: CVE-2019-10193.patch
 Patch0007: modify-aarch64-architecture-jemalloc-page-size-from-4k-to-64k.patch
 Patch0008: CVE-2021-21309.patch
+Patch0009: CVE-2021-3470.patch
+
 BuildRequires: systemd
 Requires: /bin/awk
 Requires: logrotate
@@ -43,6 +45,8 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0007 -p1
 %endif
 %patch0008 -p1
+%patch0009 -p1
+
 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
 sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf
@@ -99,6 +103,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 
 %changelog
+* Wed Apr 07 2021 wangyue - 4.0.11-14
+- Fix CVE-2021-3470
+
 * Wed 24 Mar 2021 sunguoshuai - 4.0.11-13
 - change patch file in order src.rpm is same in aarch64 and x86_64
 
-- 
Gitee
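Review bot: Both `+Patch0009: CVE-2021-3470.patch` and `+%patch0009 -p1` are followed by an added `+` blank line that the surrounding spec does not use — Patch0006 through Patch0008 sit directly against `BuildRequires:`, and `%patch0008 -p1` directly against the first `sed` line — so the two blank lines are a style departure rather than part of the fix and will make the next Patch0010 look misplaced. I would drop both so the declaration stays contiguous with the patch list and the `%patch` call with the rest of the %prep sequence. Applying `%patch0009 -p1` after the `%endif` rather than inside the preceding architecture-conditional block appears correct, since the zmalloc_size() change in the patch is not architecture-specific. The %prep section continues outside this hunk.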