From dd06e80bf3eba2bcce439229fc508ea36eece06f Mon Sep 17 00:00:00 2001
From: wszlight <wushaozheng@ncti-gba.cn>
Date: Tue, 28 Mar 2023 01:48:43 +0000
Subject: [PATCH] fix CVE-2022-36021

(cherry picked from commit dcfdee2c5e48c6c6a74104f6011c2d779ecd7878)
---
 CVE-2022-36021.patch | 92 ++++++++++++++++++++++++++++++++++++++++++++
 redis.spec           |  7 +++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-36021.patch

diff --git a/CVE-2022-36021.patch b/CVE-2022-36021.patch
new file mode 100644
index 0000000..0eb5b30
--- /dev/null
+++ b/CVE-2022-36021.patch
@@ -0,0 +1,92 @@
+From dcbfcb916ca1a269b3feef86ee86835294758f84 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Tue, 28 Feb 2023 15:15:26 +0200
+Subject: [PATCH] String pattern matching had exponential time complexity on
+ pathological patterns (CVE-2022-36021) (#11858)
+
+Authenticated users can use string matching commands with a
+specially crafted pattern to trigger a denial-of-service attack on Redis,
+causing it to hang and consume 100% CPU time.
+
+Co-authored-by: Tom Levy <tomlevy93@gmail.com>
+---
+ src/util.c              | 27 +++++++++++++++++++++++----
+ tests/unit/keyspace.tcl |  6 ++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index d33f4522a507..26d92b92290e 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -44,8 +44,8 @@
+ #include "sha1.h"
+
+ /* Glob-style pattern matching. */
+-int stringmatchlen(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase)
++static int stringmatchlen_impl(const char *pattern, int patternLen,
++        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+ {
+     while(patternLen && stringLen) {
+         switch(pattern[0]) {
+@@ -57,12 +57,24 @@
+             if (patternLen == 1)
+                 return 1; /* match */
+             while(stringLen) {
+-                if (stringmatchlen(pattern+1, patternLen-1,
+-                            string, stringLen, nocase))
++               if (stringmatchlen_impl(pattern+1, patternLen-1,
++                            string, stringLen, nocase, skipLongerMatches))
+                     return 1; /* match */
++               if (*skipLongerMatches)
++                    return 0; /* no match */
+                 string++;
+                 stringLen--;
+             }
++           /* There was no match for the rest of the pattern starting
++             * from anywhere in the rest of the string. If there were
++             * any '*' earlier in the pattern, we can terminate the
++             * search early without trying to match them to longer
++             * substrings. This is because a longer match for the
++             * earlier part of the pattern would require the rest of the
++             * pattern to match starting later in the string, and we
++             * have just determined that there is no match for the rest
++             * of the pattern starting from anywhere in the current
++             * string. */
+             return 0; /* no match */
+             break;
+         case '?':
+@@ -166,10 +178,17 @@
+     return 0;
+ }
+
++int stringmatchlen(const char *pattern, int patternLen,
++        const char *string, int stringLen, int nocase) {
++    int skipLongerMatches = 0;
++    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++}
++
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+     return stringmatchlen(pattern,strlen(pattern),string,strlen(string),nocase);
+ }
+
++
+ /* Convert a string representing an amount of memory into the number of
+  * bytes, so for instance memtoll("1Gb") will return 1073741824 that is
+  * (1024*1024*1024).
+
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index b173e0efcacc..43690d06b321 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -493,4 +493,10 @@ foreach {type large} [array get largevalue] {
+         r keys *
+         r keys *
+     } {dlskeriewrioeuwqoirueioqwrueoqwrueqw}
++
++    test {Regression for pattern matching long nested loops} {
++        r flushdb
++        r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
++        r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
++    } {}
+ }
diff --git a/redis.spec b/redis.spec
index 779ec72..ed2bff8 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.14
-Release:        3
+Release:        4
 Summary:        A persistent key-value database
 License:        BSD-3-Clause and MIT
 URL:            https://redis.io
@@ -19,6 +19,7 @@ Patch0007:      CVE-2021-21309.patch
 Patch0008:      CVE-2021-3470.patch
 Patch0009:      CVE-2021-29478.patch
 Patch0010:      CVE-2021-32672.patch
+Patch0011:      CVE-2022-36021.patch
 
 BuildRequires:     systemd gcc
 Requires:          /bin/awk
@@ -46,6 +47,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0008 -p1
 %patch0009 -p1
 %patch0010 -p1
+%patch0011 -p1
 %ifarch loongarch64
 %_update_config_guess
 %_update_config_sub
@@ -107,6 +109,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 
 %changelog
+* Mon Mar 27 2023 wushaozheng<wushaozheng@ncti-gba.cn> - 4.0.14-4
+- Fix CVE-2022-36021.patch
+
 * Tue Nov 15 2022 huajingyun<huajingyun@loongson.cn> - 4.0.14-3
 - Update config.guess and config.sub for loongarch
 
-- 
Gitee