helium-3rd-party/meta-openembedded
1
0
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-04-02 02:49:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

redis: fix CVE-2025-32023

Browse Source 
Upstream-Status: Backport from 50188747cb

Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
Hitendra Prajapati 2025-07-16 11:45:12 +05:30 committed by Armin Kuster
parent fb6424156a
commit e66e64ee63
2 changed files with 219 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

218
meta-oe/recipes-extended/redis/redis-7.2.8/CVE-2025-32023.patch Normal file
View File

@ -0,0 +1,218 @@
From 50188747cbfe43528d2719399a2a3c9599169445 Mon Sep 17 00:00:00 2001
From: "debing.sun" <debing.sun@redis.com>
Date: Wed, 7 May 2025 18:25:06 +0800
Subject: [PATCH] Fix out of bounds write in hyperloglog commands
(CVE-2025-32023)
Co-authored-by: oranagra <oran@redislabs.com>
Upstream-Status: Backport [https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445]
CVE: CVE-2025-32023
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
src/hyperloglog.c | 47 +++++++++++++++++++++++++++++++----
tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++
2 files changed, 93 insertions(+), 5 deletions(-)
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
index 1a74f47..ca592a0 100644
--- a/src/hyperloglog.c
+++ b/src/hyperloglog.c
@@ -587,6 +587,7 @@ int hllSparseToDense(robj *o) {
struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse;
int idx = 0, runlen, regval;
uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse);
+ int valid = 1;
/* If the representation is already the right one return ASAP. */
hdr = (struct hllhdr*) sparse;
@@ -606,16 +607,27 @@ int hllSparseToDense(robj *o) {
while(p < end) {
if (HLL_SPARSE_IS_ZERO(p)) {
runlen = HLL_SPARSE_ZERO_LEN(p);
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
idx += runlen;
p++;
} else if (HLL_SPARSE_IS_XZERO(p)) {
runlen = HLL_SPARSE_XZERO_LEN(p);
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
idx += runlen;
p += 2;
} else {
runlen = HLL_SPARSE_VAL_LEN(p);
regval = HLL_SPARSE_VAL_VALUE(p);
- if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
while(runlen--) {
HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
idx++;
@@ -626,7 +638,7 @@ int hllSparseToDense(robj *o) {
/* If the sparse representation was valid, we expect to find idx
* set to HLL_REGISTERS. */
- if (idx != HLL_REGISTERS) {
+ if (!valid || idx != HLL_REGISTERS) {
sdsfree(dense);
return C_ERR;
}
@@ -923,27 +935,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) {
void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) {
int idx = 0, runlen, regval;
uint8_t *end = sparse+sparselen, *p = sparse;
+ int valid = 1;
while(p < end) {
if (HLL_SPARSE_IS_ZERO(p)) {
runlen = HLL_SPARSE_ZERO_LEN(p);
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
idx += runlen;
reghisto[0] += runlen;
p++;
} else if (HLL_SPARSE_IS_XZERO(p)) {
runlen = HLL_SPARSE_XZERO_LEN(p);
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
idx += runlen;
reghisto[0] += runlen;
p += 2;
} else {
runlen = HLL_SPARSE_VAL_LEN(p);
regval = HLL_SPARSE_VAL_VALUE(p);
+ if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
idx += runlen;
reghisto[regval] += runlen;
p++;
}
}
- if (idx != HLL_REGISTERS && invalid) *invalid = 1;
+ if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1;
}
/* ========================= HyperLogLog Count ==============================
@@ -1091,22 +1116,34 @@ int hllMerge(uint8_t *max, robj *hll) {
} else {
uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr);
long runlen, regval;
+ int valid = 1;
p += HLL_HDR_SIZE;
i = 0;
while(p < end) {
if (HLL_SPARSE_IS_ZERO(p)) {
runlen = HLL_SPARSE_ZERO_LEN(p);
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
i += runlen;
p++;
} else if (HLL_SPARSE_IS_XZERO(p)) {
runlen = HLL_SPARSE_XZERO_LEN(p);
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
i += runlen;
p += 2;
} else {
runlen = HLL_SPARSE_VAL_LEN(p);
regval = HLL_SPARSE_VAL_VALUE(p);
- if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
+ if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
+ valid = 0;
+ break;
+ }
while(runlen--) {
if (regval > max[i]) max[i] = regval;
i++;
@@ -1114,7 +1151,7 @@ int hllMerge(uint8_t *max, robj *hll) {
p++;
}
}
- if (i != HLL_REGISTERS) return C_ERR;
+ if (!valid || i != HLL_REGISTERS) return C_ERR;
}
return C_OK;
}
diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
index ee43718..bc90eb2 100644
--- a/tests/unit/hyperloglog.tcl
+++ b/tests/unit/hyperloglog.tcl
@@ -137,6 +137,57 @@ start_server {tags {"hll"}} {
set e
} {*WRONGTYPE*}
+ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} {
+ r del hll
+
+ # Create a sparse-encoded HyperLogLog header
+ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
+
+ # Create an XZERO opcode with the maximum run length of 16384(2^14)
+ set runlen [expr 16384 - 1]
+ set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]]
+ # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total
+ # run length exceed 4GB, will cause an integer overflow.
+ set repeat [expr 131072 + 1000]
+ for {set i 0} {$i < $repeat} {incr i} {
+ append pl $chunk
+ }
+
+ # Create a VAL opcode with a value that will cause out-of-bounds.
+ append pl [binary format c 0b11111111]
+ r set hll $pl
+
+ # This should not overflow and out-of-bounds.
+ assert_error {*INVALIDOBJ*} {r pfcount hll hll}
+ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
+ r ping
+ }
+
+ test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} {
+ r del hll
+
+ # Create a sparse-encoded HyperLogLog header
+ set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
+
+ # # Create an ZERO opcode with the maximum run length of 64(2^6)
+ set chunk [binary format c [expr {0b00000000 | 0x3f}]]
+ # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total
+ # run length exceed 4GB, will cause an integer overflow.
+ set repeat [expr 33554432 + 1000]
+ for {set i 0} {$i < $repeat} {incr i} {
+ append pl $chunk
+ }
+
+ # Create a VAL opcode with a value that will cause out-of-bounds.
+ append pl [binary format c 0b11111111]
+ r set hll $pl
+
+ # This should not overflow and out-of-bounds.
+ assert_error {*INVALIDOBJ*} {r pfcount hll hll}
+ assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
+ r ping
+ }
+
test {Corrupted dense HyperLogLogs are detected: Wrong length} {
r del hll
r pfadd hll a b c
--
2.49.0

1
meta-oe/recipes-extended/redis/redis_7.2.8.bb
View File

@ -16,6 +16,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0004-src-Do-not-reset-FINAL_LIBS.patch \
file://0005-Define-_GNU_SOURCE-to-get-PTHREAD_MUTEX_INITIALIZER.patch \
file://0006-Define-correct-gregs-for-RISCV32.patch \
file://CVE-2025-32023.patch \
"
SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"