From 6a60f0f9943cc19d19ad33ee1699ad54853fddf1 Mon Sep 17 00:00:00 2001
From: wszlight
Date: Tue, 28 Mar 2023 02:11:58 +0000
Subject: [PATCH] fix CVE-2022-36021

---
 CVE-2022-36021.patch | 89 ++++++++++++++++++++++++++++++++++++++++++++
 redis.spec | 9 ++++-
 2 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 CVE-2022-36021.patch

diff --git a/CVE-2022-36021.patch b/CVE-2022-36021.patch
new file mode 100644
index 0000000..8bc5984
--- /dev/null
+++ b/CVE-2022-36021.patch
@@ -0,0 +1,89 @@
+From dcbfcb916ca1a269b3feef86ee86835294758f84 Mon Sep 17 00:00:00 2001
+From: Oran Agra
+Date: Tue, 28 Feb 2023 15:15:26 +0200
+Subject: [PATCH] String pattern matching had exponential time complexity on
+ pathological patterns (CVE-2022-36021) (#11858)
+
+Authenticated users can use string matching commands with a
+specially crafted pattern to trigger a denial-of-service attack on Redis,
+causing it to hang and consume 100% CPU time.
+
+Co-authored-by: Tom Levy
+---
+ src/util.c | 27 +++++++++++++++++++++++----
+ tests/unit/keyspace.tcl | 6 ++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index d33f4522a507..26d92b92290e 100644
+--- a/src/util.c
++++ b/src/util.c
+@@ -44,8 +44,8 @@
+ #include "sha1.h"
+ 
+ /* Glob-style pattern matching. */
+-int stringmatchlen(const char *pattern, int patternLen,
+- const char *string, int stringLen, int nocase)
++static int stringmatchlen_impl(const char *pattern, int patternLen,
++ const char *string, int stringLen, int nocase, int *skipLongerMatches)
+ {
+ while(patternLen) {
+ switch(pattern[0]) {
+@@ -57,12 +57,25 @@
+ if (patternLen == 1)
+ return 1; /* match */
+ while(stringLen) {
+- if (stringmatchlen(pattern+1, patternLen-1,
+- string, stringLen, nocase))
++ if (stringmatchlen_impl(pattern+1, patternLen-1,
++ string, stringLen, nocase, skipLongerMatches))
+ return 1; /* match */
++ if (*skipLongerMatches)
++ return 0; /* no match */
+ string++;
+ stringLen--;
+ }
++ /* There was no match for the rest of the pattern starting
++ * from anywhere in the rest of the string. If there were
++ * any '*' earlier in the pattern, we can terminate the
++ * search early without trying to match them to longer
++ * substrings. This is because a longer match for the
++ * earlier part of the pattern would require the rest of the
++ * pattern to match starting later in the string, and we
++ * have just determined that there is no match for the rest
++ * of the pattern starting from anywhere in the current
++ * string. */
++ *skipLongerMatches = 1;
+ return 0; /* no match */
+ break;
+ case '?':
+@@ -166,6 +179,12 @@
+ return 0;
+ }
+ 
++int stringmatchlen(const char *pattern, int patternLen,
++ const char *string, int stringLen, int nocase) {
++ int skipLongerMatches = 0;
++ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
++}
++
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+ return stringmatchlen(pattern,strlen(pattern),string,strlen(string),nocase);
+ }
+
+
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index b173e0efcacc..43690d06b321 100644
+--- a/tests/unit/keyspace.tcl
++++ b/tests/unit/keyspace.tcl
+@@ -493,4 +493,10 @@ foreach {type large} [array get largevalue] {
+ r keys *
+ r keys *
+ } {dlskeriewrioeuwqoirueioqwrueoqwrueqw}
++
++ test {Regression for pattern matching long nested loops} {
++ r flushdb
++ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
++ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
++ } {}
+ }
diff --git a/redis.spec b/redis.spec
index ad448c7..aabc8ec 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,6 +1,6 @@
 Name: redis
 Version: 4.0.11
-Release: 16
+Release: 17
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -22,6 +22,7 @@ Patch0008: CVE-2021-21309.patch
 Patch0009: CVE-2021-3470.patch
 Patch0010: CVE-2021-29478.patch
 Patch0011: CVE-2021-32672.patch
+Patch0012: CVE-2022-36021.patch
 
 BuildRequires: systemd
 Requires: /bin/awk
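Review bot: The backported hunks carry context from a much newer upstream tree (`index d33f4522a507..26d92b92290e`, a tests hunk anchored at `@@ -493,4 +493,10 @@`), and nothing in the spec hunks shows that they land in 4.0.11's `src/util.c` without fuzz; if `%patch0012 -p1` applies the second inner hunk with fuzz, `*skipLongerMatches = 1;` could end up somewhere other than directly after the `while(stringLen)` loop in `case '*':`, which is the only position at which the early exit is sound. Check the build log for offset/fuzz messages on this patch before relying on it as the CVE-2022-36021 fix. The `tests/unit/keyspace.tcl` regression test is carried in the patch but, as far as the visible hunks show, the spec never runs it (no `%check` appears), so it does not currently guard the backport; running it once against the patched build would confirm the fix took effect. The body of `stringmatchlen_impl` between `case '?':` and the final `return 0;` lies outside the inner hunks, so whether 4.0.11's version has any other recursive call site that would also need `skipLongerMatches` threaded through cannot be confirmed from here.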
@@ -50,6 +51,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0009 -p1
 %patch0010 -p1
 %patch0011 -p1
+%patch0012 -p1
 
 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@@ -107,6 +109,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service
 
 %changelog
+* Mon Mar 27 2023 wushaozheng - 4.0.11-17
+- Fix CVE-2022-36021
+
 * Sat Oct 09 2021 yaoxin - 4.0.11-16
 - Fix CVE-2021-32672
 
@@ -116,7 +121,7 @@ exit 0
 * Wed Apr 07 2021 wangyue - 4.0.11-14
 - Fix CVE-2021-3470
 
-* Wed 24 Mar 2021 sunguoshuai - 4.0.11-13
+* Wed Mar 24 2021 sunguoshuai - 4.0.11-13
 - change patch file in order src.rpm is same in aarch64 and x86_64
 
 * Fri Mar 12 2021 wangxiao - 4.0.11-12