packages/redis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!76 FIX CVE-2022-36021

Browse Source 
From: @wszlight 
Reviewed-by: @wang--ge 
Signed-off-by: @wang--ge
This commit is contained in:
openeuler-ci-bot 2023-03-28 03:44:41 +00:00 committed by Gitee
commit 6372c32058
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 96 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
CVE-2022-36021.patch Normal file
View File

@ -0,0 +1,89 @@
From dcbfcb916ca1a269b3feef86ee86835294758f84 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Tue, 28 Feb 2023 15:15:26 +0200
Subject: [PATCH] String pattern matching had exponential time complexity on
pathological patterns (CVE-2022-36021) (#11858)
Authenticated users can use string matching commands with a
specially crafted pattern to trigger a denial-of-service attack on Redis,
causing it to hang and consume 100% CPU time.
Co-authored-by: Tom Levy <tomlevy93@gmail.com>
---
src/util.c | 27 +++++++++++++++++++++++----
tests/unit/keyspace.tcl | 6 ++++++
2 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/src/util.c b/src/util.c
index d33f4522a507..26d92b92290e 100644
--- a/src/util.c
+++ b/src/util.c
@@ -44,8 +44,8 @@
#include "sha1.h"
/* Glob-style pattern matching. */
-int stringmatchlen(const char *pattern, int patternLen,
- const char *string, int stringLen, int nocase)
+static int stringmatchlen_impl(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase, int *skipLongerMatches)
{
while(patternLen) {
switch(pattern[0]) {
@@ -57,12 +57,25 @@
if (patternLen == 1)
return 1; /* match */
while(stringLen) {
- if (stringmatchlen(pattern+1, patternLen-1,
- string, stringLen, nocase))
+ if (stringmatchlen_impl(pattern+1, patternLen-1,
+ string, stringLen, nocase, skipLongerMatches))
return 1; /* match */
+ if (*skipLongerMatches)
+ return 0; /* no match */
string++;
stringLen--;
}
+ /* There was no match for the rest of the pattern starting
+ * from anywhere in the rest of the string. If there were
+ * any '*' earlier in the pattern, we can terminate the
+ * search early without trying to match them to longer
+ * substrings. This is because a longer match for the
+ * earlier part of the pattern would require the rest of the
+ * pattern to match starting later in the string, and we
+ * have just determined that there is no match for the rest
+ * of the pattern starting from anywhere in the current
+ * string. */
+ *skipLongerMatches = 1;
return 0; /* no match */
break;
case '?':
@@ -166,6 +179,12 @@
return 0;
}
+int stringmatchlen(const char *pattern, int patternLen,
+ const char *string, int stringLen, int nocase) {
+ int skipLongerMatches = 0;
+ return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+}
+
int stringmatch(const char *pattern, const char *string, int nocase) {
return stringmatchlen(pattern,strlen(pattern),string,strlen(string),nocase);
}
diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
index b173e0efcacc..43690d06b321 100644
--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
@@ -493,4 +493,10 @@ foreach {type large} [array get largevalue] {
r keys *
r keys *
} {dlskeriewrioeuwqoirueioqwrueoqwrueqw}
+
+ test {Regression for pattern matching long nested loops} {
+ r flushdb
+ r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+ r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+ } {}
}

9
redis.spec
View File

@ -1,6 +1,6 @@
Name: redis Name: redis
Version: 4.0.11 Version: 4.0.11
Release: 16 Release: 17
Summary: A persistent key-value database Summary: A persistent key-value database
License: BSD and MIT License: BSD and MIT
URL: https://redis.io URL: https://redis.io
@ -22,6 +22,7 @@ Patch0008: CVE-2021-21309.patch
Patch0009: CVE-2021-3470.patch Patch0009: CVE-2021-3470.patch
Patch0010: CVE-2021-29478.patch Patch0010: CVE-2021-29478.patch
Patch0011: CVE-2021-32672.patch Patch0011: CVE-2021-32672.patch
Patch0012: CVE-2022-36021.patch
BuildRequires: systemd BuildRequires: systemd
Requires: /bin/awk Requires: /bin/awk
@ -50,6 +51,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
%patch0009 -p1 %patch0009 -p1
%patch0010 -p1 %patch0010 -p1
%patch0011 -p1 %patch0011 -p1
%patch0012 -p1
sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@ -107,6 +109,9 @@ exit 0
%{_unitdir}/%{name}-sentinel.service %{_unitdir}/%{name}-sentinel.service
%changelog %changelog
* Mon Mar 27 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 4.0.11-17
- Fix CVE-2022-36021
* Sat Oct 09 2021 yaoxin <yaoxin30@huawei.com> - 4.0.11-16 * Sat Oct 09 2021 yaoxin <yaoxin30@huawei.com> - 4.0.11-16
- Fix CVE-2021-32672 - Fix CVE-2021-32672
@ -116,7 +121,7 @@ exit 0
* Wed Apr 07 2021 wangyue <wangyue92@huawei.com> - 4.0.11-14 * Wed Apr 07 2021 wangyue <wangyue92@huawei.com> - 4.0.11-14
- Fix CVE-2021-3470 - Fix CVE-2021-3470
* Wed 24 Mar 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-13 * Wed Mar 24 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-13
- change patch file in order src.rpm is same in aarch64 and x86_64 - change patch file in order src.rpm is same in aarch64 and x86_64
* Fri Mar 12 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-12 * Fri Mar 12 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-12