fix CVE-2022-36021

2023-03-28 02:11:58 +00:00 · 2023-03-28 02:11:58 +00:00 · 6a60f0f994
commit 6a60f0f994
parent 87c5328f8c
2 changed files with 96 additions and 2 deletions
--- a/CVE-2022-36021.patch
+++ b/CVE-2022-36021.patch
@ -0,0 +1,89 @@
+From dcbfcb916ca1a269b3feef86ee86835294758f84 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Tue, 28 Feb 2023 15:15:26 +0200
+Subject: [PATCH] String pattern matching had exponential time complexity on
+ pathological patterns (CVE-2022-36021) (#11858)
+
+Authenticated users can use string matching commands with a
+specially crafted pattern to trigger a denial-of-service attack on Redis,
+causing it to hang and consume 100% CPU time.
+
+Co-authored-by: Tom Levy <tomlevy93@gmail.com>
+---
+ src/util.c              | 27 +++++++++++++++++++++++----
+ tests/unit/keyspace.tcl |  6 ++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/src/util.c b/src/util.c
+index d33f4522a507..26d92b92290e 100644
+--- a/src/util.c
+++ b/src/util.c
+@@ -44,8 +44,8 @@
+ #include "sha1.h"
+
+ /* Glob-style pattern matching. */
+-int stringmatchlen(const char *pattern, int patternLen,
+-        const char *string, int stringLen, int nocase)
+static int stringmatchlen_impl(const char *pattern, int patternLen,
+        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+ {
+     while(patternLen) {
+         switch(pattern[0]) {
+@@ -57,12 +57,25 @@
+             if (patternLen == 1)
+                 return 1; /* match */
+             while(stringLen) {
+-                if (stringmatchlen(pattern+1, patternLen-1,
+-                            string, stringLen, nocase))
+               if (stringmatchlen_impl(pattern+1, patternLen-1,
+                            string, stringLen, nocase, skipLongerMatches))
+                     return 1; /* match */
+               if (*skipLongerMatches)
+                    return 0; /* no match */
+                 string++;
+                 stringLen--;
+             }
+           /* There was no match for the rest of the pattern starting
+             * from anywhere in the rest of the string. If there were
+             * any '*' earlier in the pattern, we can terminate the
+             * search early without trying to match them to longer
+             * substrings. This is because a longer match for the
+             * earlier part of the pattern would require the rest of the
+             * pattern to match starting later in the string, and we
+             * have just determined that there is no match for the rest
+             * of the pattern starting from anywhere in the current
+             * string. */
+            *skipLongerMatches = 1;
+             return 0; /* no match */
+             break;
+         case '?':
+@@ -166,6 +179,12 @@
+     return 0;
+ }
+
+int stringmatchlen(const char *pattern, int patternLen,
+        const char *string, int stringLen, int nocase) {
+    int skipLongerMatches = 0;
+    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+}
+
+ int stringmatch(const char *pattern, const char *string, int nocase) {
+     return stringmatchlen(pattern,strlen(pattern),string,strlen(string),nocase);
+ }
+
+
+diff --git a/tests/unit/keyspace.tcl b/tests/unit/keyspace.tcl
+index b173e0efcacc..43690d06b321 100644
+--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
+@@ -493,4 +493,10 @@ foreach {type large} [array get largevalue] {
+         r keys *
+         r keys *
+     } {dlskeriewrioeuwqoirueioqwrueoqwrueqw}
+
+    test {Regression for pattern matching long nested loops} {
+        r flushdb
+        r SET aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa 1
+        r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
+    } {}
+ }
--- a/redis.spec
+++ b/redis.spec
@ -1,6 +1,6 @@
 Name:           redis
 Version:        4.0.11
-Release:        16
+Release:        17
 Summary:        A persistent key-value database
 License:        BSD and MIT
 URL:            https://redis.io
@ -22,6 +22,7 @@ Patch0008:      CVE-2021-21309.patch
 Patch0009:      CVE-2021-3470.patch
 Patch0010:      CVE-2021-29478.patch
 Patch0011:      CVE-2021-32672.patch
+Patch0012:      CVE-2022-36021.patch

 BuildRequires:     systemd
 Requires:          /bin/awk
@ -50,6 +51,7 @@ Redis is an advanced key-value store. It is often referred to as a dattructure s
 %patch0009 -p1
 %patch0010 -p1
 %patch0011 -p1
+%patch0012 -p1

 sed -i -e 's|^logfile .*$|logfile /var/log/redis/redis.log|g' redis.conf
 sed -i -e '$ alogfile /var/log/redis/sentinel.log' sentinel.conf
@ -107,6 +109,9 @@ exit 0
 %{_unitdir}/%{name}-sentinel.service

 %changelog
+* Mon Mar 27 2023 wushaozheng <wushaozheng@ncti-gba.cn> - 4.0.11-17
+- Fix CVE-2022-36021
+
 * Sat Oct 09 2021 yaoxin <yaoxin30@huawei.com> - 4.0.11-16
 - Fix CVE-2021-32672

@ -116,7 +121,7 @@ exit 0
 * Wed Apr 07 2021 wangyue <wangyue92@huawei.com> - 4.0.11-14
 - Fix CVE-2021-3470

-* Wed 24 Mar 2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-13
+* Wed Mar 24  2021 sunguoshuai <sunguoshuai@huawei.com> - 4.0.11-13
 - change patch file in order src.rpm is same in aarch64 and x86_64

 * Fri Mar 12 2021 wangxiao <wangxiao65@huawei.com> - 4.0.11-12