slipenkomk/valkey
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply security fixes for CVEs (#1114)

Browse Source 
Apply the security fixes for the release.

(CVE-2024-31449) Lua library commands may lead to stack overflow and
potential RCE.
(CVE-2024-31227) Potential Denial-of-service due to malformed ACL
selectors.
(CVE-2024-31228) Potential Denial-of-service due to unbounded pattern
matching.

---------

Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
This commit is contained in:
Madelyn Olson 2024-10-02 14:09:21 -07:00 committed by GitHub
parent b34537834b
commit 4fbab5740b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 34 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
00-RELEASENOTES
View File

@ -26,6 +26,13 @@ Bug fixes
* Fix a build issue on systems where `<threads.h>` is unavailable. (#1053) * Fix a build issue on systems where `<threads.h>` is unavailable. (#1053)
* Fix an issue with the default `sentinel.conf` being invalid. (#1040) * Fix an issue with the default `sentinel.conf` being invalid. (#1040)
Security fixes
==============
* (CVE-2024-31449) Lua library commands may lead to stack overflow and potential RCE.
* (CVE-2024-31227) Potential Denial-of-service due to malformed ACL selectors.
* (CVE-2024-31228) Potential Denial-of-service due to unbounded pattern matching.
================================================================================ ================================================================================
Valkey 8.0.0 GA - Released Sun 15 Sep 2024 Valkey 8.0.0 GA - Released Sun 15 Sep 2024
================================================================================ ================================================================================

1
deps/lua/src/lua_bit.c vendored
View File

@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
const char *hexdigits = "0123456789abcdef"; const char *hexdigits = "0123456789abcdef";
char buf[8]; char buf[8];
int i; int i;
if (n == INT32_MIN) n = INT32_MIN+1;
if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; } if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
if (n > 8) n = 8; if (n > 8) n = 8;
for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; } for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }

2
src/acl.c
View File

@ -1079,7 +1079,7 @@ int ACLSetSelector(aclSelector *selector, const char *op, size_t oplen) {
flags |= ACL_READ_PERMISSION; flags |= ACL_READ_PERMISSION;
} else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) { } else if (toupper(op[offset]) == 'W' && !(flags & ACL_WRITE_PERMISSION)) {
flags |= ACL_WRITE_PERMISSION; flags |= ACL_WRITE_PERMISSION;
} else if (op[offset] == '~') { } else if (op[offset] == '~' && flags) {
offset++; offset++;
break; break;
} else { } else {

11
src/util.c
View File

@ -59,7 +59,11 @@ static int stringmatchlen_impl(const char *pattern,
const char *string, const char *string,
int stringLen, int stringLen,
int nocase, int nocase,
int *skipLongerMatches) { int *skipLongerMatches,
int nesting) {
/* Protection against abusive patterns. */
if (nesting > 1000) return 0;
while (patternLen && stringLen) { while (patternLen && stringLen) {
switch (pattern[0]) { switch (pattern[0]) {
case '*': case '*':
@ -69,7 +73,8 @@ static int stringmatchlen_impl(const char *pattern,
} }
if (patternLen == 1) return 1; /* match */ if (patternLen == 1) return 1; /* match */
while (stringLen) { while (stringLen) {
if (stringmatchlen_impl(pattern + 1, patternLen - 1, string, stringLen, nocase, skipLongerMatches)) if (stringmatchlen_impl(pattern + 1, patternLen - 1, string, stringLen, nocase, skipLongerMatches,
nesting + 1))
return 1; /* match */ return 1; /* match */
if (*skipLongerMatches) return 0; /* no match */ if (*skipLongerMatches) return 0; /* no match */
string++; string++;
@ -179,7 +184,7 @@ static int stringmatchlen_impl(const char *pattern,
int stringmatchlen(const char *pattern, int patternLen, const char *string, int stringLen, int nocase) { int stringmatchlen(const char *pattern, int patternLen, const char *string, int stringLen, int nocase) {
int skipLongerMatches = 0; int skipLongerMatches = 0;
return stringmatchlen_impl(pattern, patternLen, string, stringLen, nocase, &skipLongerMatches); return stringmatchlen_impl(pattern, patternLen, string, stringLen, nocase, &skipLongerMatches, 0);
} }
int stringmatch(const char *pattern, const char *string, int nocase) { int stringmatch(const char *pattern, const char *string, int nocase) {

5
tests/unit/acl-v2.tcl
View File

@ -116,6 +116,11 @@ start_server {tags {"acl external:skip"}} {
assert_match "*NOPERM*key*" $err assert_match "*NOPERM*key*" $err
} }
test {Validate read and write permissions format} {
catch {r ACL SETUSER key-permission-RW %~} err
set err
} {ERR Error in ACL SETUSER modifier '%~': Syntax error}
test {Test separate read and write permissions on different selectors are not additive} { test {Test separate read and write permissions on different selectors are not additive} {
r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)" r ACL SETUSER key-permission-RW-selector on nopass "(%R~read* +@all)" "(%W~write* +@all)"
$r2 auth key-permission-RW-selector password $r2 auth key-permission-RW-selector password

6
tests/unit/keyspace.tcl
View File

@ -547,4 +547,10 @@ foreach {type large} [array get largevalue] {
assert_no_match "*db2:keys=*" [r info keyspace] assert_no_match "*db2:keys=*" [r info keyspace]
r flushall r flushall
} {OK} {singledb:skip} } {OK} {singledb:skip}
test {Regression for pattern matching very long nested loops} {
r flushdb
r SET [string repeat "a" 50000] 1
r KEYS [string repeat "*?" 50000]
} {}
} }

6
tests/unit/scripting.tcl
View File

@ -733,6 +733,12 @@ start_server {tags {"scripting"}} {
set e set e
} {ERR *Attempt to modify a readonly table*} } {ERR *Attempt to modify a readonly table*}
test {lua bit.tohex bug} {
set res [run_script {return bit.tohex(65535, -2147483648)} 0]
r ping
set res
} {0000FFFF}
test {Test an example script DECR_IF_GT} { test {Test an example script DECR_IF_GT} {
set decr_if_gt { set decr_if_gt {
local current local current