|
|
Backported for 5.0.3
|
|
|
|
|
|
|
|
|
|
|
|
From a4b813d8b844094fcd77c511af596866043b20c8 Mon Sep 17 00:00:00 2001
|
|
|
From: "meir@redislabs.com" <meir@redislabs.com>
|
|
|
Date: Sun, 13 Jun 2021 14:27:18 +0300
|
|
|
Subject: [PATCH] Fix invalid memory write on lua stack overflow
|
|
|
{CVE-2021-32626}
|
|
|
MIME-Version: 1.0
|
|
|
Content-Type: text/plain; charset=UTF-8
|
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
|
|
When LUA call our C code, by default, the LUA stack has room for 20
|
|
|
elements. In most cases, this is more than enough but sometimes it's not
|
|
|
and the caller must verify the LUA stack size before he pushes elements.
|
|
|
|
|
|
On 3 places in the code, there was no verification of the LUA stack size.
|
|
|
On specific inputs this missing verification could have lead to invalid
|
|
|
memory write:
|
|
|
1. On 'luaReplyToRedisReply', one might return a nested reply that will
|
|
|
explode the LUA stack.
|
|
|
2. On 'redisProtocolToLuaType', the Redis reply might be deep enough
|
|
|
to explode the LUA stack (notice that currently there is no such
|
|
|
command in Redis that returns such a nested reply, but modules might
|
|
|
do it)
|
|
|
3. On 'ldbRedis', one might give a command with enough arguments to
|
|
|
explode the LUA stack (all the arguments will be pushed to the LUA
|
|
|
stack)
|
|
|
|
|
|
This commit is solving all those 3 issues by calling 'lua_checkstack' and
|
|
|
verify that there is enough room in the LUA stack to push elements. In
|
|
|
case 'lua_checkstack' returns an error (there is not enough room in the
|
|
|
LUA stack and it's not possible to increase the stack), we will do the
|
|
|
following:
|
|
|
1. On 'luaReplyToRedisReply', we will return an error to the user.
|
|
|
2. On 'redisProtocolToLuaType' we will exit with panic (we assume this
|
|
|
scenario is rare because it can only happen with a module).
|
|
|
3. On 'ldbRedis', we return an error.
|
|
|
|
|
|
(cherry picked from commit d32a3f74f2a343846b50920e95754a955c1a10a9)
|
|
|
---
|
|
|
src/scripting.c | 36 ++++++++++++++++++++++++++++++++++++
|
|
|
1 file changed, 36 insertions(+)
|
|
|
|
|
|
diff --git a/src/scripting.c b/src/scripting.c
|
|
|
index db1e4d4b5f1..153b942404e 100644
|
|
|
--- a/src/scripting.c
|
|
|
+++ b/src/scripting.c
|
|
|
@@ -125,6 +125,16 @@ void sha1hex(char *digest, char *script, size_t len) {
|
|
|
*/
|
|
|
|
|
|
char *redisProtocolToLuaType(lua_State *lua, char* reply) {
|
|
|
+
|
|
|
+ if (!lua_checkstack(lua, 5)) {
|
|
|
+ /*
|
|
|
+ * Increase the Lua stack if needed, to make sure there is enough room
|
|
|
+ * to push 5 elements to the stack. On failure, exit with panic.
|
|
|
+ * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate
|
|
|
+ * might push 5 elements to the Lua stack.*/
|
|
|
+ serverPanic("lua stack limit reach when parsing redis.call reply");
|
|
|
+ }
|
|
|
+
|
|
|
char *p = reply;
|
|
|
|
|
|
switch(*p) {
|
|
|
@@ -275,6 +285,17 @@ void luaSortArray(lua_State *lua) {
|
|
|
* ------------------------------------------------------------------------- */
|
|
|
|
|
|
void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
+
|
|
|
+ if (!lua_checkstack(lua, 4)) {
|
|
|
+ /* Increase the Lua stack if needed to make sure there is enough room
|
|
|
+ * to push 4 elements to the stack. On failure, return error.
|
|
|
+ * Notice that we need, in the worst case, 4 elements because returning a map might
|
|
|
+ * require push 4 elements to the Lua stack.*/
|
|
|
+ addReplyErrorFormat(c, "reached lua stack limit");
|
|
|
+ lua_pop(lua,1); // pop the element from the stack
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
int t = lua_type(lua,-1);
|
|
|
|
|
|
switch(t) {
|
|
|
@@ -292,6 +313,9 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
* Error are returned as a single element table with 'err' field.
|
|
|
* Status replies are returned as single element table with 'ok'
|
|
|
* field. */
|
|
|
+
|
|
|
+ /* Handle error reply. */
|
|
|
+ /* we took care of the stack size on function start */
|
|
|
lua_pushstring(lua,"err");
|
|
|
lua_gettable(lua,-2);
|
|
|
t = lua_type(lua,-1);
|
|
|
@@ -320,6 +344,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
|
|
|
lua_pop(lua,1); /* Discard the 'ok' field value we popped */
|
|
|
while(1) {
|
|
|
+ /* we took care of the stack size on function start */
|
|
|
lua_pushnumber(lua,j++);
|
|
|
lua_gettable(lua,-2);
|
|
|
t = lua_type(lua,-1);
|
|
|
@@ -2231,6 +2256,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) {
|
|
|
void ldbRedis(lua_State *lua, sds *argv, int argc) {
|
|
|
int j, saved_rc = server.lua_replicate_commands;
|
|
|
|
|
|
+ if (!lua_checkstack(lua, argc + 1)) {
|
|
|
+ /* Increase the Lua stack if needed to make sure there is enough room
|
|
|
+ * to push 'argc + 1' elements to the stack. On failure, return error.
|
|
|
+ * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments
|
|
|
+ * given by the user (without the first argument) and we also push the 'redis' global table and
|
|
|
+ * 'redis.call' function so:
|
|
|
+ * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/
|
|
|
+ ldbLogRedisReply("max lua stack reached");
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
lua_getglobal(lua,"redis");
|
|
|
lua_pushstring(lua,"call");
|
|
|
lua_gettable(lua,-2); /* Stack: redis, redis.call */
|