Accepting request 1043788 from server:database

OBS-URL: https://build.opensuse.org/request/show/1043788
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/redis?expand=0&rev=85
This commit is contained in:
Dominique Leuenberger 2022-12-20 19:19:57 +00:00 committed by Git OBS Bridge
commit 10a0a97a76
6 changed files with 33 additions and 210 deletions

View File

@ -1,202 +0,0 @@
From 0bf90d944313919eb8e63d3588bf63a367f020a3 Mon Sep 17 00:00:00 2001
From: "Meir Shpilraien (Spielrein)" <meir@redis.com>
Date: Thu, 29 Sep 2022 08:58:58 +0300
Subject: [PATCH] Avoid crash on crash report when a bad function pointer was
called (#11298)
If Redis crashes due to calling an invalid function pointer,
the `backtrace` function will try to dereference this invalid pointer
which will cause a crash inside the crash report and will kill
the processes without having all the crash report information.
Example:
```
=== REDIS BUG REPORT START: Cut & paste starting from here ===
198672:M 19 Sep 2022 18:06:12.936 # Redis 255.255.255 crashed by signal: 11, si_code: 1
198672:M 19 Sep 2022 18:06:12.936 # Accessing address: 0x1
198672:M 19 Sep 2022 18:06:12.936 # Crashed running the instruction at: 0x1
// here the processes is crashing
```
This PR tries to fix this crash be:
1. Identify the issue when it happened.
2. Replace the invalid pointer with a pointer to some dummy function
so that `backtrace` will not crash.
I identification is done by comparing `eip` to `info->si_addr`, if they
are the same we know that the crash happened on the same address it tries to
accesses and we can conclude that it tries to call and invalid function pointer.
To replace the invalid pointer we introduce a new function, `setMcontextEip`,
which is very similar to `getMcontextEip` and it knows to set the Eip for the
different supported OS's. After printing the trace we retrieve the old `Eip` value.
---
src/debug.c | 80 ++++++++++++++++++++++++++++++++++++++---------------
1 file changed, 58 insertions(+), 22 deletions(-)
diff --git a/src/debug.c b/src/debug.c
index 8cc811be444b..b15ac8780d83 100644
--- a/src/debug.c
+++ b/src/debug.c
@@ -1123,73 +1123,88 @@ void bugReportStart(void) {
}
#ifdef HAVE_BACKTRACE
-static void *getMcontextEip(ucontext_t *uc) {
+
+/* Returns the current eip and set it to the given new value (if its not NULL) */
+static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) {
#define NOT_SUPPORTED() do {\
UNUSED(uc);\
+ UNUSED(eip);\
return NULL;\
} while(0)
+#define GET_SET_RETURN(target_var, new_val) do {\
+ void *old_val = (void*)target_var; \
+ if (new_val) { \
+ void **temp = (void**)&target_var; \
+ *temp = new_val; \
+ } \
+ return old_val; \
+} while(0)
#if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6)
/* OSX < 10.6 */
#if defined(__x86_64__)
- return (void*) uc->uc_mcontext->__ss.__rip;
+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip);
#elif defined(__i386__)
- return (void*) uc->uc_mcontext->__ss.__eip;
+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip);
#else
- return (void*) uc->uc_mcontext->__ss.__srr0;
+ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip);
#endif
#elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6)
/* OSX >= 10.6 */
#if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__)
- return (void*) uc->uc_mcontext->__ss.__rip;
+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip);
#elif defined(__i386__)
- return (void*) uc->uc_mcontext->__ss.__eip;
+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip);
#else
/* OSX ARM64 */
- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss);
+ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss);
+ if (eip) {
+ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip);
+ }
+ return old_val;
#endif
#elif defined(__linux__)
/* Linux */
#if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__))
- return (void*) uc->uc_mcontext.gregs[14]; /* Linux 32 */
+ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip);
#elif defined(__X86_64__) || defined(__x86_64__)
- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */
+ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip);
#elif defined(__ia64__) /* Linux IA64 */
- return (void*) uc->uc_mcontext.sc_ip;
+ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip);
#elif defined(__arm__) /* Linux ARM */
- return (void*) uc->uc_mcontext.arm_pc;
+ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip);
#elif defined(__aarch64__) /* Linux AArch64 */
- return (void*) uc->uc_mcontext.pc;
+ GET_SET_RETURN(uc->uc_mcontext.pc, eip);
#else
NOT_SUPPORTED();
#endif
#elif defined(__FreeBSD__)
/* FreeBSD */
#if defined(__i386__)
- return (void*) uc->uc_mcontext.mc_eip;
+ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip);
#elif defined(__x86_64__)
- return (void*) uc->uc_mcontext.mc_rip;
+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip);
#else
NOT_SUPPORTED();
#endif
#elif defined(__OpenBSD__)
/* OpenBSD */
#if defined(__i386__)
- return (void*) uc->sc_eip;
+ GET_SET_RETURN(uc->sc_eip, eip);
#elif defined(__x86_64__)
- return (void*) uc->sc_rip;
+ GET_SET_RETURN(uc->sc_rip, eip);
#else
NOT_SUPPORTED();
#endif
#elif defined(__NetBSD__)
#if defined(__i386__)
- return (void*) uc->uc_mcontext.__gregs[_REG_EIP];
+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip);
#elif defined(__x86_64__)
- return (void*) uc->uc_mcontext.__gregs[_REG_RIP];
+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip);
#else
NOT_SUPPORTED();
#endif
#elif defined(__DragonFly__)
- return (void*) uc->uc_mcontext.mc_rip;
+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip);
#else
NOT_SUPPORTED();
#endif
@@ -1951,6 +1966,10 @@ void dumpCodeAroundEIP(void *eip) {
}
}
+void invalidFunctionWasCalled() {}
+
+typedef void (*invalidFunctionWasCalledType)();
+
void sigsegvHandler(int sig, siginfo_t *info, void *secret) {
UNUSED(secret);
UNUSED(info);
@@ -1968,13 +1987,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) {
#ifdef HAVE_BACKTRACE
ucontext_t *uc = (ucontext_t*) secret;
- void *eip = getMcontextEip(uc);
+ void *eip = getAndSetMcontextEip(uc, NULL);
if (eip != NULL) {
serverLog(LL_WARNING,
"Crashed running the instruction at: %p", eip);
}
- logStackTrace(getMcontextEip(uc), 1);
+ if (eip == info->si_addr) {
+ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped
+ * function pointer. In that case the call to backtrace will crash trying to access that address and we
+ * won't get a crash report logged. Set it to a valid point to avoid that crash. */
+
+ /* This trick allow to avoid compiler warning */
+ void *ptr;
+ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr;
+ *ptr_ptr = invalidFunctionWasCalled;
+ getAndSetMcontextEip(uc, ptr);
+ }
+
+ logStackTrace(eip, 1);
+
+ if (eip == info->si_addr) {
+ /* Restore old eip */
+ getAndSetMcontextEip(uc, eip);
+ }
logRegisters(uc);
#endif
@@ -2079,7 +2115,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) {
serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---");
#ifdef HAVE_BACKTRACE
- logStackTrace(getMcontextEip(uc), 1);
+ logStackTrace(getAndSetMcontextEip(uc, NULL), 1);
#else
serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace().");
#endif

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:67054cc37b58c125df93bd78000261ec0ef4436a26b40f38262c780e56315cc3
size 2968205

3
redis-7.0.7.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586
size 2979019

View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Fri Dec 16 13:15:09 UTC 2022 - Michael Ströder <michael@stroeder.com>
- Update to version 7.0.7
* Fix regression from Redis 7.0.6 in distance replies
of Geo commands (#11631)
-------------------------------------------------------------------
Thu Dec 15 21:05:16 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
- Update to version 7.0.6:
* RM_ResetDataset module API should not clear the functions
* RM_Call module API used with the "C" flag to run scripts,
would now cause the commands in the script to check ACL with
the designated user
* Geo commands speedups
* Fix EVAL command performance regression from Redis 7.0
* Reduce EXPIRE commands performance regression from Redis 7.0
* Optimize commands returning double values, mainly affecting zset
commands
* Optimize Lua parsing of some command responses
* Optimize client memory usage tracking operation while client
eviction is disabled
* Multiple bug fixes for crashes, hangs, and incorrect behavior
- drop cve-2022-3647.patch now upstream
-------------------------------------------------------------------
Mon Oct 24 14:56:10 UTC 2022 - Danilo Spinella <danilo.spinella@suse.com>

View File

@ -143,3 +143,6 @@ hash redis-7.0.2.tar.gz sha256 5e57eafe7d4ac5ecb6a7d64d6b61db775616dbf903293b3fc
hash redis-7.0.3.tar.gz sha256 2cde7d17214ffe305953da9fff12333e8a72caa57fd4923e4872f6362a208e73 http://download.redis.io/releases/redis-7.0.3.tar.gz
hash redis-7.0.4.tar.gz sha256 f0e65fda74c44a3dd4fa9d512d4d4d833dd0939c934e946a5c622a630d057f2f http://download.redis.io/releases/redis-7.0.4.tar.gz
hash redis-7.0.5.tar.gz sha256 67054cc37b58c125df93bd78000261ec0ef4436a26b40f38262c780e56315cc3 http://download.redis.io/releases/redis-7.0.5.tar.gz
hash redis-6.2.8.tar.gz sha256 f91ab24bcb42673cb853292eb5d43c2017d11d659854808ed6a529c97297fdfe http://download.redis.io/releases/redis-6.2.8.tar.gz
hash redis-7.0.6.tar.gz sha256 7b33a7e890d13e27af1f246acb16312669ad8a1d56ce8f807dfbcd3c09aa7bb3 http://download.redis.io/releases/redis-7.0.6.tar.gz
hash redis-7.0.7.tar.gz sha256 8d327d7e887d1bb308fc37aaf717a0bf79f58129e3739069aaeeae88955ac586 http://download.redis.io/releases/redis-7.0.7.tar.gz

View File

@ -20,7 +20,7 @@
%define _log_dir %{_localstatedir}/log/%{name}
%define _conf_dir %{_sysconfdir}/%{name}
Name: redis
Version: 7.0.5
Version: 7.0.7
Release: 0
Summary: Persistent key-value database
License: BSD-3-Clause
@ -40,9 +40,6 @@ Source10: https://raw.githubusercontent.com/redis/redis-hashes/master/READ
Patch0: %{name}-conf.patch
Patch3: reproducible.patch
Patch4: ppc-atomic.patch
# PATCH-FIX-UPSTREAm bsc#1204633 danilo.spinella@suse.com CVE-2022-3647
# crash in sigsegvHandler debug function
Patch5: cve-2022-3647.patch
BuildRequires: jemalloc-devel
BuildRequires: libopenssl-devel >= 1.1.1
BuildRequires: pkgconfig
@ -70,7 +67,6 @@ echo "`grep -F %{name}-%{version}.tar.gz %{SOURCE10} | cut -d' ' -f4` %{SOURCE0
%patch0
%patch3 -p1
%patch4 -p1
%patch5 -p1
%build
export HOST=OBS # for reproducible builds