diff --git a/cve-2022-3647.patch b/cve-2022-3647.patch deleted file mode 100644 index 685b426..0000000 --- a/cve-2022-3647.patch +++ /dev/null @@ -1,202 +0,0 @@ -From 0bf90d944313919eb8e63d3588bf63a367f020a3 Mon Sep 17 00:00:00 2001 -From: "Meir Shpilraien (Spielrein)" -Date: Thu, 29 Sep 2022 08:58:58 +0300 -Subject: [PATCH] Avoid crash on crash report when a bad function pointer was - called (#11298) - -If Redis crashes due to calling an invalid function pointer, -the `backtrace` function will try to dereference this invalid pointer -which will cause a crash inside the crash report and will kill -the processes without having all the crash report information. - -Example: - -``` -=== REDIS BUG REPORT START: Cut & paste starting from here === -198672:M 19 Sep 2022 18:06:12.936 # Redis 255.255.255 crashed by signal: 11, si_code: 1 -198672:M 19 Sep 2022 18:06:12.936 # Accessing address: 0x1 -198672:M 19 Sep 2022 18:06:12.936 # Crashed running the instruction at: 0x1 -// here the processes is crashing -``` - -This PR tries to fix this crash be: -1. Identify the issue when it happened. -2. Replace the invalid pointer with a pointer to some dummy function - so that `backtrace` will not crash. - -I identification is done by comparing `eip` to `info->si_addr`, if they -are the same we know that the crash happened on the same address it tries to -accesses and we can conclude that it tries to call and invalid function pointer. - -To replace the invalid pointer we introduce a new function, `setMcontextEip`, -which is very similar to `getMcontextEip` and it knows to set the Eip for the -different supported OS's. After printing the trace we retrieve the old `Eip` value. ---- - src/debug.c | 80 ++++++++++++++++++++++++++++++++++++++--------------- - 1 file changed, 58 insertions(+), 22 deletions(-) - -diff --git a/src/debug.c b/src/debug.c -index 8cc811be444b..b15ac8780d83 100644 ---- a/src/debug.c -+++ b/src/debug.c -@@ -1123,73 +1123,88 @@ void bugReportStart(void) { - } - - #ifdef HAVE_BACKTRACE --static void *getMcontextEip(ucontext_t *uc) { -+ -+/* Returns the current eip and set it to the given new value (if its not NULL) */ -+static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { - #define NOT_SUPPORTED() do {\ - UNUSED(uc);\ -+ UNUSED(eip);\ - return NULL;\ - } while(0) -+#define GET_SET_RETURN(target_var, new_val) do {\ -+ void *old_val = (void*)target_var; \ -+ if (new_val) { \ -+ void **temp = (void**)&target_var; \ -+ *temp = new_val; \ -+ } \ -+ return old_val; \ -+} while(0) - #if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6) - /* OSX < 10.6 */ - #if defined(__x86_64__) -- return (void*) uc->uc_mcontext->__ss.__rip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); - #elif defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__eip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); - #else -- return (void*) uc->uc_mcontext->__ss.__srr0; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip); - #endif - #elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6) - /* OSX >= 10.6 */ - #if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__rip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); - #elif defined(__i386__) -- return (void*) uc->uc_mcontext->__ss.__eip; -+ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); - #else - /* OSX ARM64 */ -- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss); -+ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss); -+ if (eip) { -+ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip); -+ } -+ return old_val; - #endif - #elif defined(__linux__) - /* Linux */ - #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) -- return (void*) uc->uc_mcontext.gregs[14]; /* Linux 32 */ -+ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); - #elif defined(__X86_64__) || defined(__x86_64__) -- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */ -+ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); - #elif defined(__ia64__) /* Linux IA64 */ -- return (void*) uc->uc_mcontext.sc_ip; -+ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip); - #elif defined(__arm__) /* Linux ARM */ -- return (void*) uc->uc_mcontext.arm_pc; -+ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip); - #elif defined(__aarch64__) /* Linux AArch64 */ -- return (void*) uc->uc_mcontext.pc; -+ GET_SET_RETURN(uc->uc_mcontext.pc, eip); - #else - NOT_SUPPORTED(); - #endif - #elif defined(__FreeBSD__) - /* FreeBSD */ - #if defined(__i386__) -- return (void*) uc->uc_mcontext.mc_eip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip); - #elif defined(__x86_64__) -- return (void*) uc->uc_mcontext.mc_rip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); - #else - NOT_SUPPORTED(); - #endif - #elif defined(__OpenBSD__) - /* OpenBSD */ - #if defined(__i386__) -- return (void*) uc->sc_eip; -+ GET_SET_RETURN(uc->sc_eip, eip); - #elif defined(__x86_64__) -- return (void*) uc->sc_rip; -+ GET_SET_RETURN(uc->sc_rip, eip); - #else - NOT_SUPPORTED(); - #endif - #elif defined(__NetBSD__) - #if defined(__i386__) -- return (void*) uc->uc_mcontext.__gregs[_REG_EIP]; -+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip); - #elif defined(__x86_64__) -- return (void*) uc->uc_mcontext.__gregs[_REG_RIP]; -+ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip); - #else - NOT_SUPPORTED(); - #endif - #elif defined(__DragonFly__) -- return (void*) uc->uc_mcontext.mc_rip; -+ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); - #else - NOT_SUPPORTED(); - #endif -@@ -1951,6 +1966,10 @@ void dumpCodeAroundEIP(void *eip) { - } - } - -+void invalidFunctionWasCalled() {} -+ -+typedef void (*invalidFunctionWasCalledType)(); -+ - void sigsegvHandler(int sig, siginfo_t *info, void *secret) { - UNUSED(secret); - UNUSED(info); -@@ -1968,13 +1987,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) { - - #ifdef HAVE_BACKTRACE - ucontext_t *uc = (ucontext_t*) secret; -- void *eip = getMcontextEip(uc); -+ void *eip = getAndSetMcontextEip(uc, NULL); - if (eip != NULL) { - serverLog(LL_WARNING, - "Crashed running the instruction at: %p", eip); - } - -- logStackTrace(getMcontextEip(uc), 1); -+ if (eip == info->si_addr) { -+ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped -+ * function pointer. In that case the call to backtrace will crash trying to access that address and we -+ * won't get a crash report logged. Set it to a valid point to avoid that crash. */ -+ -+ /* This trick allow to avoid compiler warning */ -+ void *ptr; -+ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr; -+ *ptr_ptr = invalidFunctionWasCalled; -+ getAndSetMcontextEip(uc, ptr); -+ } -+ -+ logStackTrace(eip, 1); -+ -+ if (eip == info->si_addr) { -+ /* Restore old eip */ -+ getAndSetMcontextEip(uc, eip); -+ } - - logRegisters(uc); - #endif -@@ -2079,7 +2115,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) { - - serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---"); - #ifdef HAVE_BACKTRACE -- logStackTrace(getMcontextEip(uc), 1); -+ logStackTrace(getAndSetMcontextEip(uc, NULL), 1); - #else - serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace()."); - #endif diff --git a/redis-7.0.5.tar.gz b/redis-7.0.5.tar.gz deleted file mode 100644 index 386aa58..0000000 --- a/redis-7.0.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:67054cc37b58c125df93bd78000261ec0ef4436a26b40f38262c780e56315cc3 -size 2968205 diff --git a/redis-7.0.6.tar.gz b/redis-7.0.6.tar.gz new file mode 100644 index 0000000..802ef58 --- /dev/null +++ b/redis-7.0.6.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7b33a7e890d13e27af1f246acb16312669ad8a1d56ce8f807dfbcd3c09aa7bb3 +size 2978882 diff --git a/redis.changes b/redis.changes index 66e295d..0f50547 100644 --- a/redis.changes +++ b/redis.changes @@ -1,3 +1,22 @@ +------------------------------------------------------------------- +Thu Dec 15 21:05:16 UTC 2022 - Andreas Stieger + +- Update to version 7.0.6: + * RM_ResetDataset module API should not clear the functions + * RM_Call module API used with the "C" flag to run scripts, + would now cause the commands in the script to check ACL with + the designated user + * Geo commands speedups + * Fix EVAL command performance regression from Redis 7.0 + * Reduce EXPIRE commands performance regression from Redis 7.0 + * Optimize commands returning double values, mainly affecting zset + commands + * Optimize Lua parsing of some command responses + * Optimize client memory usage tracking operation while client + eviction is disabled + * Multiple bug fixes for crashes, hangs, and incorrect behavior +- drop cve-2022-3647 now upstream + ------------------------------------------------------------------- Mon Oct 24 14:56:10 UTC 2022 - Danilo Spinella diff --git a/redis.hashes b/redis.hashes index 06b6b3c..2b5d889 100644 --- a/redis.hashes +++ b/redis.hashes @@ -143,3 +143,5 @@ hash redis-7.0.2.tar.gz sha256 5e57eafe7d4ac5ecb6a7d64d6b61db775616dbf903293b3fc hash redis-7.0.3.tar.gz sha256 2cde7d17214ffe305953da9fff12333e8a72caa57fd4923e4872f6362a208e73 http://download.redis.io/releases/redis-7.0.3.tar.gz hash redis-7.0.4.tar.gz sha256 f0e65fda74c44a3dd4fa9d512d4d4d833dd0939c934e946a5c622a630d057f2f http://download.redis.io/releases/redis-7.0.4.tar.gz hash redis-7.0.5.tar.gz sha256 67054cc37b58c125df93bd78000261ec0ef4436a26b40f38262c780e56315cc3 http://download.redis.io/releases/redis-7.0.5.tar.gz +hash redis-6.2.8.tar.gz sha256 f91ab24bcb42673cb853292eb5d43c2017d11d659854808ed6a529c97297fdfe http://download.redis.io/releases/redis-6.2.8.tar.gz +hash redis-7.0.6.tar.gz sha256 7b33a7e890d13e27af1f246acb16312669ad8a1d56ce8f807dfbcd3c09aa7bb3 http://download.redis.io/releases/redis-7.0.6.tar.gz diff --git a/redis.spec b/redis.spec index dd33d65..47222c4 100644 --- a/redis.spec +++ b/redis.spec @@ -20,7 +20,7 @@ %define _log_dir %{_localstatedir}/log/%{name} %define _conf_dir %{_sysconfdir}/%{name} Name: redis -Version: 7.0.5 +Version: 7.0.6 Release: 0 Summary: Persistent key-value database License: BSD-3-Clause @@ -40,9 +40,6 @@ Source10: https://raw.githubusercontent.com/redis/redis-hashes/master/READ Patch0: %{name}-conf.patch Patch3: reproducible.patch Patch4: ppc-atomic.patch -# PATCH-FIX-UPSTREAm bsc#1204633 danilo.spinella@suse.com CVE-2022-3647 -# crash in sigsegvHandler debug function -Patch5: cve-2022-3647.patch BuildRequires: jemalloc-devel BuildRequires: libopenssl-devel >= 1.1.1 BuildRequires: pkgconfig @@ -70,7 +67,6 @@ echo "`grep -F %{name}-%{version}.tar.gz %{SOURCE10} | cut -d' ' -f4` %{SOURCE0 %patch0 %patch3 -p1 %patch4 -p1 -%patch5 -p1 %build export HOST=OBS # for reproducible builds