|
 |
e8abc3 |
From 666ed7facf4524bf6d19b11b20faa2cf93fdf591 Mon Sep 17 00:00:00 2001
|
|
|
e8abc3 |
From: "meir@redislabs.com" <meir@redislabs.com>
|
|
|
e8abc3 |
Date: Sun, 13 Jun 2021 14:27:18 +0300
|
|
|
e8abc3 |
Subject: [PATCH] Fix invalid memory write on lua stack overflow
|
|
|
e8abc3 |
{CVE-2021-32626}
|
|
|
e8abc3 |
MIME-Version: 1.0
|
|
|
e8abc3 |
Content-Type: text/plain; charset=UTF-8
|
|
|
e8abc3 |
Content-Transfer-Encoding: 8bit
|
|
|
e8abc3 |
|
|
|
e8abc3 |
When LUA call our C code, by default, the LUA stack has room for 20
|
|
|
e8abc3 |
elements. In most cases, this is more than enough but sometimes it's not
|
|
|
e8abc3 |
and the caller must verify the LUA stack size before he pushes elements.
|
|
|
e8abc3 |
|
|
|
e8abc3 |
On 3 places in the code, there was no verification of the LUA stack size.
|
|
|
e8abc3 |
On specific inputs this missing verification could have lead to invalid
|
|
|
e8abc3 |
memory write:
|
|
|
e8abc3 |
1. On 'luaReplyToRedisReply', one might return a nested reply that will
|
|
|
e8abc3 |
explode the LUA stack.
|
|
|
e8abc3 |
2. On 'redisProtocolToLuaType', the Redis reply might be deep enough
|
|
|
e8abc3 |
to explode the LUA stack (notice that currently there is no such
|
|
|
e8abc3 |
command in Redis that returns such a nested reply, but modules might
|
|
|
e8abc3 |
do it)
|
|
|
e8abc3 |
3. On 'ldbRedis', one might give a command with enough arguments to
|
|
|
e8abc3 |
explode the LUA stack (all the arguments will be pushed to the LUA
|
|
|
e8abc3 |
stack)
|
|
|
e8abc3 |
|
|
|
e8abc3 |
This commit is solving all those 3 issues by calling 'lua_checkstack' and
|
|
|
e8abc3 |
verify that there is enough room in the LUA stack to push elements. In
|
|
|
e8abc3 |
case 'lua_checkstack' returns an error (there is not enough room in the
|
|
|
e8abc3 |
LUA stack and it's not possible to increase the stack), we will do the
|
|
|
e8abc3 |
following:
|
|
|
e8abc3 |
1. On 'luaReplyToRedisReply', we will return an error to the user.
|
|
|
e8abc3 |
2. On 'redisProtocolToLuaType' we will exit with panic (we assume this
|
|
|
e8abc3 |
scenario is rare because it can only happen with a module).
|
|
|
e8abc3 |
3. On 'ldbRedis', we return an error.
|
|
|
e8abc3 |
---
|
|
|
e8abc3 |
src/scripting.c | 41 +++++++++++++++++++++++++++++++++++++++++
|
|
|
e8abc3 |
1 file changed, 41 insertions(+)
|
|
|
e8abc3 |
|
|
|
e8abc3 |
diff --git a/src/scripting.c b/src/scripting.c
|
|
|
e8abc3 |
index dea5f516561..afa6adb0c47 100644
|
|
|
e8abc3 |
--- a/src/scripting.c
|
|
|
e8abc3 |
+++ b/src/scripting.c
|
|
|
e8abc3 |
@@ -128,6 +128,16 @@ void sha1hex(char *digest, char *script, size_t len) {
|
|
|
e8abc3 |
*/
|
|
|
e8abc3 |
|
|
|
e8abc3 |
char *redisProtocolToLuaType(lua_State *lua, char* reply) {
|
|
|
e8abc3 |
+
|
|
|
e8abc3 |
+ if (!lua_checkstack(lua, 5)) {
|
|
|
e8abc3 |
+ /*
|
|
|
e8abc3 |
+ * Increase the Lua stack if needed, to make sure there is enough room
|
|
|
e8abc3 |
+ * to push 5 elements to the stack. On failure, exit with panic.
|
|
|
e8abc3 |
+ * Notice that we need, in the worst case, 5 elements because redisProtocolToLuaType_Aggregate
|
|
|
e8abc3 |
+ * might push 5 elements to the Lua stack.*/
|
|
|
e8abc3 |
+ serverPanic("lua stack limit reach when parsing redis.call reply");
|
|
|
e8abc3 |
+ }
|
|
|
e8abc3 |
+
|
|
|
e8abc3 |
char *p = reply;
|
|
|
e8abc3 |
|
|
|
e8abc3 |
switch(*p) {
|
|
|
e8abc3 |
@@ -220,6 +230,11 @@ char *redisProtocolToLuaType_Aggregate(lua_State *lua, char *reply, int atype) {
|
|
|
e8abc3 |
if (atype == '%') {
|
|
|
e8abc3 |
p = redisProtocolToLuaType(lua,p);
|
|
|
e8abc3 |
} else {
|
|
|
e8abc3 |
+ if (!lua_checkstack(lua, 1)) {
|
|
|
e8abc3 |
+ /* Notice that here we need to check the stack again because the recursive
|
|
|
e8abc3 |
+ * call to redisProtocolToLuaType might have use the room allocated in the stack */
|
|
|
e8abc3 |
+ serverPanic("lua stack limit reach when parsing redis.call reply");
|
|
|
e8abc3 |
+ }
|
|
|
e8abc3 |
lua_pushboolean(lua,1);
|
|
|
e8abc3 |
}
|
|
|
e8abc3 |
lua_settable(lua,-3);
|
|
|
e8abc3 |
@@ -339,6 +354,17 @@ void luaSortArray(lua_State *lua) {
|
|
|
e8abc3 |
/* Reply to client 'c' converting the top element in the Lua stack to a
|
|
|
e8abc3 |
* Redis reply. As a side effect the element is consumed from the stack. */
|
|
|
e8abc3 |
void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
e8abc3 |
+
|
|
|
e8abc3 |
+ if (!lua_checkstack(lua, 4)) {
|
|
|
e8abc3 |
+ /* Increase the Lua stack if needed to make sure there is enough room
|
|
|
e8abc3 |
+ * to push 4 elements to the stack. On failure, return error.
|
|
|
e8abc3 |
+ * Notice that we need, in the worst case, 4 elements because returning a map might
|
|
|
e8abc3 |
+ * require push 4 elements to the Lua stack.*/
|
|
|
e8abc3 |
+ addReplyErrorFormat(c, "reached lua stack limit");
|
|
|
e8abc3 |
+ lua_pop(lua,1); // pop the element from the stack
|
|
|
e8abc3 |
+ return;
|
|
|
e8abc3 |
+ }
|
|
|
e8abc3 |
+
|
|
|
e8abc3 |
int t = lua_type(lua,-1);
|
|
|
e8abc3 |
|
|
|
e8abc3 |
switch(t) {
|
|
|
e8abc3 |
@@ -362,6 +388,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
e8abc3 |
* field. */
|
|
|
e8abc3 |
|
|
|
e8abc3 |
/* Handle error reply. */
|
|
|
e8abc3 |
+ // we took care of the stack size on function start
|
|
|
e8abc3 |
lua_pushstring(lua,"err");
|
|
|
e8abc3 |
lua_gettable(lua,-2);
|
|
|
e8abc3 |
t = lua_type(lua,-1);
|
|
|
e8abc3 |
@@ -407,6 +434,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
e8abc3 |
if (t == LUA_TTABLE) {
|
|
|
e8abc3 |
int maplen = 0;
|
|
|
e8abc3 |
void *replylen = addReplyDeferredLen(c);
|
|
|
e8abc3 |
+ /* we took care of the stack size on function start */
|
|
|
e8abc3 |
lua_pushnil(lua); /* Use nil to start iteration. */
|
|
|
e8abc3 |
while (lua_next(lua,-2)) {
|
|
|
e8abc3 |
/* Stack now: table, key, value */
|
|
|
e8abc3 |
@@ -429,6 +457,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
e8abc3 |
if (t == LUA_TTABLE) {
|
|
|
e8abc3 |
int setlen = 0;
|
|
|
e8abc3 |
void *replylen = addReplyDeferredLen(c);
|
|
|
e8abc3 |
+ /* we took care of the stack size on function start */
|
|
|
e8abc3 |
lua_pushnil(lua); /* Use nil to start iteration. */
|
|
|
e8abc3 |
while (lua_next(lua,-2)) {
|
|
|
e8abc3 |
/* Stack now: table, key, true */
|
|
|
e8abc3 |
@@ -448,6 +477,7 @@ void luaReplyToRedisReply(client *c, lua_State *lua) {
|
|
|
e8abc3 |
void *replylen = addReplyDeferredLen(c);
|
|
|
e8abc3 |
int j = 1, mbulklen = 0;
|
|
|
e8abc3 |
while(1) {
|
|
|
e8abc3 |
+ /* we took care of the stack size on function start */
|
|
|
e8abc3 |
lua_pushnumber(lua,j++);
|
|
|
e8abc3 |
lua_gettable(lua,-2);
|
|
|
e8abc3 |
t = lua_type(lua,-1);
|
|
|
e8abc3 |
@@ -2506,6 +2536,17 @@ void ldbEval(lua_State *lua, sds *argv, int argc) {
|
|
|
e8abc3 |
void ldbRedis(lua_State *lua, sds *argv, int argc) {
|
|
|
e8abc3 |
int j, saved_rc = server.lua_replicate_commands;
|
|
|
e8abc3 |
|
|
|
e8abc3 |
+ if (!lua_checkstack(lua, argc + 1)) {
|
|
|
e8abc3 |
+ /* Increase the Lua stack if needed to make sure there is enough room
|
|
|
e8abc3 |
+ * to push 'argc + 1' elements to the stack. On failure, return error.
|
|
|
e8abc3 |
+ * Notice that we need, in worst case, 'argc + 1' elements because we push all the arguments
|
|
|
e8abc3 |
+ * given by the user (without the first argument) and we also push the 'redis' global table and
|
|
|
e8abc3 |
+ * 'redis.call' function so:
|
|
|
e8abc3 |
+ * (1 (redis table)) + (1 (redis.call function)) + (argc - 1 (all arguments without the first)) = argc + 1*/
|
|
|
e8abc3 |
+ ldbLogRedisReply("max lua stack reached");
|
|
|
e8abc3 |
+ return;
|
|
|
e8abc3 |
+ }
|
|
|
e8abc3 |
+
|
|
|
e8abc3 |
lua_getglobal(lua,"redis");
|
|
|
e8abc3 |
lua_pushstring(lua,"call");
|
|
|
e8abc3 |
lua_gettable(lua,-2); /* Stack: redis, redis.call */
|