
Fix possible corruption in sdsResize (CVE-2023-41056) #12924

Merged: oranagra merged 1 commit into redis:unstable from oranagra:fix_sdsResize on Jan 9, 2024

Conversation

@oranagra (Member) commented Jan 9, 2024
#11766 introduced a bug in sdsResize where it could forget to update the sds type in the sds header and then cause an overflow in sdsalloc. It looks like the only implication of that is a possible assertion in HLL, but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer.
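To make the failure mode in the description concrete, here is an added, simplified C model of the sds layout. It is not Redis's sds.c and not this PR's diff: only two header types are modelled, and `sdsResize` takes an extra `fixed` argument that selects whether the type byte in `s[-1]` is rewritten after the header layout changes. The function names mirror Redis's but the bodies are reduced to the one step that matters; the exact numbers below assume a little-endian host.

```c
/* Added, simplified model of Redis's sds layout (NOT Redis's sds.c and not
 * this PR's diff): two header types only, and a resize routine whose `fixed`
 * argument selects whether the type byte is rewritten after the header
 * layout changes. Exact numbers below assume a little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDS_TYPE_8    1
#define SDS_TYPE_16   2
#define SDS_TYPE_MASK 7

typedef char *sds;

/* Headers sit directly before the string bytes; `flags` is the last header
 * byte, so s[-1] is the only place the type is recorded. */
struct __attribute__((__packed__)) sdshdr8  { uint8_t  len; uint8_t  alloc; unsigned char flags; };
struct __attribute__((__packed__)) sdshdr16 { uint16_t len; uint16_t alloc; unsigned char flags; };

#define SDS_HDR(T, s) ((struct sdshdr##T *)((s) - sizeof(struct sdshdr##T)))

static int    sdsReqType(size_t n) { return n < 256 ? SDS_TYPE_8 : SDS_TYPE_16; }
static size_t sdsHdrSize(int type) { return type == SDS_TYPE_8 ? sizeof(struct sdshdr8) : sizeof(struct sdshdr16); }
static int    sdsType(const sds s) { return s[-1] & SDS_TYPE_MASK; }

/* Every accessor trusts s[-1] to pick the header layout. */
size_t sdslen(const sds s)   { return sdsType(s) == SDS_TYPE_8 ? SDS_HDR(8, s)->len   : SDS_HDR(16, s)->len; }
size_t sdsalloc(const sds s) { return sdsType(s) == SDS_TYPE_8 ? SDS_HDR(8, s)->alloc : SDS_HDR(16, s)->alloc; }
/* Bytes a caller may append in place; unsigned, so it wraps if alloc < len. */
size_t sdsavail(const sds s) { return sdsalloc(s) - sdslen(s); }

static void sdsWriteHdr(char *sh, int type, size_t len, size_t alloc) {
    if (type == SDS_TYPE_8) {
        struct sdshdr8 *h = (struct sdshdr8 *)sh;
        h->len = (uint8_t)len;  h->alloc = (uint8_t)alloc;
    } else {
        struct sdshdr16 *h = (struct sdshdr16 *)sh;
        h->len = (uint16_t)len; h->alloc = (uint16_t)alloc;
    }
}

sds sdsnew(const char *init) {
    size_t len = strlen(init);
    int type = sdsReqType(len);
    char *sh = malloc(sdsHdrSize(type) + len + 1);
    if (!sh) abort();
    sds s = sh + sdsHdrSize(type);
    sdsWriteHdr(sh, type, len, len);
    s[-1] = (unsigned char)type;
    memcpy(s, init, len + 1);
    return s;
}

void sdsfree(sds s) { free(s - sdsHdrSize(sdsType(s))); }

/* Reallocate so the string can hold `size` bytes. With fixed == 0 the header
 * is written in the new layout but s[-1] keeps the old type, which is the bug
 * class the PR describes. With fixed == 1 the type byte follows the layout. */
sds sdsResize(sds s, size_t size, int fixed) {
    size_t len = sdslen(s);
    int oldtype = sdsType(s);
    int type = sdsReqType(size);
    size_t hdrlen = sdsHdrSize(type);
    if (len > size) len = size;                      /* truncate if shrinking */
    char *newsh = malloc(hdrlen + size + 1);
    if (!newsh) abort();
    memcpy(newsh + hdrlen, s, len);
    sdsfree(s);                                      /* old type byte is still correct here */
    s = newsh + hdrlen;
    s[len] = '\0';
    sdsWriteHdr(newsh, type, len, size);             /* header in the NEW layout ... */
    s[-1] = (unsigned char)(fixed ? type : oldtype); /* ... but a stale type unless fixed */
    return s;
}

/* Grow "hello" (5 bytes, 3-byte sdshdr8) to 300 bytes (needs the 5-byte
 * sdshdr16) and report what one accessor sees afterwards. */
static size_t grow_and_read(int fixed, size_t (*reader)(const sds)) {
    sds s = sdsResize(sdsnew("hello"), 300, fixed);
    size_t v = reader(s);
    /* Free via the real layout: sdsfree() would trust the stale type byte
     * and hand free() a pointer 2 bytes inside the allocation. */
    free(s - sizeof(struct sdshdr16));
    return v;
}
size_t reported_len(int fixed)   { return grow_and_read(fixed, sdslen); }
size_t reported_alloc(int fixed) { return grow_and_read(fixed, sdsalloc); }
size_t reported_avail(int fixed) { return grow_and_read(fixed, sdsavail); }

int main(void) {
    printf("fixed: len=%zu alloc=%zu avail=%zu\n", reported_len(1), reported_alloc(1), reported_avail(1));
    printf("buggy: len=%zu alloc=%zu avail=%zu\n", reported_len(0), reported_alloc(0), reported_avail(0));
    return 0;
}
```

With `fixed == 1` the accessors report len 5, alloc 300, avail 295. With `fixed == 0` the 3-byte sdshdr8 view is overlaid on the middle of the 5-byte sdshdr16, so `sdslen` returns the low byte of `alloc` (44) and `sdsalloc` the high byte (1); `sdsavail` then wraps to just under SIZE_MAX. Any in-place writer that gates a `memcpy` on `sdsavail(s) >= n`, as a query-buffer resize path would, passes that check and writes past the 300 bytes actually allocated, which is the heap corruption the description says cannot be ruled out.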

#11766 introduced a bug in sdsResize where it could forget to update
the sds type in the sds header and then cause an overflow in sdsalloc.
It looks like the only implication of that is a possible assertion in HLL,
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer.
@oranagra oranagra requested a review from yossigo January 9, 2024 06:52
@oranagra oranagra merged commit f7b1d02 into redis:unstable Jan 9, 2024
@oranagra oranagra deleted the fix_sdsResize branch January 9, 2024 11:52
@zhaochunxue

> #11766 introduced a bug in sdsResize where it could forget to update the sds type in the sds header and then cause an overflow in sdsalloc. It looks like the only implication of that is a possible assertion in HLL, but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer.

Does Redis 5.0.5 also have this issue (CVE-2023-41056)? I can't find the function sdsResize in sds.c.

@sundb (Collaborator) commented Jan 11, 2024

@zhaochunxue this only affects versions 7.0.x and 7.2.x.

@zhaochunxue

> @zhaochunxue this only affects versions 7.0.x and 7.2.x.

OK, thank you.

roggervalf pushed a commit to roggervalf/redis that referenced this pull request Feb 11, 2024
redis#11766 introduced a bug in sdsResize where it could forget to update the
sds type in the sds header and then cause an overflow in sdsalloc. It
looks like the only implication of that is a possible assertion in HLL,
but it's hard to rule out possible heap corruption issues with
clientsCronResizeQueryBuffer.