mirror of
http://github.com/valkey-io/valkey
synced 2024-11-21 16:46:15 +00:00
Ziplist: insertion bug under particular conditions fixed.
Ziplists had a bug that was discovered while investigating a different issue, resulting in a corrupted ziplist representation, and a likely segmentation foult and/or data corruption of the last element of the ziplist, once the ziplist is accessed again. The bug happens when a specific set of insertions / deletions is performed so that an entry is encoded to have a "prevlen" field (the length of the previous entry) of 5 bytes but with a count that could be encoded in a "prevlen" field of a since byte. This could happen when the "cascading update" process called by ziplistInsert()/ziplistDelete() in certain contitious forces the prevlen to be bigger than necessary in order to avoid too much data moving around. Once such an entry is generated, inserting a very small entry immediately before it will result in a resizing of the ziplist for a count smaller than the current ziplist length (which is a violation, inserting code expects the ziplist to get bigger actually). So an FF byte is inserted in a misplaced position. Moreover a realloc() is performed with a count smaller than the ziplist current length so the final bytes could be trashed as well. SECURITY IMPLICATIONS: Currently it looks like an attacker can only crash a Redis server by providing specifically choosen commands. However a FF byte is written and there are other memory operations that depend on a wrong count, so even if it is not immediately apparent how to mount an attack in order to execute code remotely, it is not impossible at all that this could be done. Attacks always get better... and we did not spent enough time in order to think how to exploit this issue, but security researchers or malicious attackers could.
This commit is contained in:
parent
4a64bc3e40
commit
48e24d54b7
@ -613,7 +613,12 @@ static unsigned char *__ziplistInsert(unsigned char *zl, unsigned char *p, unsig
|
|||||||
/* When the insert position is not equal to the tail, we need to
|
/* When the insert position is not equal to the tail, we need to
|
||||||
* make sure that the next entry can hold this entry's length in
|
* make sure that the next entry can hold this entry's length in
|
||||||
* its prevlen field. */
|
* its prevlen field. */
|
||||||
|
int forcelarge = 0;
|
||||||
nextdiff = (p[0] != ZIP_END) ? zipPrevLenByteDiff(p,reqlen) : 0;
|
nextdiff = (p[0] != ZIP_END) ? zipPrevLenByteDiff(p,reqlen) : 0;
|
||||||
|
if (nextdiff == -4 && reqlen < 4) {
|
||||||
|
nextdiff = 0;
|
||||||
|
forcelarge = 1;
|
||||||
|
}
|
||||||
|
|
||||||
/* Store offset because a realloc may change the address of zl. */
|
/* Store offset because a realloc may change the address of zl. */
|
||||||
offset = p-zl;
|
offset = p-zl;
|
||||||
@ -626,7 +631,10 @@ static unsigned char *__ziplistInsert(unsigned char *zl, unsigned char *p, unsig
|
|||||||
memmove(p+reqlen,p-nextdiff,curlen-offset-1+nextdiff);
|
memmove(p+reqlen,p-nextdiff,curlen-offset-1+nextdiff);
|
||||||
|
|
||||||
/* Encode this entry's raw length in the next entry. */
|
/* Encode this entry's raw length in the next entry. */
|
||||||
zipPrevEncodeLength(p+reqlen,reqlen);
|
if (forcelarge)
|
||||||
|
zipPrevEncodeLengthForceLarge(p+reqlen,reqlen);
|
||||||
|
else
|
||||||
|
zipPrevEncodeLength(p+reqlen,reqlen);
|
||||||
|
|
||||||
/* Update offset for tail */
|
/* Update offset for tail */
|
||||||
ZIPLIST_TAIL_OFFSET(zl) =
|
ZIPLIST_TAIL_OFFSET(zl) =
|
||||||
|
Loading…
Reference in New Issue
Block a user