diff options
| author | Meir Shpilraien (Spielrein) <meir@redis.com> | 2021-11-28 11:59:39 +0200 |
|---|---|---|
| committer | Oran Agra <oran@redislabs.com> | 2022-04-27 16:31:52 +0300 |
| commit | 93c1d31d97a995cd07a2c235b7a4e177f3c752cc (patch) | |
| tree | cf4fa9767d15e14b0ba95a8043062be9ab26664b | |
| parent | 8fca090ede6baad717d36048ac5a5cf4703f9369 (diff) | |
| download | redis-93c1d31d97a995cd07a2c235b7a4e177f3c752cc.tar.gz | |
Clean Lua stack before parsing call reply to avoid crash on a call with many arguments (#9809)
This commit 0f8b634cd (CVE-2021-32626 released in 6.2.6, 6.0.16, 5.0.14)
fixes an invalid memory write issue by using `lua_checkstack` API to make
sure the Lua stack is not overflow. This fix was added on 3 places:
1. `luaReplyToRedisReply`
2. `ldbRedis`
3. `redisProtocolToLuaType`
On the first 2 functions, `lua_checkstack` is handled gracefully while the
last is handled with an assert and a statement that this situation can
not happened (only with misbehave module):
> the Redis reply might be deep enough to explode the LUA stack (notice
that currently there is no such command in Redis that returns such a nested
reply, but modules might do it)
The issue that was discovered is that user arguments is also considered part
of the stack, and so the following script (for example) make the assertion reachable:
```
local a = {}
for i=1,7999 do
a[i] = 1
end
return redis.call("lpush", "l", unpack(a))
```
This is a regression because such a script would have worked before and now
its crashing Redis. The solution is to clear the function arguments from the Lua
stack which makes the original assumption true and the assertion unreachable.
(cherry picked from commit 6b0b04f1b265c429bd19d6c99c9e7e2921723601)
| -rw-r--r-- | src/scripting.c | 4 | ||||
| -rw-r--r-- | tests/unit/scripting.tcl | 26 |
2 files changed, 30 insertions, 0 deletions
diff --git a/src/scripting.c b/src/scripting.c index b43c00880..0a2c326ad 100644 --- a/src/scripting.c +++ b/src/scripting.c @@ -678,6 +678,10 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) { return raise_error ? luaRaiseError(lua) : 1; } + /* Pop all arguments from the stack, we do not need them anymore + * and this way we guaranty we will have room on the stack for the result. */ + lua_pop(lua, argc); + /* Setup our fake client for command execution */ c->argv = argv; c->argc = argc; diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl index 83ced8707..02d2c4ae8 100644 --- a/tests/unit/scripting.tcl +++ b/tests/unit/scripting.tcl @@ -695,6 +695,32 @@ start_server {tags {"scripting"}} { } e set _ $e } {*Script attempted to access nonexistent global variable 'print'*} + + test {Script return recursive object} { + r readraw 1 + set res [r eval {local a = {}; local b = {a}; a[1] = b; return a} 0] + # drain the response + while {true} { + if {$res == "-ERR reached lua stack limit"} { + break + } + assert_equal $res "*1" + set res [r read] + } + r readraw 0 + # make sure the connection is still valid + assert_equal [r ping] {PONG} + } + + test {Script check unpack with massive arguments} { + r eval { + local a = {} + for i=1,7999 do + a[i] = 1 + end + return redis.call("lpush", "l", unpack(a)) + } 0 + } {7999} } # Start a new server since the last test in this stanza will kill the |