memcached: patch CVE-2023-46852
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46852 Backport the patch referenced by the NVD advisory. The test extension was not backported because the modified test case does not exist in the recipe's version yet. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
@@ -0,0 +1,68 @@
|
||||
From 3e7027caf6b1eb79d3d98a77e17051b120c30b9b Mon Sep 17 00:00:00 2001
|
||||
From: dormando <dormando@rydia.net>
|
||||
Date: Fri, 28 Jul 2023 10:32:16 -0700
|
||||
Subject: [PATCH] proxy: fix buffer overflow with multiget syntax
|
||||
|
||||
"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to
|
||||
process multiget syntax.
|
||||
|
||||
To exploit this you must first pass the check in try_read_command_proxy:
|
||||
- The request before the first newline must be less than 1024 bytes.
|
||||
- If it is more than 1024 bytes there is a limit of 100 spaces.
|
||||
- The key length is still checked at 250 bytes
|
||||
- Meaning you have up to 772 spaces and then the key to create stack
|
||||
corruption.
|
||||
|
||||
So the amount of data you can shove in here isn't unlimited.
|
||||
|
||||
The fix caps the amount of data pre-key to be reasonable. Something like
|
||||
GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
|
||||
spaces, so we limit it to 20 bytes.
|
||||
|
||||
I hate hate hate hate hate the multiget syntax. hate it.
|
||||
|
||||
CVE: CVE-2023-46852
|
||||
Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767]
|
||||
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||
---
|
||||
proto_proxy.c | 16 ++++++++++++++--
|
||||
1 file changed, 14 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/proto_proxy.c b/proto_proxy.c
|
||||
index 6c028f4..94e38b6 100644
|
||||
--- a/proto_proxy.c
|
||||
+++ b/proto_proxy.c
|
||||
@@ -613,6 +613,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con
|
||||
return 0;
|
||||
}
|
||||
|
||||
+// basically any data before the first key.
|
||||
+// max is like 15ish plus spaces. we can be more strict about how many spaces
|
||||
+// to expect because any client spamming space is being deliberately stupid
|
||||
+// anyway.
|
||||
+#define MAX_CMD_PREFIX 20
|
||||
+
|
||||
static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) {
|
||||
assert(c != NULL);
|
||||
LIBEVENT_THREAD *thr = c->thread;
|
||||
@@ -670,12 +676,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu
|
||||
if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) {
|
||||
uint32_t keyoff = pr.tokens[pr.keytoken];
|
||||
while (pr.klen != 0) {
|
||||
- char temp[KEY_MAX_LENGTH + 30];
|
||||
+ char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30];
|
||||
char *cur = temp;
|
||||
// Core daemon can abort the entire command if one key is bad, but
|
||||
// we cannot from the proxy. Instead we have to inject errors into
|
||||
// the stream. This should, thankfully, be rare at least.
|
||||
- if (pr.klen > KEY_MAX_LENGTH) {
|
||||
+ if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) {
|
||||
+ if (!resp_start(c)) {
|
||||
+ conn_set_state(c, conn_closing);
|
||||
+ return;
|
||||
+ }
|
||||
+ proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request");
|
||||
+ } else if (pr.klen > KEY_MAX_LENGTH) {
|
||||
if (!resp_start(c)) {
|
||||
conn_set_state(c, conn_closing);
|
||||
return;
|
||||
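Review bot: The patch header's `From 3e7027caf6b1eb79d3d98a77e17051b120c30b9b` line does not match the commit cited in `Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767]`, which suggests the patch was regenerated rather than exported directly from the upstream commit, and nothing in the patch file itself says how it differs from upstream. The reason given in the commit message (the upstream test extension was dropped because the modified test case does not exist in this recipe version) lives only in the git log, while the diffstat `1 file changed` is the only hint in the shipped file that the backport is partial. Consider adding a line under the Upstream-Status trailer, e.g. `Note: the upstream test changes were not backported; the modified test case does not exist in this version.`, so whoever next refreshes the recipe or re-checks the CVE status can tell the backport is partial without consulting git history. The C change to proxy_process_command is otherwise a verbatim copy of upstream's guard and buffer sizing; the enclosing while loop continues outside the hunk, so how the loop advances past a rejected key is not visible here.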
@@ -21,6 +21,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \
|
||||
|
||||
SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \
|
||||
file://memcached-add-hugetlbfs-check.patch \
|
||||
file://CVE-2023-46852.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515"
|
||||
|
||||
|
||||