Bug 1278965 (CVE-2015-8080)

Summary: CVE-2015-8080 redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, carnil, chrisw, dallan, fabian.deutsch, fpercoco, gkotton, gmollett, hguemar, i, jal233, jrusnack, jschluet, lhh, lpeer, markmc, msamia, rbryant, rhos-maint, sclewis, slong, tdecacqu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An integer-wraparound flaw leading to a stack-based overflow was found in Redis. A user with access to run Lua code in a Redis session could possibly use this flaw to crash the server (denial of service) or gain code execution outside of the Lua sandbox.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-01 21:35:09 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1278966, 1278967, 1299657, 1299658, 1299659, 1299660
Bug Blocks: 1278970

Description Adam Mariš 2015-11-06 21:47:05 UTC
It was found that the getnum() function in lua_struct.c is vulnerable to an integer overflow that can be used to trigger a stack-based buffer overflow. getnum() can be tricked into an integer wraparound with a large size number as input, thus returning a negative value. Affected versions of redis are 2.8 and 3.0.

Vulnerable code:

static int getnum (const char **fmt, int df) {
  if (!isdigit(**fmt))  /* no number? */
    return df;  /* return default value */
  else {
    int a = 0;
    do {
      /* no bound check: a signed int wraps once the count exceeds INT_MAX */
      a = a*10 + *((*fmt)++) - '0';
    } while (isdigit(**fmt));
    return a;  /* may be negative after wraparound */
  }
}

static size_t optsize (lua_State *L, char opt, const char **fmt) {
  switch (opt) {
[...]
    case 'c': return getnum(fmt, 1);  /* a negative count becomes a huge size_t */
    case 'i': case 'I': {
      int sz = getnum(fmt, sizeof(int));
      if (sz > MAXINTSIZE)  /* signed compare: a negative sz passes this check */
        luaL_error(L, "integral size %d is larger than limit of %d",
                       sz, MAXINTSIZE);
      return sz;
    }
    default: return 0;  /* other cases do not need alignment */
  }
}

Upstream bug report (including reproducer):

https://github.com/antirez/redis/issues/2855

CVE assignment:

http://seclists.org/oss-sec/2015/q4/231
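The wraparound described in the report above, worked through as an added example that is not part of the bug report, the upstream issue or the Redis source. It reproduces the shape of the digit loop in getnum(), shows that a count such as 4294967295 comes back as -1 and therefore slips past the signed "sz > MAXINTSIZE" compare in optsize() before being widened to a huge size_t, and places a bounds-checked getnum() next to it. The function names getnum_vuln, getnum_fixed and optsize_vuln are this example's own; the check-before-multiply in getnum_fixed is the standard remedy for this pattern, not a quotation of the Redis patch. The example assumes a 32-bit two's-complement int and emulates the wraparound with uint32_t so that it has defined behaviour (the real code overflows a signed int, which C leaves undefined).

```c
/* Added example, not from the bug report or the Redis source. It shows
 * the digit loop from lua_struct.c getnum() wrapping on a large count,
 * why optsize()'s "sz > MAXINTSIZE" test does not catch the wrapped
 * value, and a getnum() that bounds-checks before each multiply. The
 * names getnum_vuln/getnum_fixed/optsize_vuln are this example's own.
 * Assumes a 32-bit two's-complement int; the wraparound is emulated
 * with uint32_t so the program has defined behaviour (the real code
 * overflows a signed int, which is undefined in C). */
#include <ctype.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define MAXINTSIZE 32   /* limit name used by lua_struct.c for 'i'/'I' */

/* Vulnerable shape: accumulate digits with no bound check. */
static int getnum_vuln(const char **fmt, int df) {
  if (!isdigit((unsigned char)**fmt))
    return df;                       /* no count given: use the default */
  uint32_t a = 0;
  do {
    a = a * 10u + (uint32_t)(**fmt - '0');   /* wraps modulo 2^32 */
    (*fmt)++;
  } while (isdigit((unsigned char)**fmt));
  /* Reinterpret as the signed int the real code returns (portable form). */
  if (a <= (uint32_t)INT_MAX)
    return (int)a;
  return (int)(a - (uint32_t)INT_MAX - 1u) + INT_MIN;   /* negative */
}

/* Fixed shape: refuse the next digit if it would push a past INT_MAX.
 * Reports through *err instead of calling luaL_error(). */
static int getnum_fixed(const char **fmt, int df, int *err) {
  *err = 0;
  if (!isdigit((unsigned char)**fmt))
    return df;
  int a = 0;
  do {
    int d = **fmt - '0';
    if (a > INT_MAX / 10 || a * 10 > INT_MAX - d) {
      *err = 1;                      /* "integral size overflow" */
      return -1;
    }
    a = a * 10 + d;
    (*fmt)++;
  } while (isdigit((unsigned char)**fmt));
  return a;
}

/* Mirrors the vulnerable optsize() branches: the limit test is a signed
 * compare, so a wrapped (negative) sz passes it and is then returned as
 * a huge size_t. *rejected stands in for luaL_error(). */
static size_t optsize_vuln(char opt, const char *fmt, int *rejected) {
  *rejected = 0;
  switch (opt) {
    case 'c': return (size_t)getnum_vuln(&fmt, 1);
    case 'i': case 'I': {
      int sz = getnum_vuln(&fmt, (int)sizeof(int));
      if (sz > MAXINTSIZE)
        *rejected = 1;
      return (size_t)sz;
    }
    default: return 0;
  }
}

/* Whole-string helpers so the behaviour can be checked call by call. */
static int count_vuln(const char *s) { return getnum_vuln(&s, 1); }
static int count_fixed(const char *s) { int e; return getnum_fixed(&s, 1, &e); }
static int fixed_rejects(const char *s) { int e; getnum_fixed(&s, 1, &e); return e; }
static size_t size_vuln(char opt, const char *s) { int r; return optsize_vuln(opt, s, &r); }
static int vuln_rejects(char opt, const char *s) { int r; optsize_vuln(opt, s, &r); return r; }

int main(void) {
  /* Constructed counts: the last three exceed INT_MAX. */
  const char *counts[] = { "12", "2147483647", "2147483648", "4294967295", "4294967296" };
  for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
    printf("count %-10s vuln=%11d  as size_t=%20zu  fixed=%s\n",
           counts[i], count_vuln(counts[i]), size_vuln('I', counts[i]),
           fixed_rejects(counts[i]) ? "rejected" : "accepted");
  }
  printf("'I33' rejected by MAXINTSIZE check: %d\n", vuln_rejects('I', "33"));
  printf("'I4294967295' rejected: %d (wrapped to -1, passes the check)\n",
         vuln_rejects('I', "4294967295"));
  return 0;
}
```

The point to take from the run is the pair of columns for 4294967295: the vulnerable loop yields -1, the MAXINTSIZE compare accepts it, and the caller receives SIZE_MAX where it expected a byte count. The bounds-checked loop rejects the same input at the digit where the running value would first exceed INT_MAX, which is the earliest point at which it can be done without relying on undefined signed overflow.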

Comment 1 Adam Mariš 2015-11-06 21:47:48 UTC
Created redis tracking bugs for this issue:

Affects: fedora-all [bug 1278966]
Affects: epel-all [bug 1278967]

Comment 4 errata-xmlrpc 2016-02-01 21:04:11 UTC
This issue has been addressed in the following products:

  OpenStack 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0097 https://rhn.redhat.com/errata/RHSA-2016-0097.html

Comment 5 errata-xmlrpc 2016-02-01 21:04:38 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0096 https://rhn.redhat.com/errata/RHSA-2016-0096.html

Comment 6 errata-xmlrpc 2016-02-01 21:05:38 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0095 https://rhn.redhat.com/errata/RHSA-2016-0095.html