Bug 1943623 (CVE-2021-3470)

Summary: CVE-2021-3470 redis: potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: 13752555653, apevec, bcoca, chousekn, cmeyers, davidn, fabian.deutsch, fpercoco, gblomqui, gghezzo, gparvin, hhorak, jal233, jcammara, jhardy, jjoyce, jobarker, jorton, jramanat, jschluet, jweiser, kaycoth, lberk, lhh, lpeer, mabashia, mburns, mgoodwin, nathans, notting, osapryki, ppengjin, rcollet, redis-maint, relrod, sclewis, sdoran, slinaber, smcdonal, stcannon, thee, tkuratom, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: redis 5.0.10, redis 6.0.9, redis 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A heap overflow issue was found in Redis when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast majority of users, who use jemalloc or glibc.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-29 08:48:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1946481, 1944790, 1944791, 1946482, 1948630, 1948631, 1948632, 1948769, 1948770
Bug Blocks: 1930427, 1943663

Description Mauro Matteo Cascella 2021-03-26 16:30:19 UTC
When using a system with no malloc_usable_size(), zmalloc_size() assumed that the heap allocator always returns blocks that are long-padded. This may not always be the case, and will result in zmalloc_size() returning a size that is bigger than allocated. At least in one case this leads to an out-of-bounds write, process crash and a potential security vulnerability. Effectively this does not affect the vast majority of users, who use jemalloc or glibc.

Upstream pull request:
https://github.com/redis/redis/pull/7963

Upstream commit:
https://github.com/redis/redis/commit/9824fe3e392caa04dc1b4071886e9ac402dd6d95

Release notes:
https://raw.githubusercontent.com/redis/redis/5.0.10/00-RELEASENOTES
https://raw.githubusercontent.com/redis/redis/6.0.9/00-RELEASENOTES
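To make the description concrete, here is an added C model of the flaw. It is not code from this bug, from Redis, or from the upstream fix: the size-prefix wrapper and the round-up-to-sizeof(long) step in zmalloc_size_buggy are a reconstruction of the behaviour the description gives for the no-malloc_usable_size() path, and the arena allocator, the canary byte and all function names (model_zmalloc, fill_overruns, buggy_overestimate) are constructed for this illustration. The arena hands out exactly the bytes requested, standing in for a heap allocator that does not pad blocks, so a caller that trusts the pre-fix zmalloc_size() and fills every byte it is told is usable writes past the real allocation and hits the canary; the post-fix variant reports only the recorded size and stays in bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size prefix stored in front of every block, as in Redis' fallback path when
 * the C library offers no malloc_usable_size(). (Reconstruction from the bug
 * description, not Redis' own code.) */
#define PREFIX_SIZE sizeof(size_t)

/* Constructed backing allocator: a bump arena that returns exactly the bytes
 * asked for and writes a canary byte immediately after each block. It stands
 * in for a heap allocator that does NOT round allocations up to sizeof(long). */
#define ARENA_SIZE 4096
#define CANARY 0xA5
static _Alignas(size_t) unsigned char arena[ARENA_SIZE];
static size_t arena_top;

static void arena_reset(void) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
}

static void *strict_malloc(size_t n) {
    if (arena_top + n + 1 > ARENA_SIZE) return NULL;
    unsigned char *p = arena + arena_top;
    p[n] = CANARY;                /* guard byte right after the real block */
    arena_top += n + 1;           /* no alignment padding, on purpose */
    return p;
}

/* zmalloc-style wrapper: record the requested size, hand out the byte after it. */
void *model_zmalloc(size_t size) {
    unsigned char *ptr = strict_malloc(size + PREFIX_SIZE);
    if (!ptr) return NULL;
    *(size_t *)ptr = size;
    return ptr + PREFIX_SIZE;
}

/* Pre-fix zmalloc_size(): reads the recorded size and then rounds it up to a
 * multiple of sizeof(long), assuming the allocator padded the block anyway. */
size_t zmalloc_size_buggy(void *ptr) {
    size_t size = *(size_t *)((unsigned char *)ptr - PREFIX_SIZE);
    if (size & (sizeof(long) - 1))
        size += sizeof(long) - (size & (sizeof(long) - 1));
    return size + PREFIX_SIZE;
}

/* Post-fix zmalloc_size(): report only what was actually requested. */
size_t zmalloc_size_fixed(void *ptr) {
    size_t size = *(size_t *)((unsigned char *)ptr - PREFIX_SIZE);
    return size + PREFIX_SIZE;
}

typedef size_t (*size_fn)(void *);

/* Usable bytes as a caller would derive them: block size minus the prefix. */
static size_t usable(void *ptr, size_fn zsize) { return zsize(ptr) - PREFIX_SIZE; }

/* Allocate `request` bytes, then do what a caller trusting zmalloc_size() does:
 * fill every byte it is told is usable. Returns 1 if that write clobbered the
 * canary (out-of-bounds write), 0 if it stayed inside the block, -1 on OOM. */
int fill_overruns(size_t request, size_fn zsize) {
    arena_reset();
    unsigned char *buf = model_zmalloc(request);
    if (!buf) return -1;
    memset(buf, 'X', usable(buf, zsize));
    return arena[PREFIX_SIZE + request] != CANARY;
}

/* How many bytes beyond the real allocation the pre-fix size would claim. */
size_t buggy_overestimate(size_t request) {
    arena_reset();
    unsigned char *buf = model_zmalloc(request);
    if (!buf) return 0;
    return usable(buf, zmalloc_size_buggy) - request;
}

int main(void) {
    for (size_t req = 1; req <= 2 * sizeof(long); req++)
        printf("request=%2zu  pre-fix usable=%2zu  post-fix usable=%2zu  overrun: %s\n",
               req, req + buggy_overestimate(req), req,
               fill_overruns(req, zmalloc_size_buggy) ? "yes" : "no");
    return 0;
}
```

With jemalloc or glibc malloc the rounding assumption happens to hold, because those allocators do return blocks padded at least to sizeof(long) (and Redis uses their own usable-size query instead of this fallback), which is why the bug only bites with another allocator and why the fix is to stop guessing and return the recorded size.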

Comment 1 Mauro Matteo Cascella 2021-03-26 16:35:08 UTC
It is worth noting that the default Redis heap allocator on Linux is jemalloc: https://github.com/redis/redis#allocator.

Comment 7 Tapas Jena 2021-04-12 16:19:21 UTC
Completed the analysis of the concerned vulnerability for both AAP 1.2 and Ansible Tower and below is my observation:
- Ansible Tower uses the RHEL Redis where both jemalloc() and zmalloc() are in use. However, "jemalloc()" is being used as the default heap allocator.
- Ansible Core doesn't use redis by default. There is an optional cache plugin, and it doesn't directly make any choices about the heap allocator redis would use.

Hence, marking AAP 1.2 and Tower as "Affected" and "delegated".

Kind Regards,
Tapas J

Comment 9 Mauro Matteo Cascella 2021-04-12 21:08:32 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1948769]
Affects: fedora-all [bug 1948770]

Comment 12 Nick Tait 2021-05-08 19:12:57 UTC
Statement:

The following products are not affected by this flaw because they use `jemalloc` as the default heap allocator:
* Red Hat Enterprise Linux 8
* Red Hat Software Collections
* Red Hat Advanced Cluster Management for Kubernetes

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP redis package.