Bug 1278965 - (CVE-2015-8080) CVE-2015-8080 redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20151106,repor...
Keywords: Security
Depends On: 1278966 1278967 1299657 1299658 1299659 1299660
Blocks: 1278970
Reported: 2015-11-06 16:47 EST by Adam Mariš
Modified: 2016-04-26 21:19 EDT
Doc Type: Bug Fix
Doc Text: An integer-wraparound flaw leading to a stack-based overflow was found in Redis. A user with access to run Lua code in a Redis session could possibly use this flaw to crash the server (denial of service) or gain code execution outside of the Lua sandbox.
Last Closed: 2016-02-01 16:35:09 EST
Description Adam Mariš 2015-11-06 16:47:05 EST
It was found that the getnum() function in lua_struct.c is vulnerable to an integer overflow that can be used to trigger a stack-based buffer overflow. getnum() can be tricked into an integer wraparound with a large size number as input, thus returning a negative value. Affected versions of redis are 2.8 and 3.0.

Vulnerable code:

static int getnum (const char **fmt, int df) {
  if (!isdigit(**fmt))  /* no number? */
    return df;  /* return default value */
  else {
    int a = 0;
    do {
      a = a*10 + *((*fmt)++) - '0';
    } while (isdigit(**fmt));
    return a;
  }
}

static size_t optsize (lua_State *L, char opt, const char **fmt) {
  switch (opt) {
[...]
    case 'c': return getnum(fmt, 1);
    case 'i': case 'I': {
      int sz = getnum(fmt, sizeof(int));
      if (sz > MAXINTSIZE)
        luaL_error(L, "integral size %d is larger than limit of %d",
                       sz, MAXINTSIZE);
      return sz;
    }
    default: return 0;  /* other cases do not need alignment */
  }
}

Upstream bug report (including reproducer):

https://github.com/antirez/redis/issues/2855

CVE assignment:

http://seclists.org/oss-sec/2015/q4/231
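The following is an added illustration and is not code from the Redis project or from this bug report. It shows an overflow-checked counterpart of getnum() that rejects a digit run before the accumulator could wrap, followed by the MAXINTSIZE comparison that optsize() performs for the 'i'/'I' options. The value of MAXINTSIZE is not given in the report; 32 is assumed here. The names getnum_checked, parse_int_size and parse_size, and the sample inputs, are introduced for this example. The point it makes is the one in the description: a `sz > MAXINTSIZE` test cannot catch a size that has already wrapped to a negative value, so the bound has to be enforced while the digits are being accumulated.

```c
#include <ctype.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Upper bound on an 'i'/'I' field size, as compared in optsize().
   The real value lives in lua_struct.c; 32 is assumed for this example. */
#define MAXINTSIZE 32

/* Negative return codes for the parse helpers below (illustrative). */
enum { SZ_ERR_OVERFLOW = -1, SZ_ERR_TOO_LARGE = -2 };

/* Overflow-safe counterpart of getnum(): accumulate a decimal digit run,
   but stop before a*10 + digit could exceed INT_MAX, so the accumulator
   never wraps to a negative value. Returns false when the run is too long. */
static bool getnum_checked(const char **fmt, int df, int *out) {
  if (!isdigit((unsigned char)**fmt)) {  /* no number? return the default */
    *out = df;
    return true;
  }
  int a = 0;
  do {
    int digit = **fmt - '0';
    /* a*10 + digit <= INT_MAX  <=>  a <= (INT_MAX - digit) / 10 */
    if (a > (INT_MAX - digit) / 10)
      return false;
    a = a * 10 + digit;
    (*fmt)++;
  } while (isdigit((unsigned char)**fmt));
  *out = a;
  return true;
}

/* Size field of an 'i'/'I' option with both checks applied: the digit run
   must not wrap, and the result must not exceed MAXINTSIZE. The vulnerable
   optsize() applied only the second check, which a wrapped (negative) size
   passes. Returns the size, or a negative error code. */
int parse_int_size(const char *digits) {
  const char *p = digits;
  int sz;
  if (!getnum_checked(&p, (int)sizeof(int), &sz))
    return SZ_ERR_OVERFLOW;
  if (sz > MAXINTSIZE)
    return SZ_ERR_TOO_LARGE;
  return sz;
}

/* Plain digit-run parse with getnum()'s default-value semantics, for the
   other option letters that take a count (e.g. 'c'). */
int parse_size(const char *digits, int df) {
  const char *p = digits;
  int v;
  return getnum_checked(&p, df, &v) ? v : SZ_ERR_OVERFLOW;
}

int main(void) {
  /* Constructed inputs: a normal size, an oversized one, the largest int,
     and digit runs that would wrap a 32-bit int in the unchecked original. */
  const char *samples[] = { "4", "33", "2147483647", "2147483648",
                            "99999999999999999999" };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    int r = parse_int_size(samples[i]);
    if (r == SZ_ERR_OVERFLOW)
      printf("%-22s -> rejected: digit run would overflow int\n", samples[i]);
    else if (r == SZ_ERR_TOO_LARGE)
      printf("%-22s -> rejected: larger than limit of %d\n", samples[i], MAXINTSIZE);
    else
      printf("%-22s -> size %d\n", samples[i], r);
  }
  return 0;
}
```

The check is placed before the multiply-add on purpose: signed overflow is undefined behaviour in C, so a test that runs after `a = a*10 + ...` and looks for a negative result is not a reliable fix even though it may appear to work on a given compiler.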
Comment 1 Adam Mariš 2015-11-06 16:47:48 EST
Created redis tracking bugs for this issue:

Affects: fedora-all [bug 1278966]
Affects: epel-all [bug 1278967]
Comment 4 errata-xmlrpc 2016-02-01 16:04:11 EST
This issue has been addressed in the following products:

  OpenStack 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0097 https://rhn.redhat.com/errata/RHSA-2016-0097.html
Comment 5 errata-xmlrpc 2016-02-01 16:04:38 EST
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0096 https://rhn.redhat.com/errata/RHSA-2016-0096.html
Comment 6 errata-xmlrpc 2016-02-01 16:05:38 EST
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0095 https://rhn.redhat.com/errata/RHSA-2016-0095.html