Bug 1278965 (CVE-2015-8080) - CVE-2015-8080 redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1278966 1278967 1299657 1299658 1299659 1299660
Blocks: 1278970
Reported: 2015-11-06 21:47 UTC by Adam Mariš
Modified: 2021-02-17 04:44 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An integer-wraparound flaw leading to a stack-based overflow was found in Redis. A user with access to run Lua code in a Redis session could possibly use this flaw to crash the server (denial of service) or gain code execution outside of the Lua sandbox.
Clone Of:
Environment:
Last Closed: 2016-02-01 21:35:09 UTC
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2016:0095 | 0 | normal | SHIPPED_LIVE | Moderate: redis security advisory | 2016-02-02 02:04:03 UTC
Red Hat Product Errata | RHSA-2016:0096 | 0 | normal | SHIPPED_LIVE | Moderate: redis security advisory | 2016-02-02 02:03:56 UTC
Red Hat Product Errata | RHSA-2016:0097 | 0 | normal | SHIPPED_LIVE | Moderate: redis security advisory | 2016-02-02 02:03:47 UTC

Description Adam Mariš 2015-11-06 21:47:05 UTC
It was found that the getnum() function in lua_struct.c is vulnerable to an integer overflow that can be used to trigger a stack-based buffer overflow. getnum() can be tricked into an integer wraparound by a large size number given as input, thus returning a negative value. Affected versions of redis are 2.8 and 3.0.

Vulnerable code:

static int getnum (const char **fmt, int df) {
  if (!isdigit(**fmt))  /* no number? */
    return df;  /* return default value */
  else {
    int a = 0;
    do {
      a = a*10 + *((*fmt)++) - '0';  /* no overflow check: a long digit run wraps and yields a negative value */
    } while (isdigit(**fmt));
    return a;
  }
}

static size_t optsize (lua_State *L, char opt, const char **fmt) {
  switch (opt) {
[...]
    case 'c': return getnum(fmt, 1);
    case 'i': case 'I': {
      int sz = getnum(fmt, sizeof(int));
      if (sz > MAXINTSIZE)
        luaL_error(L, "integral size %d is larger than limit of %d",
                       sz, MAXINTSIZE);
      return sz;
    }
    default: return 0;  /* other cases do not need alignment */
  }
}

Upstream bug report (including reproducer):

https://github.com/antirez/redis/issues/2855

CVE assignment:

http://seclists.org/oss-sec/2015/q4/231
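The following is an added example, not code from the Redis project or from the upstream fix. It places a model of the unchecked accumulation next to a hardened reader that refuses any digit which would push the accumulator past INT_MAX, and a bounded counterpart of the optsize() excerpt above. The function names getnum_wrapping, getnum_checked and optsize_checked, the sz_status codes, and the MAXINTSIZE value of 32 are assumptions made for this example; the error is reported through a return code because there is no lua_State here to hand to luaL_error().

```c
#include <assert.h>
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limit on integer width in bytes, standing in for the MAXINTSIZE
   that optsize() in lua_struct.c compares against (value assumed here). */
#define MAXINTSIZE 32

enum sz_status { SZ_OK = 0, SZ_OVERFLOW = 1, SZ_TOO_LARGE = 2 };

/* Models the arithmetic of the unchecked getnum() on two's-complement hardware.
   The accumulator is kept unsigned so the wraparound is well defined in this model
   (signed overflow in the original is undefined behaviour); the observed effect is
   the same: a long run of digits wraps past INT_MAX and reads back as a negative size. */
int getnum_wrapping(const char **fmt, int df) {
  if (!isdigit((unsigned char)**fmt))
    return df;
  unsigned int a = 0;
  do {
    a = a * 10u + (unsigned int)(*((*fmt)++) - '0');
  } while (isdigit((unsigned char)**fmt));
  return (int)a;  /* implementation-defined conversion; -1 for "4294967295" on mainstream ABIs */
}

/* Hardened reader: before each digit is folded in, verify that a*10 + d still fits
   in an int, so the parsed size can never wrap negative. On success *out holds the
   size (or the default df when no digits are present) and *fmt points past the digits. */
enum sz_status getnum_checked(const char **fmt, int df, int *out) {
  if (!isdigit((unsigned char)**fmt)) {
    *out = df;
    return SZ_OK;
  }
  int a = 0;
  do {
    int d = **fmt - '0';
    /* a*10 + d <= INT_MAX  holds iff  a <= INT_MAX/10 and a*10 <= INT_MAX - d */
    if (a > INT_MAX / 10 || a * 10 > INT_MAX - d)
      return SZ_OVERFLOW;
    a = a * 10 + d;
    (*fmt)++;
  } while (isdigit((unsigned char)**fmt));
  *out = a;
  return SZ_OK;
}

/* Bounded counterpart of the optsize() excerpt: sizes are read with the checked
   reader, and for 'i'/'I' additionally capped at MAXINTSIZE, so neither a wrapped
   nor an oversized value is ever returned as a buffer length. */
enum sz_status optsize_checked(char opt, const char **fmt, size_t *out) {
  int sz;
  enum sz_status st;
  switch (opt) {
    case 'c':
      st = getnum_checked(fmt, 1, &sz);
      if (st != SZ_OK) return st;
      *out = (size_t)sz;
      return SZ_OK;
    case 'i': case 'I':
      st = getnum_checked(fmt, (int)sizeof(int), &sz);
      if (st != SZ_OK) return st;
      if (sz > MAXINTSIZE) return SZ_TOO_LARGE;
      *out = (size_t)sz;
      return SZ_OK;
    default:
      *out = 0;  /* other options carry no size */
      return SZ_OK;
  }
}

int main(void) {
  /* Constructed sample size strings, as they would follow an 'i' in a format. */
  const char *inputs[] = { "4", "2147483647", "2147483648", "4294967295", "99" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    const char *p = inputs[i];
    int wrapped = getnum_wrapping(&p, 0);
    size_t sz = 0;
    p = inputs[i];
    enum sz_status st = optsize_checked('i', &p, &sz);
    printf("i%-11s unchecked=%11d  checked=%s (size %zu)\n", inputs[i], wrapped,
           st == SZ_OK ? "ok" : st == SZ_OVERFLOW ? "overflow" : "too large", sz);
  }
  return 0;
}
```

The check runs before the multiplication rather than after it, because a post-hoc test on a signed accumulator would itself depend on the undefined overflow it is trying to detect.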

Comment 1 Adam Mariš 2015-11-06 21:47:48 UTC
Created redis tracking bugs for this issue:

Affects: fedora-all [bug 1278966]
Affects: epel-all [bug 1278967]

Comment 4 errata-xmlrpc 2016-02-01 21:04:11 UTC
This issue has been addressed in the following products:

  OpenStack 7.0 Operational Tools for RHEL 7

Via RHSA-2016:0097 https://rhn.redhat.com/errata/RHSA-2016-0097.html

Comment 5 errata-xmlrpc 2016-02-01 21:04:38 UTC
This issue has been addressed in the following products:

  OpenStack 7 For RHEL 7

Via RHSA-2016:0096 https://rhn.redhat.com/errata/RHSA-2016-0096.html

Comment 6 errata-xmlrpc 2016-02-01 21:05:38 UTC
This issue has been addressed in the following products:

  OpenStack 6 for RHEL 7

Via RHSA-2016:0095 https://rhn.redhat.com/errata/RHSA-2016-0095.html
