Bug 1943623 (CVE-2021-3470) - CVE-2021-3470 redis: potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc
Summary: CVE-2021-3470 redis: potential heap overflow when using a heap allocator othe...
Keywords:
Status: NEW
Alias: CVE-2021-3470
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1946481 1946482 1948769 1948770 1944790 1944791 1948630 1948631 1948632
Blocks: 1930427 1943663
TreeView+ depends on / blocked
 
Reported: 2021-03-26 16:30 UTC by Mauro Matteo Cascella
Modified: 2021-04-20 07:45 UTC (History)
43 users (show)

Fixed In Version: redis 5.0.10, redis 6.0.9, redis 6.2.0
Doc Type: If docs needed, set a value
Doc Text:
A heap overflow issue was found in Redis when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast majority of users, who use jemalloc or glibc.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2021-03-26 16:30:19 UTC
When using a system with no malloc_usable_size(), zmalloc_size() assumed that the heap allocator always returns blocks that are long-padded. This may not always be the case, and will result with zmalloc_size() returning a size that is bigger than allocated. At least in one case this leads to out of bound write, process crash and a potential security vulnerability. Effectively this does not affect the vast majority of users, who use jemalloc or glibc.

Upstream pull request:
https://github.com/redis/redis/pull/7963

Upstream commit:
https://github.com/redis/redis/commit/9824fe3e392caa04dc1b4071886e9ac402dd6d95

Release notes:
https://raw.githubusercontent.com/redis/redis/5.0.10/00-RELEASENOTES
https://raw.githubusercontent.com/redis/redis/6.0.9/00-RELEASENOTES

Comment 1 Mauro Matteo Cascella 2021-03-26 16:35:08 UTC
It is worth noting that the default Redis heap allocator on Linux is jemalloc: https://github.com/redis/redis#allocator.

Comment 6 Borja Tarraso 2021-04-06 13:08:40 UTC
Statement:

The following products are not affected by this flaw because they use `jemalloc` as default heap allocator:
* Red Hat Enterprise Linux 8
* Red Hat Software Collections
* Red Hat Advanced Cluster Management for Kubernetes

Comment 7 Tapas Jena 2021-04-12 16:19:21 UTC
Completed the analysis of the concerned vulnerability for both AAP 1.2 and Ansible Tower and below is my observation:
- Ansible Tower uses the RHEL Redis where both jemalloc() and zmalloc() are in use. However, "jemalloc()" being used as default Heap allocator.
- Ansible Core doesn't use redis, by default. There is the cache plugin that is optional and it doesn't directly make any choices about the heap allocator redis would use.

Hence, marking AAP 1.2 and Tower as "Affected" and "delegated".

Kind Regards,
Tapas J

Comment 9 Mauro Matteo Cascella 2021-04-12 21:08:32 UTC
Created redis tracking bugs for this issue:

Affects: epel-all [bug 1948769]
Affects: fedora-all [bug 1948770]


Note You need to log in before you can comment on or make changes to this bug.