CaROS/meta-openembedded
3
1
Fork 0
mirror of git://git.openembedded.org/meta-openembedded synced 2026-01-01 13:58:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

redis: patch CVE-2025-48367

Browse Source 
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-48367

Backport the patch mentioned in the details.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
This commit is contained in:
Gyorgy Sarvari 2025-10-07 21:49:36 +02:00
parent 1e7af79e70
commit 97cd359c29
4 changed files with 226 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
meta-oe/recipes-extended/redis/redis-7.2.8/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch Normal file
View File

@ -0,0 +1,117 @@
From 05524dbadb1acc3d8d75905108fea39cdf43832c Mon Sep 17 00:00:00 2001
From: Ozan Tezcan <ozantezcan@gmail.com>
Date: Wed, 14 May 2025 11:02:30 +0300
Subject: [PATCH] Retry accept() even if accepted connection reports an error
(CVE-2025-48367)
In case of accept4() returns an error, we should check errno value and
decide if we should retry accept4() without waiting next event loop iteration.
CVE: CVE-2025-48367
Upstream-Status: Backport [https://github.com/redis/redis/commit/c76d6182096cbe10bd3a1dc41095b5ab422e6a74]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/anet.c | 24 ++++++++++++++++++++++++
src/anet.h | 1 +
src/cluster.c | 2 ++
src/socket.c | 2 ++
src/tls.c | 2 ++
src/unix.c | 2 ++
6 files changed, 33 insertions(+)
diff --git a/src/anet.c b/src/anet.c
index 64824a2..6c539d5 100644
--- a/src/anet.c
+++ b/src/anet.c
@@ -704,3 +704,27 @@ int anetIsFifo(char *filepath) {
if (stat(filepath, &sb) == -1) return 0;
return S_ISFIFO(sb.st_mode);
}
+
+/* This function must be called after accept4() fails. It returns 1 if 'err'
+ * indicates accepted connection faced an error, and it's okay to continue
+ * accepting next connection by calling accept4() again. Other errors either
+ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
+ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
+ * reached. In the latter case, caller might wait until resources are available.
+ * See accept4() documentation for details. */
+int anetAcceptFailureNeedsRetry(int err) {
+ if (err == ECONNABORTED)
+ return 1;
+
+#if defined(__linux__)
+ /* For details, see 'Error Handling' section on
+ * https://man7.org/linux/man-pages/man2/accept.2.html */
+ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
+ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
+ err == EOPNOTSUPP || err == ENETUNREACH)
+ {
+ return 1;
+ }
+#endif
+ return 0;
+}
diff --git a/src/anet.h b/src/anet.h
index b13c14f..2319039 100644
--- a/src/anet.h
+++ b/src/anet.h
@@ -71,5 +71,6 @@ int anetPipe(int fds[2], int read_flags, int write_flags);
int anetSetSockMarkId(char *err, int fd, uint32_t id);
int anetGetError(int fd);
int anetIsFifo(char *filepath);
+int anetAcceptFailureNeedsRetry(int err);
#endif
diff --git a/src/cluster.c b/src/cluster.c
index 765958a..2130ffd 100644
--- a/src/cluster.c
+++ b/src/cluster.c
@@ -1309,6 +1309,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_VERBOSE,
"Error accepting cluster node: %s", server.neterr);
diff --git a/src/socket.c b/src/socket.c
index dad8e93..09d87bc 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -318,6 +318,8 @@ static void connSocketAcceptHandler(aeEventLoop *el, int fd, void *privdata, int
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
diff --git a/src/tls.c b/src/tls.c
index e709c99..9a66e81 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -774,6 +774,8 @@ static void tlsAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask)
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
diff --git a/src/unix.c b/src/unix.c
index bd146d0..8fdefe4 100644
--- a/src/unix.c
+++ b/src/unix.c
@@ -100,6 +100,8 @@ static void connUnixAcceptHandler(aeEventLoop *el, int fd, void *privdata, int m
while(max--) {
cfd = anetUnixAccept(server.neterr, fd);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);

107
meta-oe/recipes-extended/redis/redis/0001-Retry-accept-even-if-accepted-connection-reports-an-.patch Normal file
View File

@ -0,0 +1,107 @@
From 5cb320f03b7d619499d2d69f4371096b5d6a9bdf Mon Sep 17 00:00:00 2001
From: Ozan Tezcan <ozantezcan@gmail.com>
Date: Wed, 14 May 2025 11:02:30 +0300
Subject: [PATCH] Retry accept() even if accepted connection reports an error
(CVE-2025-48367)
In case of accept4() returns an error, we should check errno value and
decide if we should retry accept4() without waiting next event loop iteration.
CVE: CVE-2025-48367
Upstream-Status: Backport [https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/anet.c | 24 ++++++++++++++++++++++++
src/anet.h | 2 +-
src/cluster.c | 2 ++
src/networking.c | 6 ++++++
4 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/src/anet.c b/src/anet.c
index 91f6171..2e42fc5 100644
--- a/src/anet.c
+++ b/src/anet.c
@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) {
anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type);
return anetFormatAddr(buf, buf_len, ip, port);
}
+
+/* This function must be called after accept4() fails. It returns 1 if 'err'
+ * indicates accepted connection faced an error, and it's okay to continue
+ * accepting next connection by calling accept4() again. Other errors either
+ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
+ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
+ * reached. In the latter case, caller might wait until resources are available.
+ * See accept4() documentation for details. */
+int anetAcceptFailureNeedsRetry(int err) {
+ if (err == ECONNABORTED)
+ return 1;
+
+#if defined(__linux__)
+ /* For details, see 'Error Handling' section on
+ * https://man7.org/linux/man-pages/man2/accept.2.html */
+ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
+ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
+ err == EOPNOTSUPP || err == ENETUNREACH)
+ {
+ return 1;
+ }
+#endif
+ return 0;
+}
diff --git a/src/anet.h b/src/anet.h
index 2a685cc..adedaf3 100644
--- a/src/anet.h
+++ b/src/anet.h
@@ -72,5 +72,5 @@ int anetFdToString(int fd, char *ip, size_t ip_len, int *port, int fd_to_str_typ
int anetKeepAlive(char *err, int fd, int interval);
int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port);
int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type);
-
+int anetAcceptFailureNeedsRetry(int err);
#endif
diff --git a/src/cluster.c b/src/cluster.c
index 8807fe2..030897c 100644
--- a/src/cluster.c
+++ b/src/cluster.c
@@ -691,6 +691,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_VERBOSE,
"Error accepting cluster node: %s", server.neterr);
diff --git a/src/networking.c b/src/networking.c
index 11891d3..2598a58 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -1190,6 +1190,8 @@ void acceptTcpHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
@@ -1211,6 +1213,8 @@ void acceptTLSHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
@@ -1231,6 +1235,8 @@ void acceptUnixHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
while(max--) {
cfd = anetUnixAccept(server.neterr, fd);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);

1
meta-oe/recipes-extended/redis/redis_6.2.18.bb
View File

@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0006-Define-correct-gregs-for-RISCV32.patch \
file://0001-CVE-2025-27151.patch \
file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \
file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \
"
SRC_URI[sha256sum] = "470c75bac73d7390be4dd66479c6f29e86371c5d380ce0c7efb4ba2bbda3612d"

1
meta-oe/recipes-extended/redis/redis_7.2.8.bb
View File

@ -18,6 +18,7 @@ SRC_URI = "http://download.redis.io/releases/${BP}.tar.gz \
file://0006-Define-correct-gregs-for-RISCV32.patch \
file://0001-Check-length-of-AOF-file-name-in-redis-check-aof-CVE.patch \
file://0001-Fix-out-of-bounds-write-in-hyperloglog-commands-CVE-.patch \
file://0001-Retry-accept-even-if-accepted-connection-reports-an-.patch \
"
SRC_URI[sha256sum] = "6be4fdfcdb2e5ac91454438246d00842d2671f792673390e742dfcaf1bf01574"