diff options
author | Petr Vaněk <arkamar@atlas.cz> | 2022-10-22 11:52:31 +0200 |
---|---|---|
committer | Joonas Niilola <juippis@gentoo.org> | 2022-11-11 17:10:06 +0200 |
commit | 85442e23f002bbdbfe137a7fc15314eb6b048982 (patch) | |
tree | 5793a34bf38c3ca33c6deec5f71a362b90ff622b /dev-db/redis | |
parent | dev-db/redis: apply recommended patch for CVE-2022-3647 to 7.0.5 (diff) | |
download | gentoo-85442e23f002bbdbfe137a7fc15314eb6b048982.tar.gz gentoo-85442e23f002bbdbfe137a7fc15314eb6b048982.tar.bz2 gentoo-85442e23f002bbdbfe137a7fc15314eb6b048982.zip |
dev-db/redis: backport recommended patch for CVE-2022-3647 to 6.2.7
The original patch does not apply cleanly, it was necessary to backport it.
Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3
Bug: https://bugs.gentoo.org/877863
Signed-off-by: Petr Vaněk <arkamar@atlas.cz>
Closes: https://github.com/gentoo/gentoo/pull/27893
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
Diffstat (limited to 'dev-db/redis')
-rw-r--r-- | dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch | 173 | ||||
-rw-r--r-- | dev-db/redis/redis-6.2.7-r2.ebuild | 198 |
2 files changed, 371 insertions, 0 deletions
diff --git a/dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch b/dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch new file mode 100644 index 000000000000..8c3a2358c8eb --- /dev/null +++ b/dev-db/redis/files/redis-6.2.7-cve-2022-3647.patch @@ -0,0 +1,173 @@ +This is backported patch from upstream commit for version 6.2.7 which fixes CVE-2022-3647. + +Upstream-commit: https://github.com/redis/redis/commit/0bf90d944313919eb8e63d3588bf63a367f020a3 +Bug: https://bugs.gentoo.org/877863 + +diff --git a/src/debug.c b/src/debug.c +index 71ef51f8b..40fffec52 100644 +--- a/src/debug.c ++++ b/src/debug.c +@@ -1019,61 +1019,88 @@ void bugReportStart(void) { + } + + #ifdef HAVE_BACKTRACE +-static void *getMcontextEip(ucontext_t *uc) { ++ ++/* Returns the current eip and set it to the given new value (if its not NULL) */ ++static void* getAndSetMcontextEip(ucontext_t *uc, void *eip) { ++#define NOT_SUPPORTED() do {\ ++ UNUSED(uc);\ ++ UNUSED(eip);\ ++ return NULL;\ ++} while(0) ++#define GET_SET_RETURN(target_var, new_val) do {\ ++ void *old_val = (void*)target_var; \ ++ if (new_val) { \ ++ void **temp = (void**)&target_var; \ ++ *temp = new_val; \ ++ } \ ++ return old_val; \ ++} while(0) + #if defined(__APPLE__) && !defined(MAC_OS_X_VERSION_10_6) + /* OSX < 10.6 */ + #if defined(__x86_64__) +- return (void*) uc->uc_mcontext->__ss.__rip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); + #elif defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__eip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); + #else +- return (void*) uc->uc_mcontext->__ss.__srr0; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__srr0, eip); + #endif + #elif defined(__APPLE__) && defined(MAC_OS_X_VERSION_10_6) + /* OSX >= 10.6 */ + #if defined(_STRUCT_X86_THREAD_STATE64) && !defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__rip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__rip, eip); + #elif defined(__i386__) +- return (void*) uc->uc_mcontext->__ss.__eip; ++ GET_SET_RETURN(uc->uc_mcontext->__ss.__eip, eip); + #else + /* OSX ARM64 */ +- return (void*) arm_thread_state64_get_pc(uc->uc_mcontext->__ss); ++ void *old_val = (void*)arm_thread_state64_get_pc(uc->uc_mcontext->__ss); ++ if (eip) { ++ arm_thread_state64_set_pc_fptr(uc->uc_mcontext->__ss, eip); ++ } ++ return old_val; + #endif + #elif defined(__linux__) + /* Linux */ + #if defined(__i386__) || ((defined(__X86_64__) || defined(__x86_64__)) && defined(__ILP32__)) +- return (void*) uc->uc_mcontext.gregs[14]; /* Linux 32 */ ++ GET_SET_RETURN(uc->uc_mcontext.gregs[14], eip); + #elif defined(__X86_64__) || defined(__x86_64__) +- return (void*) uc->uc_mcontext.gregs[16]; /* Linux 64 */ ++ GET_SET_RETURN(uc->uc_mcontext.gregs[16], eip); + #elif defined(__ia64__) /* Linux IA64 */ +- return (void*) uc->uc_mcontext.sc_ip; ++ GET_SET_RETURN(uc->uc_mcontext.sc_ip, eip); + #elif defined(__arm__) /* Linux ARM */ +- return (void*) uc->uc_mcontext.arm_pc; ++ GET_SET_RETURN(uc->uc_mcontext.arm_pc, eip); + #elif defined(__aarch64__) /* Linux AArch64 */ +- return (void*) uc->uc_mcontext.pc; ++ GET_SET_RETURN(uc->uc_mcontext.pc, eip); ++ #else ++ NOT_SUPPORTED(); + #endif + #elif defined(__FreeBSD__) + /* FreeBSD */ + #if defined(__i386__) +- return (void*) uc->uc_mcontext.mc_eip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_eip, eip); + #elif defined(__x86_64__) +- return (void*) uc->uc_mcontext.mc_rip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); ++ #else ++ NOT_SUPPORTED(); + #endif + #elif defined(__OpenBSD__) + /* OpenBSD */ + #if defined(__i386__) +- return (void*) uc->sc_eip; ++ GET_SET_RETURN(uc->sc_eip, eip); + #elif defined(__x86_64__) +- return (void*) uc->sc_rip; ++ GET_SET_RETURN(uc->sc_rip, eip); ++ #else ++ NOT_SUPPORTED(); + #endif + #elif defined(__NetBSD__) + #if defined(__i386__) +- return (void*) uc->uc_mcontext.__gregs[_REG_EIP]; ++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_EIP], eip); + #elif defined(__x86_64__) +- return (void*) uc->uc_mcontext.__gregs[_REG_RIP]; ++ GET_SET_RETURN(uc->uc_mcontext.__gregs[_REG_RIP], eip); ++ #else ++ NOT_SUPPORTED(); + #endif + #elif defined(__DragonFly__) +- return (void*) uc->uc_mcontext.mc_rip; ++ GET_SET_RETURN(uc->uc_mcontext.mc_rip, eip); + #else + return NULL; + #endif +@@ -1800,6 +1827,10 @@ void dumpCodeAroundEIP(void *eip) { + } + } + ++void invalidFunctionWasCalled() {} ++ ++typedef void (*invalidFunctionWasCalledType)(); ++ + void sigsegvHandler(int sig, siginfo_t *info, void *secret) { + UNUSED(secret); + UNUSED(info); +@@ -1817,13 +1848,30 @@ void sigsegvHandler(int sig, siginfo_t *info, void *secret) { + + #ifdef HAVE_BACKTRACE + ucontext_t *uc = (ucontext_t*) secret; +- void *eip = getMcontextEip(uc); ++ void *eip = getAndSetMcontextEip(uc, NULL); + if (eip != NULL) { + serverLog(LL_WARNING, + "Crashed running the instruction at: %p", eip); + } + +- logStackTrace(getMcontextEip(uc), 1); ++ if (eip == info->si_addr) { ++ /* When eip matches the bad address, it's an indication that we crashed when calling a non-mapped ++ * function pointer. In that case the call to backtrace will crash trying to access that address and we ++ * won't get a crash report logged. Set it to a valid point to avoid that crash. */ ++ ++ /* This trick allow to avoid compiler warning */ ++ void *ptr; ++ invalidFunctionWasCalledType *ptr_ptr = (invalidFunctionWasCalledType*)&ptr; ++ *ptr_ptr = invalidFunctionWasCalled; ++ getAndSetMcontextEip(uc, ptr); ++ } ++ ++ logStackTrace(eip, 1); ++ ++ if (eip == info->si_addr) { ++ /* Restore old eip */ ++ getAndSetMcontextEip(uc, eip); ++ } + + logRegisters(uc); + #endif +@@ -1918,7 +1966,7 @@ void watchdogSignalHandler(int sig, siginfo_t *info, void *secret) { + + serverLogFromHandler(LL_WARNING,"\n--- WATCHDOG TIMER EXPIRED ---"); + #ifdef HAVE_BACKTRACE +- logStackTrace(getMcontextEip(uc), 1); ++ logStackTrace(getAndSetMcontextEip(uc, NULL), 1); + #else + serverLogFromHandler(LL_WARNING,"Sorry: no support for backtrace()."); + #endif +-- +2.37.4 + diff --git a/dev-db/redis/redis-6.2.7-r2.ebuild b/dev-db/redis/redis-6.2.7-r2.ebuild new file mode 100644 index 000000000000..012ad4d40847 --- /dev/null +++ b/dev-db/redis/redis-6.2.7-r2.ebuild @@ -0,0 +1,198 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +# Redis does NOT build with Lua 5.2 or newer at this time: +# - 5.3 and 5.4 give: +# lua_bit.c:83:2: error: #error "Unknown number type, check LUA_NUMBER_* in luaconf.h" +# - 5.2 fails with: +# scripting.c:(.text+0x1f9b): undefined reference to `lua_open' +# because lua_open became lua_newstate in 5.2 +LUA_COMPAT=( lua5-1 luajit ) + +# Upstream have deviated too far from vanilla Lua, adding their own APIs +# like lua_enablereadonlytable, but we still need the eclass and such +# for bug #841422. +inherit autotools edo flag-o-matic lua-single multiprocessing systemd tmpfiles toolchain-funcs + +DESCRIPTION="A persistent caching system, key-value, and data structures database" +HOMEPAGE="https://redis.io" +SRC_URI="https://download.redis.io/releases/${P}.tar.gz" + +LICENSE="BSD" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~x86-solaris" +IUSE="+jemalloc selinux ssl systemd tcmalloc test" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + ${LUA_DEPS} + jemalloc? ( >=dev-libs/jemalloc-5.1:= ) + ssl? ( dev-libs/openssl:0= ) + systemd? ( sys-apps/systemd:= ) + tcmalloc? ( dev-util/google-perftools ) +" + +RDEPEND=" + ${COMMON_DEPEND} + acct-group/redis + acct-user/redis + selinux? ( sec-policy/selinux-redis ) +" + +BDEPEND=" + ${COMMON_DEPEND} + virtual/pkgconfig +" + +# Tcl is only needed in the CHOST test env +DEPEND=" + ${COMMON_DEPEND} + test? ( + dev-lang/tcl:0= + ssl? ( dev-tcltk/tls ) + )" + +REQUIRED_USE="?? ( jemalloc tcmalloc ) + ${LUA_REQUIRED_USE}" + +PATCHES=( + "${FILESDIR}"/${PN}-6.2.1-config.patch + "${FILESDIR}"/${PN}-5.0-shared.patch + "${FILESDIR}"/${PN}-6.2.3-ppc-atomic.patch + "${FILESDIR}"/${PN}-sentinel-5.0-config.patch + + # see bug 877863 + "${FILESDIR}/${PN}-6.2.7-cve-2022-3647.patch" +) + +src_prepare() { + default + + # Copy lua modules into build dir + #cp "${S}"/deps/lua/src/{fpconv,lua_bit,lua_cjson,lua_cmsgpack,lua_struct,strbuf}.c "${S}"/src || die + #cp "${S}"/deps/lua/src/{fpconv,strbuf}.h "${S}"/src || die + # Append cflag for lua_cjson + # https://github.com/antirez/redis/commit/4fdcd213#diff-3ba529ae517f6b57803af0502f52a40bL61 + append-cflags "-DENABLE_CJSON_GLOBAL" + + # now we will rewrite present Makefiles + local makefiles="" MKF + for MKF in $(find -name 'Makefile' | cut -b 3-); do + mv "${MKF}" "${MKF}.in" + sed -i -e 's:$(CC):@CC@:g' \ + -e 's:$(CFLAGS):@AM_CFLAGS@:g' \ + -e 's: $(DEBUG)::g' \ + -e 's:$(OBJARCH)::g' \ + -e 's:ARCH:TARCH:g' \ + -e '/^CCOPT=/s:$: $(LDFLAGS):g' \ + "${MKF}.in" \ + || die "Sed failed for ${MKF}" + makefiles+=" ${MKF}" + done + # autodetection of compiler and settings; generates the modified Makefiles + cp "${FILESDIR}"/configure.ac-3.2 configure.ac || die + + # Use the correct pkgconfig name for Lua. + # The upstream configure script handles luajit specially, and is not + # affected by these changes. + sed -i \ + -e "/^AC_INIT/s|, [0-9].+, |, $PV, |" \ + -e "s:AC_CONFIG_FILES(\[Makefile\]):AC_CONFIG_FILES([${makefiles}]):g" \ + -e "/PKG_CHECK_MODULES.*\<LUA\>/s,lua5.1,${ELUA},g" \ + configure.ac || die "Sed failed for configure.ac" + eautoreconf +} + +src_configure() { + econf #$(use_with lua_single_target_luajit luajit) + + # Linenoise can't be built with -std=c99, see https://bugs.gentoo.org/451164 + # also, don't define ANSI/c99 for lua twice + sed -i -e "s:-std=c99::g" deps/linenoise/Makefile deps/Makefile || die +} + +src_compile() { + local myconf="" + + if use jemalloc; then + myconf+="MALLOC=jemalloc" + elif use tcmalloc; then + myconf+="MALLOC=tcmalloc" + else + myconf+="MALLOC=libc" + fi + + if use ssl; then + myconf+=" BUILD_TLS=yes" + fi + + export USE_SYSTEMD=$(usex systemd) + + tc-export AR CC RANLIB + emake V=1 ${myconf} AR="${AR}" CC="${CC}" RANLIB="${RANLIB}" +} + +src_test() { + local runtestargs=( + --clients "$(makeopts_jobs)" # see bug #649868 + ) + + if has usersandbox ${FEATURES} || ! has userpriv ${FEATURES}; then + ewarn "unit/oom-score-adj test will be skipped." \ + "It is known to fail with FEATURES usersandbox or -userpriv. See bug #756382." + + # unit/oom-score-adj was introduced in version 6.2.0 + runtestargs+=( --skipunit unit/oom-score-adj ) # see bug #756382 + fi + + if use ssl; then + edo ./utils/gen-test-certs.sh + runtestargs+=( --tls ) + fi + + edo ./runtest "${runtestargs[@]}" +} + +src_install() { + insinto /etc/redis + doins redis.conf sentinel.conf + use prefix || fowners -R redis:redis /etc/redis /etc/redis/{redis,sentinel}.conf + fperms 0750 /etc/redis + fperms 0644 /etc/redis/{redis,sentinel}.conf + + newconfd "${FILESDIR}/redis.confd-r2" redis + newinitd "${FILESDIR}/redis.initd-6" redis + + systemd_newunit "${FILESDIR}/redis.service-4" redis.service + newtmpfiles "${FILESDIR}/redis.tmpfiles-2" redis.conf + + newconfd "${FILESDIR}/redis-sentinel.confd-r1" redis-sentinel + newinitd "${FILESDIR}/redis-sentinel.initd-r1" redis-sentinel + + insinto /etc/logrotate.d/ + newins "${FILESDIR}/${PN}.logrotate" ${PN} + + dodoc 00-RELEASENOTES BUGS CONTRIBUTING MANIFESTO README.md + + dobin src/redis-cli + dosbin src/redis-benchmark src/redis-server src/redis-check-aof src/redis-check-rdb + fperms 0750 /usr/sbin/redis-benchmark + dosym redis-server /usr/sbin/redis-sentinel + + if use prefix; then + diropts -m0750 + else + diropts -m0750 -o redis -g redis + fi + keepdir /var/{log,lib}/redis +} + +pkg_postinst() { + tmpfiles_process redis.conf + + ewarn "The default redis configuration file location changed to:" + ewarn " /etc/redis/{redis,sentinel}.conf" + ewarn "Please apply your changes to the new configuration files." +} |