From d00454f458e362587f8c4c834d85fc0483a0e24c Mon Sep 17 00:00:00 2001
From: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
Date: Tue, 8 Jul 2025 15:14:07 +0800
Subject: [PATCH] [CVE] CVE-2025-48367 to #22548 add patch to fix CVE-2025-48367 Project: TC2024080204
Signed-off-by: tomcruiseqi <10762123+tomcruiseqi@user.noreply.gitee.com>
---
 3-bugfix-for-CVE-2025-48367.patch | 111 ++++++++++++++++++++++++++++++
 redis.spec | 7 +-
 2 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 3-bugfix-for-CVE-2025-48367.patch
diff --git a/3-bugfix-for-CVE-2025-48367.patch b/3-bugfix-for-CVE-2025-48367.patch
new file mode 100644
index 0000000..9a5b3e2
--- /dev/null
+++ b/3-bugfix-for-CVE-2025-48367.patch
@@ -0,0 +1,111 @@
+From bde62951accfc4bb0a516276fd0b4b307e140ce2 Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan
+Date: Wed, 14 May 2025 11:02:30 +0300
+Subject: [PATCH] Retry accept() even if accepted connection reports an error
+ (CVE-2025-48367)
+
+In case of accept4() returns an error, we should check errno value and decide if we should retry accept4() without waiting next event loop iteration.
+---
+ src/anet.c | 24 ++++++++++++++++++++++++
+ src/anet.h | 1 +
+ src/cluster.c | 2 ++
+ src/socket.c | 2 ++
+ src/tls.c | 2 ++
+ src/unix.c | 2 ++
+ 6 files changed, 33 insertions(+)
+
+diff --git a/src/anet.c b/src/anet.c
+index ad4ac49d89a..d79434cef03 100644
+--- a/src/anet.c
++++ b/src/anet.c
+@@ -787,3 +787,27 @@ int anetIsFifo(char *filepath) {
+ if (stat(filepath, &sb) == -1) return 0;
+ return S_ISFIFO(sb.st_mode);
+ }
++
++/* This function must be called after accept4() fails. It returns 1 if 'err'
++ * indicates accepted connection faced an error, and it's okay to continue
++ * accepting next connection by calling accept4() again. Other errors either
++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
++ * reached. In the latter case, caller might wait until resources are available.
++ * See accept4() documentation for details.
*/
++int anetAcceptFailureNeedsRetry(int err) {
++ if (err == ECONNABORTED)
++ return 1;
++
++#if defined(__linux__)
++ /* For details, see 'Error Handling' section on
++ * https://man7.org/linux/man-pages/man2/accept.2.html */
++ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
++ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
++ err == EOPNOTSUPP || err == ENETUNREACH)
++ {
++ return 1;
++ }
++#endif
++ return 0;
++}
+diff --git a/src/anet.h b/src/anet.h
+index 211421940dd..1d3aec9cdf5 100644
+--- a/src/anet.h
++++ b/src/anet.h
+@@ -53,5 +53,6 @@ int anetPipe(int fds[2], int read_flags, int write_flags);
+ int anetSetSockMarkId(char *err, int fd, uint32_t id);
+ int anetGetError(int fd);
+ int anetIsFifo(char *filepath);
++int anetAcceptFailureNeedsRetry(int err);
+
+ #endif
+diff --git a/src/cluste.c b/src/cluster.c
+index 88dc9969190..6f1635e9e5d 100644
+--- a/src/cluster.c
++++ b/src/cluster.c
+@@ -1309,6 +1309,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+ while(max--) {
+ cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+ if (cfd == ANET_ERR) {
++ if (anetAcceptFailureNeedsRetry(errno))
++ continue;
+ if (errno != EWOULDBLOCK)
+ serverLog(LL_VERBOSE,
+ "Error accepting cluster node: %s", server.neterr);
+diff --git a/src/socket.c b/src/socket.c
+index 241a541080d..226b414f85e 100644
+--- a/src/socket.c
++++ b/src/socket.c
+@@ -318,6 +318,8 @@ static void connSocketAcceptHandler(aeEventLoop *el, int fd, void *privdata, int
+ while(max--) {
+ cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+ if (cfd == ANET_ERR) {
++ if (anetAcceptFailureNeedsRetry(errno))
++ continue;
+ if (errno != EWOULDBLOCK)
+ serverLog(LL_WARNING,
+ "Accepting client connection: %s", server.neterr);
+diff --git a/src/tls.c b/src/tls.c
+index 65526c04f7d..a0733a4b636 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -774,6 +774,8 @@ static void tlsAcceptHandler(aeEventLoop *el, int fd, void
*privdata, int mask)
+ while(max--) {
+ cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+ if (cfd == ANET_ERR) {
++ if (anetAcceptFailureNeedsRetry(errno))
++ continue;
+ if (errno != EWOULDBLOCK)
+ serverLog(LL_WARNING,
+ "Accepting client connection: %s", server.neterr);
+diff --git a/src/unix.c b/src/unix.c
+index b61cb6d4959..e26f0d27ad1 100644
+--- a/src/unix.c
++++ b/src/unix.c
+@@ -100,6 +100,8 @@ static void connUnixAcceptHandler(aeEventLoop *el, int fd, void *privdata, int m
+ while(max--) {
+ cfd = anetUnixAccept(server.neterr, fd);
+ if (cfd == ANET_ERR) {
++ if (anetAcceptFailureNeedsRetry(errno))
++ continue;
+ if (errno != EWOULDBLOCK)
+ serverLog(LL_WARNING,
+ "Accepting client connection: %s", server.neterr);
diff --git a/redis.spec b/redis.spec
index 12d091c..1cc2498 100644
--- a/redis.spec
+++ b/redis.spec
@@ -1,4 +1,4 @@
-%define anolis_release 1
+%define anolis_release 2
 # temp workaround to https://bugzilla.redhat.com/2059488
 %undefine _package_note_file
@@ -30,6 +30,7 @@ Source10: https://github.com/%{name}/%{name}-doc/archive/%{doc_commit}/
 Patch0001: 0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 Patch0002: 0002-add-sw_64-support.patch
+Patch3: 3-bugfix-for-CVE-2025-48367.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -131,6 +132,7 @@ sed -i -e 's|^dir .*$|dir /var/lib/redis|g' redis.conf
 %ifarch x86_64
 sed -e 's/--with-lg-quantum/--with-lg-page=12 --with-lg-quantum/' -i deps/Makefile
 %endif
+%patch -P3 -p1
 %ifarch aarch64
 sed -e 's/--with-lg-quantum/--with-lg-page=16 --with-lg-quantum/' -i deps/Makefile
 %endif
@@ -288,6 +290,9 @@ fi
 %changelog
+* Tue Jul 08 2025 tomcruiseqi - 7.2.8-2
+- Fix CVE-2025-48367
+
 * Fri May 16 2025 mgb01105731 - 7.2.8-1
 - Update to 7.2.8 to fix CVE-2025-21605
-- Gitee
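Review bot: The new `if (anetAcceptFailureNeedsRetry(errno)) continue;` branch in the four accept handlers (`clusterAcceptHandler`, `connSocketAcceptHandler`, `tlsAcceptHandler`, `connUnixAcceptHandler`) discards the failed accept without a log line or counter, so a burst of aborted connections, which is the condition this CVE fix is meant to tolerate, leaves no trace for an operator. Each retry still consumes one `max` iteration, so the loop stays bounded, but I would record the event at a low level before continuing, e.g. `serverLog(LL_DEBUG, "Accept failed, retrying: %s", server.neterr);`. The handler bodies start and end outside the embedded hunks, so it should be confirmed against `anetTcpAccept`/`anetUnixAccept` that nothing between the failing accept call and this check overwrites `errno`. Separately, the embedded header `diff --git a/src/cluste.c b/src/cluster.c` does not match its `---`/`+++` lines; it is worth comparing the file against the upstream commit before shipping.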
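Review bot: `%patch -P3 -p1` is applied between the `%ifarch x86_64 … %endif` block and the `%ifarch aarch64` block, after the `sed` edits, which makes it easy for a later change to pull it inside an arch conditional and silently drop the CVE fix on other architectures. I would apply it next to the other patch applications in `%prep` (not visible in this hunk, so confirm where Patch0001/Patch0002 are applied) and add a comment such as `# CVE-2025-48367: must apply on all arches`. The tag in the `@@ -30,6 +30,7 @@` hunk is also named `Patch3` while its neighbours use `Patch0001`/`Patch0002`; `Patch0003` would keep the numbering consistent.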