[AutoPR- Security] Patch redis for CVE-2025-32023 (microsoft#14236)

azurelinux-security · Kanishk Bansal · jslobodzian · web-flow · commit 0802fcd8b319 · 2025-07-10T10:30:19.000-07:00
Signed-off-by: Kanishk Bansal &lt;kanbansal@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;kanbansal@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/redis/CVE-2025-32023.patch b/SPECS/redis/CVE-2025-32023.patch
@@ -0,0 +1,212 @@
+From 4faf8424d0dddb95792b7111cfd1b8f87f91f111 Mon Sep 17 00:00:00 2001
+From: Azure Linux Security Servicing Account
+ <azurelinux-security@microsoft.com>
+Date: Wed, 9 Jul 2025 07:19:35 +0000
+Subject: [PATCH] Fix CVE CVE-2025-32023 in redis
+
+Upstream Patch Reference: https://github.com/redis/redis/commit/50188747cbfe43528d2719399a2a3c9599169445.diff
+---
+
+ src/hyperloglog.c          | 47 +++++++++++++++++++++++++++++++----
+ tests/unit/hyperloglog.tcl | 51 ++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 93 insertions(+), 5 deletions(-)
+
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index 2f8c02e2cf2..d6a87822d19 100644
+--- a/src/hyperloglog.c
++++ b/src/hyperloglog.c
+@@ -579,6 +579,7 @@ int hllSparseToDense(robj *o) {
+     struct hllhdr *hdr, *oldhdr = (struct hllhdr*)sparse;
+     int idx = 0, runlen, regval;
+     uint8_t *p = (uint8_t*)sparse, *end = p+sdslen(sparse);
++    int valid = 1;
+ 
+     /* If the representation is already the right one return ASAP. */
+     hdr = (struct hllhdr*) sparse;
+@@ -598,16 +599,27 @@ int hllSparseToDense(robj *o) {
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
+-            if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             while(runlen--) {
+                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
+                 idx++;
+@@ -618,7 +630,7 @@ int hllSparseToDense(robj *o) {
+ 
+     /* If the sparse representation was valid, we expect to find idx
+      * set to HLL_REGISTERS. */
+-    if (idx != HLL_REGISTERS) {
++    if (!valid || idx != HLL_REGISTERS) {
+         sdsfree(dense);
+         return C_ERR;
+     }
+@@ -915,27 +927,40 @@ int hllSparseAdd(robj *o, unsigned char *ele, size_t elesize) {
+ void hllSparseRegHisto(uint8_t *sparse, int sparselen, int *invalid, int* reghisto) {
+     int idx = 0, runlen, regval;
+     uint8_t *end = sparse+sparselen, *p = sparse;
++    int valid = 1;
+ 
+     while(p < end) {
+         if (HLL_SPARSE_IS_ZERO(p)) {
+             runlen = HLL_SPARSE_ZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p++;
+         } else if (HLL_SPARSE_IS_XZERO(p)) {
+             runlen = HLL_SPARSE_XZERO_LEN(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[0] += runlen;
+             p += 2;
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
++            if ((runlen + idx) > HLL_REGISTERS) { /* Overflow. */
++                valid = 0;
++                break;
++            }
+             idx += runlen;
+             reghisto[regval] += runlen;
+             p++;
+         }
+     }
+-    if (idx != HLL_REGISTERS && invalid) *invalid = 1;
++    if ((!valid || idx != HLL_REGISTERS) && invalid) *invalid = 1;
+ }
+ 
+ /* ========================= HyperLogLog Count ==============================
+@@ -1204,22 +1229,34 @@ int hllMerge(uint8_t *max, robj *hll) {
+     } else {
+         uint8_t *p = hll->ptr, *end = p + sdslen(hll->ptr);
+         long runlen, regval;
++        int valid = 1;
+ 
+         p += HLL_HDR_SIZE;
+         i = 0;
+         while(p < end) {
+             if (HLL_SPARSE_IS_ZERO(p)) {
+                 runlen = HLL_SPARSE_ZERO_LEN(p);
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 i += runlen;
+                 p++;
+             } else if (HLL_SPARSE_IS_XZERO(p)) {
+                 runlen = HLL_SPARSE_XZERO_LEN(p);
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 i += runlen;
+                 p += 2;
+             } else {
+                 runlen = HLL_SPARSE_VAL_LEN(p);
+                 regval = HLL_SPARSE_VAL_VALUE(p);
+-                if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
++                if ((runlen + i) > HLL_REGISTERS) { /* Overflow. */
++                    valid = 0;
++                    break;
++                }
+                 while(runlen--) {
+                     if (regval > max[i]) max[i] = regval;
+                     i++;
+@@ -1227,7 +1264,7 @@ int hllMerge(uint8_t *max, robj *hll) {
+                 p++;
+             }
+         }
+-        if (i != HLL_REGISTERS) return C_ERR;
++        if (!valid || i != HLL_REGISTERS) return C_ERR;
+     }
+     return C_OK;
+ }
+diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
+index f1bbeace9d1..76c0a8d8d2c 100644
+--- a/tests/unit/hyperloglog.tcl
++++ b/tests/unit/hyperloglog.tcl
+@@ -137,6 +137,57 @@ start_server {tags {"hll"}} {
+         set e
+     } {*WRONGTYPE*}
+ 
++    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode} {
++        r del hll
++        
++        # Create a sparse-encoded HyperLogLog header
++        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
++
++        # Create an XZERO opcode with the maximum run length of 16384(2^14)
++        set runlen [expr 16384 - 1]
++        set chunk [binary format cc [expr {0b01000000 | ($runlen >> 8)}] [expr {$runlen & 0xff}]]
++        # Fill the HLL with more than 131072(2^17) XZERO opcodes to make the total
++        # run length exceed 4GB, will cause an integer overflow.
++        set repeat [expr 131072 + 1000]
++        for {set i 0} {$i < $repeat} {incr i} {
++            append pl $chunk
++        }
++
++        # Create a VAL opcode with a value that will cause out-of-bounds.
++        append pl [binary format c 0b11111111]
++        r set hll $pl
++
++        # This should not overflow and out-of-bounds.
++        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
++        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
++        r ping
++    }
++
++    test {Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode} {
++        r del hll
++        
++        # Create a sparse-encoded HyperLogLog header
++        set pl [string cat "HYLL" [binary format c12 {1 0 0 0 0 0 0 0 0 0 0 0}]]
++
++        # # Create an ZERO opcode with the maximum run length of 64(2^6)
++        set chunk [binary format c [expr {0b00000000 | 0x3f}]]
++        # Fill the HLL with more than 33554432(2^17) ZERO opcodes to make the total
++        # run length exceed 4GB, will cause an integer overflow.
++        set repeat [expr 33554432 + 1000]
++        for {set i 0} {$i < $repeat} {incr i} {
++            append pl $chunk
++        }
++
++        # Create a VAL opcode with a value that will cause out-of-bounds.
++        append pl [binary format c 0b11111111]
++        r set hll $pl
++
++        # This should not overflow and out-of-bounds.
++        assert_error {*INVALIDOBJ*} {r pfcount hll hll}
++        assert_error {*INVALIDOBJ*} {r pfdebug getreg hll}
++        r ping
++    }
++
+     test {Corrupted dense HyperLogLogs are detected: Wrong length} {
+         r del hll
+         r pfadd hll a b c
diff --git a/SPECS/redis/redis.spec b/SPECS/redis/redis.spec
@@ -1,7 +1,7 @@
 Summary:        advanced key-value store
 Name:           redis
 Version:        6.2.18
-Release:        1%{?dist}
+Release:        2%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://redis.io/
 Source0:        https://download.redis.io/releases/%{name}-%{version}.tar.gz
 Patch0:         redis-conf.patch
 Patch1:         disable_active_defrag_big_keys.patch
+Patch2:         CVE-2025-32023.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  openssl-devel
@@ -84,6 +85,9 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
 
 %changelog
+* Wed Jul 09 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 6.2.18-2
+- Patch for CVE-2025-32023
+
 * Wed Apr 30 2025 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 6.2.18-1
 - Auto-upgrade to 6.2.18 - for CVE-2025-21605
 
