[AUTO-CHERRYPICK] [High] Patch redis for CVE-2025-48367 - branch main (microsoft#14270)

Co-authored-by: Kevin Lockwood <[email protected]>
Co-authored-by: jslobodzian <[email protected]>

Author: 3 people

SPECS/redis/CVE-2025-48367.patch

@@ -0,0 +1,104 @@
+From 0fe67435935cc5724ff6eb9c4ca4120c58a15765 Mon Sep 17 00:00:00 2001
+From: Ozan Tezcan <[email protected]>
+Date: Wed, 14 May 2025 11:02:30 +0300
+Subject: [PATCH] Retry accept() even if accepted connection reports an error
+ (CVE-2025-48367)
+
+Upstream Patch Link: https://github.com/redis/redis/commit/0fe67435935cc5724ff6eb9c4ca4120c58a15765.patch
+
+In case of accept4() returns an error, we should check errno value and
+decide if we should retry accept4() without waiting next event loop iteration.
+---
+ src/anet.c       | 24 ++++++++++++++++++++++++
+ src/anet.h       |  2 +-
+ src/cluster.c    |  2 ++
+ src/networking.c |  6 ++++++
+ 4 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/src/anet.c b/src/anet.c
+index 91f61718ef3..2e42fc572c3 100644
+--- a/src/anet.c
++++ b/src/anet.c
+@@ -594,3 +594,27 @@ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type) {
+     anetFdToString(fd,ip,sizeof(ip),&port,fd_to_str_type);
+     return anetFormatAddr(buf, buf_len, ip, port);
+ }
++
++/* This function must be called after accept4() fails. It returns 1 if 'err'
++ * indicates accepted connection faced an error, and it's okay to continue
++ * accepting next connection by calling accept4() again. Other errors either
++ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
++ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
++ * reached. In the latter case, caller might wait until resources are available.
++ * See accept4() documentation for details. */
++int anetAcceptFailureNeedsRetry(int err) {
++    if (err == ECONNABORTED)
++        return 1;
++
++#if defined(__linux__)
++    /* For details, see 'Error Handling' section on
++     * https://man7.org/linux/man-pages/man2/accept.2.html */
++    if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
++        err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
++        err == EOPNOTSUPP || err == ENETUNREACH)
++    {
++        return 1;
++    }
++#endif
++    return 0;
++}
+diff --git a/src/anet.h b/src/anet.h
+index 2a685cc0169..adedaf3e1a8 100644
+--- a/src/anet.h
++++ b/src/anet.h
+@@ -72,5 +72,5 @@ int anetFdToString(int fd, char *ip, size_t ip_len, int *port, int fd_to_str_typ
+ int anetKeepAlive(char *err, int fd, int interval);
+ int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port);
+ int anetFormatFdAddr(int fd, char *buf, size_t buf_len, int fd_to_str_type);
+-
++int anetAcceptFailureNeedsRetry(int err);
+ #endif
+diff --git a/src/cluster.c b/src/cluster.c
+index 8807fe2c8c3..030897c6ab1 100644
+--- a/src/cluster.c
++++ b/src/cluster.c
+@@ -691,6 +691,8 @@ void clusterAcceptHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_VERBOSE,
+                     "Error accepting cluster node: %s", server.neterr);
+diff --git a/src/networking.c b/src/networking.c
+index 11891d3e970..2598a58baa8 100644
+--- a/src/networking.c
++++ b/src/networking.c
+@@ -1190,6 +1190,8 @@ void acceptTcpHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);
+@@ -1211,6 +1213,8 @@ void acceptTLSHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);
+@@ -1231,6 +1235,8 @@ void acceptUnixHandler(aeEventLoop *el, int fd, void *privdata, int mask) {
+     while(max--) {
+         cfd = anetUnixAccept(server.neterr, fd);
+         if (cfd == ANET_ERR) {
++            if (anetAcceptFailureNeedsRetry(errno))
++                continue;
+             if (errno != EWOULDBLOCK)
+                 serverLog(LL_WARNING,
+                     "Accepting client connection: %s", server.neterr);

SPECS/redis/redis.spec

@@ -1,7 +1,7 @@
 Summary:        advanced key-value store
 Name:           redis
 Version:        6.2.18
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -11,6 +11,7 @@ Source0:        https://download.redis.io/releases/%{name}-%{version}.tar.gz
 Patch0:         redis-conf.patch
 Patch1:         disable_active_defrag_big_keys.patch
 Patch2:         CVE-2025-32023.patch
+Patch3:         CVE-2025-48367.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  openssl-devel
@@ -85,6 +86,12 @@ exit 0
 %config(noreplace) %attr(0640, %{name}, %{name}) %{_sysconfdir}/redis.conf
 
 %changelog
+* Wed Jul 09 2025 Kevin Lockwood <[email protected]> - 6.2.18-3
+- Patch for CVE-2025-48367
+
+* Wed Jul 09 2025 Azure Linux Security Servicing Account <[email protected]> - 6.2.18-2
+- Patch for CVE-2025-32023
+
 * Wed Jul 09 2025 Azure Linux Security Servicing Account <[email protected]> - 6.2.18-2
 - Patch for CVE-2025-32023