CVE-2023-47003: Query crashes in `DataBlock_ItemIsDeleted` · Issue #3063 · RedisGraph/RedisGraph
An issue in RedisGraph v.2.12.10 allows an attacker to execute arbitrary code and cause a denial of service via a crafted string in DataBlock_ItemIsDeleted.
=== REDIS BUG REPORT START: Cut & paste starting from here ===
10:M 24 Apr 2023 18:54:43.433 # Redis 7.0.11 crashed by signal: 11, si_code: 128
10:M 24 Apr 2023 18:54:43.433 # Accessing address: (nil)
10:M 24 Apr 2023 18:54:43.433 # Crashed running the instruction at: 0x7f283d48aef5
------ STACK TRACE ------
EIP:
/app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]
Backtrace:
redis-server *:6379(sigsegvHandler+0x8a)[0x56216429294a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x13140)[0x7f28452a2140]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(DataBlock_ItemIsDeleted+0x25)[0x7f283d48aef5]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(Graph_EntityIsDeleted+0x40)[0x7f283d3a9000]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6a02ee)[0x7f283d3212ee]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x69f5d0)[0x7f283d3205d0]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(OpBase_Free+0x7d)[0x7f283d307f5d]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x671bd7)[0x7f283d2f2bd7]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(ExecutionPlan_Free+0x4d)[0x7f283d2f2a2d]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x6407d4)[0x7f283d2c17d4]
/app/bin/linux-x64-debug-asan/src/redisgraph.so(+0x831d8a)[0x7f283d4b2d8a]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x7ea7)[0x7f2845296ea7]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f)[0x7f28451b4a2f]
------ REGISTERS ------
10:M 24 Apr 2023 18:54:43.436 #
RAX:ffffffffffffffff RBX:00007f28371a44c0
RCX:1fffffffffffffff RDX:0000000000000000
RDI:0000000000000000 RSI:00007f28371a3520
RBP:00007f28371a3e40 RSP:00007f28371a3e20
R8 :0000000000000001 R9 :000000000000000a
R10:000000000000001e R11:00007f28369a7000
R12:00007ffc3cf1c2ce R13:00007ffc3cf1c2cf
R14:00007f28371a46c0 R15:0000000000802000
RIP:00007f283d48aef5 EFL:0000000000010a07
CSGSFS:002b000000000033
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2f) -> 00007f2831828178
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2e) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2d) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2c) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2b) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e2a) -> 00007f2831828180
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e29) -> 00007f283d3212ee
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e28) -> 00007f28371a3fd0
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e27) -> 00007f2831834a0c
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e26) -> 00007f2831834a0c
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e25) -> 00007f283d3a9000
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e24) -> 00007f28371a3e60
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e23) -> 0000000000000000
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e22) -> ffffffffffffffff
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e21) -> 834cfcd8e8894900
10:M 24 Apr 2023 18:54:43.436 # (00007f28371a3e20) -> 00007f28371a3d70
------ INFO OUTPUT ------
# Server
redis_version:7.0.11
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:5c712dc4cb9cfb70
redis_mode:standalone
os:Linux 6.2.10-arch1-1 x86_64
arch_bits:64
monotonic_clock:POSIX clock_gettime
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:10.2.1
process_id:10
process_supervised:no
run_id:567d37ab65b9a1eff8459ee690db4f259efbed00
tcp_port:6379
server_time_usec:1682362483432067
uptime_in_seconds:7
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:4640883
executable:/redis/redis-server
config_file:
io_threads_active:0
# Clients
connected_clients:1
cluster_connections:0
maxclients:10000
client_recent_max_input_buffer:0
client_recent_max_output_buffer:0
blocked_clients:1
tracking_clients:0
clients_in_timeout_table:0
# Memory
used_memory:1497320
used_memory_human:1.43M
used_memory_rss:42692608
used_memory_rss_human:40.71M
used_memory_peak:1497320
used_memory_peak_human:1.43M
used_memory_peak_perc:110.76%
used_memory_overhead:929048
used_memory_startup:928792
used_memory_dataset:568272
used_memory_dataset_perc:99.95%
allocator_allocated:1223920
allocator_active:1409024
allocator_resident:4825088
total_system_memory:8039120896
total_system_memory_human:7.49G
used_memory_lua:31744
used_memory_vm_eval:31744
used_memory_lua_human:31.00K
used_memory_scripts_eval:0
number_of_cached_scripts:0
number_of_functions:0
number_of_libraries:0
used_memory_vm_functions:32768
used_memory_vm_total:64512
used_memory_vm_total_human:63.00K
used_memory_functions:184
used_memory_scripts:184
used_memory_scripts_human:184B
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.15
allocator_frag_bytes:185104
allocator_rss_ratio:3.42
allocator_rss_bytes:3416064
rss_overhead_ratio:8.85
rss_overhead_bytes:37867520
mem_fragmentation_ratio:45.96
mem_fragmentation_bytes:41763672
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_total_replication_buffers:0
mem_clients_slaves:0
mem_clients_normal:0
mem_cluster_links:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
lazyfreed_objects:0
# Persistence
loading:0
async_loading:0
current_cow_peak:0
current_cow_size:0
current_cow_size_age:0
current_fork_perc:0.00
current_save_keys_processed:0
current_save_keys_total:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1682362476
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_saves:0
rdb_last_cow_size:0
rdb_last_load_keys_expired:0
rdb_last_load_keys_loaded:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_rewrites:0
aof_rewrites_consecutive_failures:0
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0
# Stats
total_connections_received:1
total_commands_processed:2
instantaneous_ops_per_sec:0
total_net_input_bytes:246
total_net_output_bytes:93
total_net_repl_input_bytes:0
total_net_repl_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
instantaneous_input_repl_kbps:0.00
instantaneous_output_repl_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:0
evicted_keys:0
evicted_clients:0
total_eviction_exceeded_time:0
current_eviction_exceeded_time:0
keyspace_hits:3
keyspace_misses:1
pubsub_channels:0
pubsub_patterns:0
pubsubshard_channels:0
latest_fork_usec:0
total_forks:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
total_active_defrag_time:0
current_active_defrag_time:0
tracking_total_keys:0
tracking_total_items:0
tracking_total_prefixes:0
unexpected_error_replies:0
total_error_replies:0
dump_payload_sanitizations:0
total_reads_processed:2
total_writes_processed:1
io_threaded_reads_processed:0
io_threaded_writes_processed:0
reply_buffer_shrinks:0
reply_buffer_expands:0
# Replication
role:master
connected_slaves:0
master_failover_state:no-failover
master_replid:545e76b89a7a511fa91ced8a5dfd8c5b7429f8ee
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.015967
used_cpu_user:0.031885
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000000
used_cpu_sys_main_thread:0.000000
used_cpu_user_main_thread:0.002797
# Modules
module:name=graph,ver=21200,api=1,filters=0,usedby=[],using=[],options=[]
# Commandstats
cmdstat_graph.QUERY:calls=2,usec=1751,usec_per_call=875.50,rejected_calls=0,failed_calls=0
# Errorstats
# Latencystats
latency_percentiles_usec_graph.QUERY:p50=1630.207,p99=1630.207,p99.9=1630.207
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=1,expires=0,avg_ttl=0
------ CLIENT LIST OUTPUT ------
id=6 addr=172.17.0.1:49156 laddr=172.17.0.2:6379 fd=8 name= age=0 idle=0 flags=b db=0 sub=0 psub=0 ssub=0 multi=-1 qbuf=0 qbuf-free=20474 argv-mem=140 multi-mem=0 rbs=16384 rbp=16384 obl=0 oll=0 omem=0 tot-mem=37804 events=r cmd=graph.QUERY user=default redir=-1 resp=2
------ MODULES INFO OUTPUT ------
# graph_executing commands
graph_command:GRAPH.QUERY CYPHER TIMEOUT_DEFAULT="30000" CREATE (x) CREATE ()-[:A{n1:size([n2 IN [n3 IN [0] | x.n4] | 0])}]->()-[y:B]->() DELETE y
------ CONFIG DEBUG OUTPUT ------
io-threads-do-reads no
repl-diskless-sync yes
lazyfree-lazy-expire no
lazyfree-lazy-user-del no
client-query-buffer-limit 1gb
activedefrag no
proto-max-bulk-len 512mb
lazyfree-lazy-eviction no
io-threads 1
sanitize-dump-payload no
lazyfree-lazy-server-del no
repl-diskless-load disabled
replica-read-only yes
slave-read-only yes
list-compress-depth 0
lazyfree-lazy-user-flush no
------ FAST MEMORY TEST ------
10:M 24 Apr 2023 18:54:43.437 # main thread terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #0 terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #1 terminated
10:M 24 Apr 2023 18:54:43.437 # Bio thread for job type #2 terminated
Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.
------ DUMPING CODE AROUND EIP ------
Symbol: DataBlock_ItemIsDeleted (base: 0x7f283d48aed0)
Module: /app/bin/linux-x64-debug-asan/src/redisgraph.so (base 0x7f283cc81000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=0x7f283d48aed0 -D -b binary -m i386:x86-64 /tmp/dump.bin
------
10:M 24 Apr 2023 18:54:43.437 # dump of function (hexdump of 165 bytes):
554889e54883ec2048897df8488b45f84805ffffffff488945f0488b45f04889c148c1e9038a910080ff7f80fa00488945e88855e70f8423000000488b45e84825070000008a4de738c80f8c09000000488b7de8e87794d5ffe900000000488b45e88a0880e1010fb6d183e20183fa000f95c180e1010fb6d189d04883c4205dc3662e0f1f8400000000000f1f440000554889e54883ec3048897df8488975f0488b7df848
=== REDIS BUG REPORT END. Make sure to include from START to END. ===