RedisBloom Integer Overflow Vulnerability Leading to Out-of-Bounds Write and Information Leak

Vulnerability

An integer overflow vulnerability has been identified in RedisBloom, a module that adds probabilistic data structures to Redis. It allows an authenticated Redis client (one that knows the password) to manipulate heap memory allocation. The issue lies in the CMS.INITBYDIM command, which initializes a Count-Min Sketch from user-supplied width and depth values. Because these inputs are not validated, the size computed from them can wrap around, so the buffer allocated for the sketch is smaller than the table the module subsequently indexes. Exploiting this yields out-of-bounds writes and information leaks.
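The following C snippet is an added illustration of the allocation-size defect described above and its fix; it is not RedisBloom's code, and the counter type, function names and the assumption that the table holds width times depth counters are illustrative. It places the unchecked size computation beside an overflow-checked one, so a reviewer can see exactly where a wraparound produces an undersized allocation and what the validating form looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Counter type for the sketch cells. uint32_t is an illustrative assumption;
 * this file does not mirror RedisBloom's own definitions. */
typedef uint32_t counter_t;

/* The unchecked pattern the advisory describes: width * depth * sizeof(counter_t)
 * is computed in size_t and can wrap around, so the number returned (and later
 * passed to the allocator) can be far smaller than the table the code indexes. */
size_t cms_table_bytes_unchecked(size_t width, size_t depth)
{
    return width * depth * sizeof(counter_t);
}

/* Hardened form: reject any dimensions whose byte count cannot be represented.
 * Each multiplication is checked against SIZE_MAX before it is performed,
 * which is the portable way to detect unsigned wraparound in C. */
bool cms_table_bytes_checked(size_t width, size_t depth, size_t *out_bytes)
{
    if (width == 0 || depth == 0)
        return false;                         /* a zero-cell sketch is never valid */
    if (width > SIZE_MAX / depth)
        return false;                         /* width * depth would wrap */
    size_t cells = width * depth;
    if (cells > SIZE_MAX / sizeof(counter_t))
        return false;                         /* cells * sizeof(counter_t) would wrap */
    *out_bytes = cells * sizeof(counter_t);
    return true;
}

/* Hypothetical INITBYDIM-style constructor: allocates the table only when the
 * dimensions pass the check above, returning NULL (rather than an undersized
 * buffer) on any overflow. The caller frees the result. */
counter_t *cms_init_by_dim(size_t width, size_t depth)
{
    size_t bytes;
    if (!cms_table_bytes_checked(width, depth, &bytes))
        return NULL;
    return calloc(1, bytes);                  /* zeroed table of width * depth counters */
}

int main(void)
{
    /* Constructed dimensions: width = 2^(bits-1) and depth = 2, so width * depth
     * equals 2^bits and wraps to 0 in size_t whatever the platform word size. */
    size_t w = SIZE_MAX / 2 + 1, d = 2;
    size_t bytes;

    printf("unchecked byte count for oversized sketch: %zu\n",
           cms_table_bytes_unchecked(w, d));
    printf("checked version accepts it: %s\n",
           cms_table_bytes_checked(w, d, &bytes) ? "yes" : "no");

    counter_t *t = cms_init_by_dim(2000, 5);
    printf("sane 2000x5 sketch allocated: %s\n", t ? "yes" : "no");
    free(t);
    return 0;
}
```

The checked form is what a reviewer should expect to see wherever user-controlled dimensions feed an allocation: the product is validated before it is computed, and a rejected request returns an error instead of a too-small buffer. Passing the cell count and element size to calloc separately also lets the allocator detect the product overflow, but an explicit check gives the caller a clean error path rather than a NULL it might not handle.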

Impact

Exploitation of this vulnerability crashes the Redis server with a segmentation fault. Before the crash, however, the out-of-bounds writes and information leaks it enables create the potential for more severe consequences, up to arbitrary code execution.

Reproduction

To reproduce this vulnerability, first load the RedisBloom module into a Redis server instance. Then use the CMS.INITBYDIM command to create a Count-Min Sketch with width and depth values crafted to trigger the integer overflow. Once the sketch exists, the CMS.QUERY command reads data beyond the allocated memory, demonstrating the out-of-bounds read, and the CMS.INCRBY command writes data outside the allocated bounds, demonstrating the out-of-bounds write.

Remediation

Users can upgrade to RedisBloom versions 2.2.19, 2.4.12, 2.6.14, or 2.8.2, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.8
exploitability: 6.6
remediation: 7.7
relevance: 0.0
threat: 6.7
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.