valkey-io / valkey

A new project to resume development on the formerly open-source Redis project. We're calling it Valkey, since it's a twist on the key-value datastore.
https://valkey.io

[BUG] server accessing uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed #578

Open hoyhoy opened 1 month ago

hoyhoy commented 1 month ago

The valkey server appears to be reading from uninitialized memory in several places. Sometimes, random bits are XOR'd together for "entropy" and it doesn't matter -- which is possibly the case with lz4, but the sinterGenericCommand() and sunionDiffGenericCommand() look bad and possibly exploitable.

SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:164 in lzf_compress
==redis-server==1707645==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55e7c37ac0d7 in lzf_compress /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:164
    #1 0x55e7c3871379 in rdbSaveRawString /p/b/redis2e2c76e50e46b/b/src/rdb.c:378
    #2 0x55e7c387c0d8 in rdbSaveObject /p/b/redis2e2c76e50e46b/b/src/rdb.c:951
    #3 0x55e7c39c73c0 in createDumpPayload /p/b/redis2e2c76e50e46b/b/src/cluster.c:6528
    #4 0x55e7c39c79e6 in dumpCommand /p/b/redis2e2c76e50e46b/b/src/cluster.c:6593
    #5 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
    #6 0x55e7c3b9975b in scriptCall /p/b/redis2e2c76e50e46b/b/src/script.c:566
    #7 0x55e7c3b94739 in luaRedisGenericCommand /p/b/redis2e2c76e50e46b/b/src/script_lua.c:933
    #8 0x55e7c3c08cf9 in luaD_precall :?
    #9 0x55e7c3c5b319 in luaV_execute :?
    #10 0x55e7c3c0e3a6 in luaD_call :?
    #11 0x55e7c3c06b10 in luaD_rawrunprotected :?
    #12 0x55e7c3c0f622 in luaD_pcall :?
    #13 0x55e7c3bf92d6 in lua_pcall ??:?
    #14 0x55e7c3b9220f in luaCallFunction /p/b/redis2e2c76e50e46b/b/src/script_lua.c:?
    #15 0x55e7c39dcd8c in evalGenericCommand /p/b/redis2e2c76e50e46b/b/src/eval.c:536
    #16 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
    #17 0x55e7c37783dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160
    #18 0x55e7c37fe6f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2466
    #19 0x55e7c37d9951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713
    #20 0x55e7c3b79301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79
    #21 0x55e7c373b4c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436
    #22 0x55e7c373ce81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496
    #23 0x55e7c3797088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360
    #24 0x7ff623561d84 in __libc_start_main ??:?
    #25 0x55e7c36900bd in _start ??:?

  raw origin id: -2147480726
  Uninitialized value was created by an allocation of 'htab' in the stack frame
    #0 0x55e7c37ab5a9 in lzf_compress /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:117
SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557 in sunionDiffGenericCommand
SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557 in sunionDiffGenericCommand
SUMMARY: =redis-server==1707645==WARNING: MemorySanitizer: use-of-uninitialized-value
 #0 0x55e7c38c812d in sinterGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1366
 #1 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
 #2 0x55e7c37783dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160
 #3 0x55e7c37fe6f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2466
 #4 0x55e7c37d9951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713
 #5 0x55e7c3b79301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79
 #6 0x55e7c373b4c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436
 #7 0x55e7c373ce81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496
 #8 0x55e7c3797088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360
 #9 0x7ff623561d84 in __libc_start_main ??:?
 #10 0x55e7c36900bd in _start ??:?
SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:32 in sunionDiffGenericCommand
==redis-server==3048125==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55a5c93b959e in sunionDiffGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:32
    #1 0x55a5c92676c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519:5
    #2 0x55a5c926f3dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160:9
    #3 0x55a5c92f56f6 in processCommandAndResetClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2466:9
    #4 0x55a5c92f56f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2574:17
    #5 0x55a5c92d0951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713:9
    #6 0x55a5c9670301 in callHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79:18
    #7 0x55a5c9670301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/socket.c:298:14
    #8 0x55a5c92324c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436:17
    #9 0x55a5c9233e81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496:9
    #10 0x55a5c928e088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360:5
    #11 0x7fde96abed84 in __libc_start_main ../csu/libc-start.c:302:16
    #12 0x55a5c91870bd in _start (build/debug/bin/redis-server+0x1730bd)

  raw origin id: -1879047711
  Uninitialized value was stored to memory at
    #0 0x55a5c93b9597 in sunionDiffGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:64
    #1 0x55a5c92676c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519:5
    #2 0x55a5c926f3dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160:9
    #3 0x55a5c92f56f6 in processCommandAndResetClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2466:9
    #4 0x55a5c92f56f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2574:17
    #5 0x55a5c92d0951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713:9
    #6 0x55a5c9670301 in callHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79:18
    #7 0x55a5c9670301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/socket.c:298:14
    #8 0x55a5c92324c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436:17
    #9 0x55a5c9233e81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496:9
    #10 0x55a5c928e088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360:5
    #11 0x7fde96abed84 in __libc_start_main ../csu/libc-start.c:302:16
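
Added example, not code from this issue or from Valkey: a toy LZ-style compressor in C built around the pattern the first report flags in lzf_compress, a candidate-position table kept on the stack. Here the table is zeroed before use, every candidate is range-checked and its bytes compared before it drives any read, and the matching decoder rejects back-references that point outside the bytes it has already produced. The token format, the hash4 function and all names (lz_compress, lz_decompress, lz_roundtrip, lz_compressed_size, lz_rejects_bad_backref) are constructed for this example, as are the sample inputs; none of it is LZF's real format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy token format (constructed for this example, not LZF's):
 *   0x00..0x7F  literal run of (token + 1) bytes follows
 *   0x80..0xFF  back-reference of ((token & 0x7F) + MIN_MATCH) bytes,
 *               followed by a 2-byte big-endian distance (1..65535) */
#define HLOG      10
#define HSIZE     (1u << HLOG)
#define MIN_MATCH 4
#define MAX_MATCH (127 + MIN_MATCH)
#define MAX_LIT   128
#define MAX_DIST  65535

/* Toy 4-byte hash; deliberately simple, only for the demo. */
static unsigned hash4(const unsigned char *p) {
    return (((unsigned)p[0] << 3) ^ ((unsigned)p[1] << 2) ^
            ((unsigned)p[2] << 1) ^ (unsigned)p[3]) & (HSIZE - 1);
}

/* Write in[from..to) as literal runs of at most MAX_LIT bytes. */
static int emit_literals(const unsigned char *in, size_t from, size_t to,
                         unsigned char *out, size_t *op, size_t out_cap) {
    while (from < to) {
        size_t n = to - from;
        if (n > MAX_LIT) n = MAX_LIT;
        if (*op + 1 + n > out_cap) return 0;
        out[(*op)++] = (unsigned char)(n - 1);
        memcpy(out + *op, in + from, n);
        *op += n;
        from += n;
    }
    return 1;
}

/* Returns the compressed size, or 0 if out_cap is too small (or input is empty). */
size_t lz_compress(const unsigned char *in, size_t in_len,
                   unsigned char *out, size_t out_cap) {
    /* Candidate table on the stack, like lzf's htab. Zeroing it is the defensive
     * counterpart of the uninitialized read in the report: 0 means "no candidate";
     * positions are stored as ip + 1. */
    size_t htab[HSIZE];
    memset(htab, 0, sizeof htab);
    size_t ip = 0, op = 0, lit_start = 0;

    while (ip < in_len) {
        size_t match_len = 0, match_dist = 0;
        if (ip + MIN_MATCH <= in_len) {
            unsigned h = hash4(in + ip);
            size_t cand = htab[h];
            htab[h] = ip + 1;
            /* Never trust the slot blindly: a stale or garbage value must be
             * range-checked and byte-compared before it drives any read. */
            if (cand != 0 && cand - 1 < ip && ip - (cand - 1) <= MAX_DIST) {
                size_t ref = cand - 1, n = 0, limit = in_len - ip;
                if (limit > MAX_MATCH) limit = MAX_MATCH;
                while (n < limit && in[ref + n] == in[ip + n]) n++;
                if (n >= MIN_MATCH) { match_len = n; match_dist = ip - ref; }
            }
        }
        if (match_len) {
            if (!emit_literals(in, lit_start, ip, out, &op, out_cap)) return 0;
            if (op + 3 > out_cap) return 0;
            out[op++] = (unsigned char)(0x80 | (match_len - MIN_MATCH));
            out[op++] = (unsigned char)(match_dist >> 8);
            out[op++] = (unsigned char)(match_dist & 0xFF);
            ip += match_len;
            lit_start = ip;
        } else {
            ip++;
            if (ip - lit_start == MAX_LIT) {
                if (!emit_literals(in, lit_start, ip, out, &op, out_cap)) return 0;
                lit_start = ip;
            }
        }
    }
    if (!emit_literals(in, lit_start, ip, out, &op, out_cap)) return 0;
    return op;
}

/* Returns the decompressed size, or 0 if the stream is malformed or out_cap too small. */
size_t lz_decompress(const unsigned char *in, size_t in_len,
                     unsigned char *out, size_t out_cap) {
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        unsigned char t = in[ip++];
        if (t < 0x80) {
            size_t n = (size_t)t + 1;
            if (ip + n > in_len || op + n > out_cap) return 0;
            memcpy(out + op, in + ip, n);
            ip += n; op += n;
        } else {
            size_t n = (size_t)(t & 0x7F) + MIN_MATCH;
            if (ip + 2 > in_len) return 0;
            size_t dist = ((size_t)in[ip] << 8) | in[ip + 1];
            ip += 2;
            /* A back-reference must land inside bytes already produced. */
            if (dist == 0 || dist > op || op + n > out_cap) return 0;
            for (size_t i = 0; i < n; i++, op++) out[op] = out[op - dist]; /* overlap OK */
        }
    }
    return op;
}

/* 1 if compress -> decompress reproduces the input exactly. */
int lz_roundtrip(const unsigned char *in, size_t n) {
    unsigned char comp[4096], back[4096];
    size_t c = lz_compress(in, n, comp, sizeof comp);
    if (c == 0) return 0;
    size_t d = lz_decompress(comp, c, back, sizeof back);
    return d == n && memcmp(in, back, n) == 0;
}

size_t lz_compressed_size(const unsigned char *in, size_t n) {
    unsigned char comp[4096];
    return lz_compress(in, n, comp, sizeof comp);
}

/* Constructed malformed stream: a 4-byte back-reference 5 bytes before the
 * start of the output. The checked decoder rejects it instead of reading OOB. */
int lz_rejects_bad_backref(void) {
    static const unsigned char bad[] = { 0x80, 0x00, 0x05 };
    unsigned char out[16];
    return lz_decompress(bad, sizeof bad, out, sizeof out) == 0;
}

int main(void) {
    const unsigned char *s = (const unsigned char *)"abcabcabcabc"; /* constructed input */
    printf("roundtrip=%d compressed=%zu bytes (from 12)\n",
           lz_roundtrip(s, 12), lz_compressed_size(s, 12));
    return 0;
}
```

Building this with `clang -fsanitize=memory -fsanitize-memory-track-origins` and deleting the `memset` on `htab` makes the `cand != 0` branch depend on uninitialized stack bytes, so MSAN reports a use-of-uninitialized-value with the same kind of origin line as in the report ("allocation of 'htab' in the stack frame"); with the `memset` in place it stays quiet. The candidate validation and the decoder's distance check are what keep a bad table entry or a malformed stream from turning into an out-of-bounds read.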

madolson commented 1 month ago

@hoyhoy Can you paste the commands you ran to cause this use? I wasn't able to naively reproduce it.

hoyhoy commented 4 weeks ago

@madolson do you have an MSAN build? It's clang on Linux only. Seems to happen immediately. We have a very simple test that does a minimum union and intersection, and clang -fsanitize=memory flags it. Redis is reading and writing uninitialized memory.

madolson commented 4 weeks ago

Will take a look.