Memory safety / crash prevention due to concurrent modification during dictionary iteration
Description
The commit replaces a normal dict iterator with a safe iterator for enumerating module configurations. This mitigates a class of memory-safety bugs that occur when the module configuration dictionary is mutated during iteration (e.g., another module or code path adds/removes config entries while iterating). Without a safe iterator, concurrent modification can lead to invalid memory access or a crash, which is a security-relevant DoS/stability issue. The change is a targeted hardening of the iteration path used when enumerating module configurations.
Proof of Concept
PoC concept (illustrative, not a full exploit):
- Context: Prior to this fix, module configuration enumeration used a non-safe iterator (dictGetIterator) over the global configs dictionary. If code executed inside the enumeration added or removed entries from the same dict, the iterator could be invalidated, potentially causing a crash.
- Scenario: An attacker module or handler triggers a configuration enumeration (e.g., via CONFIG/MODULE-related commands that enumerate module options) while mutating the configs dict in the same timeframe.
- PoC sketch (C-like pseudocode):
// Unsafe path that could crash prior to the fix
void vuln_enumerate_configs(void) {
dictIterator *iter = dictGetIterator(configs); // unsafe before fix
dictEntry *de;
while ((de = dictNext(iter)) != NULL) {
// During enumeration, mutate the same dict
dictAdd(configs, sdsnew("evil_config"), NULL);
}
dictReleaseIterator(iter);
}
// Expected outcome without the safe iterator: potential crash when the dict mutates during iteration.
// The patch replaces dictGetIterator with dictGetSafeIterator in moduleGetConfigIterator, preventing the crash.
Commit Details
Author: YaacovHazan
Date: 2025-07-31 08:51 UTC
Message:
Use safe Iterator for modules (#14239)
Triage Assessment
Vulnerability Type: Memory safety / crash prevention
Confidence: MEDIUM
Reasoning:
The change switches to a safe iterator when enumerating module configurations. This mitigates a class of bugs where concurrent modification during iteration could lead to invalid memory access or crashes, which are security-relevant as they can be exploited for DoS or stability breaches.
Verification Assessment
Vulnerability Type: Memory safety / crash prevention due to concurrent modification during dictionary iteration
Confidence: MEDIUM
Affected Versions: <=8.6.1
Code Diff
diff --git a/src/config.c b/src/config.c
index 4c30fd953de..2555cf79e94 100644
--- a/src/config.c
+++ b/src/config.c
@@ -3482,7 +3482,7 @@ static standardConfig *getMutableConfig(client *c, const sds name, const char **
}
dictIterator *moduleGetConfigIterator(void) {
- return dictGetIterator(configs);
+ return dictGetSafeIterator(configs);
}
const char *moduleConfigIteratorNext(dictIterator **iter, sds pattern, int is_glob, configType *typehint) {