Memory safety / crash prevention due to concurrent modification during dictionary iteration

MEDIUM
redis/redis
Commit: 4604407fdd06
Affected: <=8.6.1
2026-04-04 11:53 UTC

Description

The commit replaces a normal dict iterator with a safe iterator for enumerating module configurations. This mitigates a class of memory-safety bugs that occur when the module configuration dictionary is mutated during iteration (e.g., another module or code path adds/removes config entries while iterating). Without a safe iterator, concurrent modification can lead to invalid memory access or a crash, which is a security-relevant DoS/stability issue. The change is a targeted hardening of the iteration path used when enumerating module configurations.

Proof of Concept

PoC concept (illustrative, not a full exploit): - Context: Prior to this fix, module configuration enumeration used a non-safe iterator (dictGetIterator) over the global configs dictionary. If code executed inside the enumeration added or removed entries from the same dict, the iterator could be invalidated, potentially causing a crash. - Scenario: An attacker module or handler triggers a configuration enumeration (e.g., via CONFIG/MODULE-related commands that enumerate module options) while mutating the configs dict in the same timeframe. - PoC sketch (C-like pseudocode): // Unsafe path that could crash prior to the fix void vuln_enumerate_configs(void) { dictIterator *iter = dictGetIterator(configs); // unsafe before fix dictEntry *de; while ((de = dictNext(iter)) != NULL) { // During enumeration, mutate the same dict dictAdd(configs, sdsnew("evil_config"), NULL); } dictReleaseIterator(iter); } // Expected outcome without the safe iterator: potential crash when the dict mutates during iteration. // The patch replaces dictGetIterator with dictGetSafeIterator in moduleGetConfigIterator, preventing the crash.

Commit Details

Author: YaacovHazan

Date: 2025-07-31 08:51 UTC

Message:

Use safe Iterator for modules (#14239)

Triage Assessment

Vulnerability Type: Memory safety / crash prevention

Confidence: MEDIUM

Reasoning:

The change switches to a safe iterator when enumerating module configurations. This mitigates a class of bugs where concurrent modification during iteration could lead to invalid memory access or crashes, which are security-relevant as they can be exploited for DoS or stability breaches.

Verification Assessment

Vulnerability Type: Memory safety / crash prevention due to concurrent modification during dictionary iteration

Confidence: MEDIUM

Affected Versions: <=8.6.1

Code Diff

diff --git a/src/config.c b/src/config.c index 4c30fd953de..2555cf79e94 100644 --- a/src/config.c +++ b/src/config.c @@ -3482,7 +3482,7 @@ static standardConfig *getMutableConfig(client *c, const sds name, const char ** } dictIterator *moduleGetConfigIterator(void) { - return dictGetIterator(configs); + return dictGetSafeIterator(configs); } const char *moduleConfigIteratorNext(dictIterator **iter, sds pattern, int is_glob, configType *typehint) {
← Back to Alerts View on GitHub →