From 2c3387fc06bc28cb113701dd71ae8c772755df29 Mon Sep 17 00:00:00 2001
From: Katie Holly
Date: Wed, 18 Jun 2025 17:23:46 +0000
Subject: [PATCH 1/7] Ensure empty error tables in scripts don't crash Valkey (#2229)
When calling the command `EVAL error{} 0`, Valkey crashes with the following stack trace. This patch ensures we never leave the `err_info.msg` field null when we fail to extract a proper error message.
---------
Signed-off-by: Fusl
Signed-off-by: Binbin
Co-authored-by: Binbin
---
 src/script_lua.c | 5 +++++
 tests/unit/scripting.tcl | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/src/script_lua.c b/src/script_lua.c
index c1979abfb6..3289de8789 100644
--- a/src/script_lua.c
+++ b/src/script_lua.c
@@ -1645,6 +1645,11 @@ void luaExtractErrorInformation(lua_State *lua, errorInfo *err_info) {
 err_info->ignore_err_stats_update = lua_toboolean(lua, -1);
 }
 lua_pop(lua, 1);
+
+ if (err_info->msg == NULL) {
+ /* Ensure we never return a NULL msg. */
+ err_info->msg = sdsnew("ERR unknown error");
+ }
 }
 void luaCallFunction(scriptRunCtx* run_ctx, lua_State *lua, robj** keys, size_t nkeys, robj** args, size_t nargs, int debug_enabled) {
diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
index 641d761224..831c33a236 100644
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@@ -2266,4 +2266,21 @@ start_server {tags {"scripting"}} {
 assert { [r memory usage foo] <= $expected_memory};
 }
 }
+
+ test {EVAL - explicit error() call handling} {
+ # error("simple string error")
+ assert_error {ERR user_script:1: simple string error script: *} {
+ r eval "error('simple string error')" 0
+ }
+
+ # error({"err": "ERR table error"})
+ assert_error {ERR table error script: *} {
+ r eval "error({err='ERR table error'})" 0
+ }
+
+ # error({})
+ assert_error {ERR unknown error script: *} {
+ r eval "error({})" 0
+ }
+ }
 }
From e7d9749f69b345713ce7550b4fbb62eaad775687 Mon Sep 17 00:00:00 2001
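Review bot: The comment on the new fallback in luaExtractErrorInformation() states the guarantee but not which inputs reach it; something like `/* A table error without a usable 'err' field (e.g. error({})) leaves msg unset; fall back so callers never see NULL. */` would tell the next reader why the branch exists. The code that sets msg sits above the hunk, so which other error values take the same path is an assumption to confirm. Because the commit message describes a crash reachable from a plain EVAL, the function's header comment should also state that msg is non-NULL on return, so that later edits keep the invariant.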
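Review bot: The new test in tests/unit/scripting.tcl covers only the empty table, while the fix in src/script_lua.c is a catch-all for every path that leaves msg unset. A table whose `err` field is present but not a string deserves its own case, for example `r eval "error({err=1})" 0` wrapped in an `assert_error`; the expected message has to be taken from a run, since the extraction code is not visible here. The enclosing start_server block begins above the hunk.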
From: Harkrishn Patro
Date: Tue, 26 Mar 2024 08:26:22 -0700
Subject: [PATCH 2/7] Cleanup tcl tmp directory leaking resources (#34)
Few of the servers log are stored as `server1/2/3.log` . Various type of acl files are created and weren't getting cleaned up prior to this change.
---
 tests/test_helper.tcl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/test_helper.tcl b/tests/test_helper.tcl
index e4173782d5..449e6b4356 100644
--- a/tests/test_helper.tcl
+++ b/tests/test_helper.tcl
@@ -322,7 +322,9 @@ proc cleanup {} {
 if {!$::quiet} {puts -nonewline "Cleanup: may take some time... "}
 flush stdout
 catch {exec rm -rf {*}[glob tests/tmp/valkey.conf.*]}
- catch {exec rm -rf {*}[glob tests/tmp/server.*]}
+ catch {exec rm -rf {*}[glob tests/tmp/redis.conf.*]}
+ catch {exec rm -rf {*}[glob tests/tmp/server*.*]}
+ catch {exec rm -rf {*}[glob tests/tmp/*.acl.*]}
 if {!$::quiet} {puts "OK"}
 }
From a190b581daf6ae54cd00930b92d903d3e562f008 Mon Sep 17 00:00:00 2001
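Review bot: Each `catch {exec rm -rf {*}[glob ...]}` line in cleanup swallows every failure, not only the "no files matched" error from glob, so a leftover file that cannot be removed still leaks without any message. Tcl's own delete with a glob that tolerates an empty match keeps the behaviour and lets real errors surface: `file delete -force -- {*}[glob -nocomplain tests/tmp/server*.*]`. The same applies to the `redis.conf.*` and `*.acl.*` lines added here and to the unchanged `valkey.conf.*` line above them.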
From: Zeroday BYTE
Date: Mon, 26 May 2025 18:57:00 +0700
Subject: [PATCH 3/7] Fix unsigned difference expression compared to zero (#2101)
https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886-L886 Fix the issue need to ensure that the subtraction `prev->size - prev->used` does not underflow. This can be achieved by explicitly checking that `prev->used` is less than `prev->size` before performing the subtraction. This approach avoids relying on unsigned arithmetic and ensures the logic is clear and robust. The specific changes are: 1. Replace the condition `prev->size - prev->used > 0` with `prev->used < prev->size`. 2. This change ensures that the logic checks whether there is remaining space in the buffer without risking underflow. **References** [INT02-C. Understand integer conversion rules](https://wiki.sei.cmu.edu/confluence/display/c/INT02-C.+Understand+integer+conversion+rules) [CWE-191](https://cwe.mitre.org/data/definitions/191.html)
---
Signed-off-by: Zeroday BYTE
---
 src/networking.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/networking.c b/src/networking.c
index 986daef995..3a2706720d 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -791,7 +791,7 @@ void setDeferredReply(client *c, void *node, const char *s, size_t length) {
 * - It has enough room already allocated
 * - And not too large (avoid large memmove) */
 if (ln->prev != NULL && (prev = listNodeValue(ln->prev)) &&
- prev->size - prev->used > 0)
+ prev->used < prev->size)
 {
 size_t len_to_copy = prev->size - prev->used;
 if (len_to_copy > length)
From 4065be13225f85d446aba80546fd9c2aaafb33af Mon Sep 17 00:00:00 2001
From: Ted Lyngmo
Date: Wed, 20 Aug 2025 22:48:31 +0200
Subject: [PATCH 4/7] Fix assumptions that pthread functions set errno (#2526)
pthread functions return the error instead of setting errno. Fixes #2525
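Review bot: With `prev->used < prev->size` the branch in setDeferredReply is skipped silently when `used` exceeds `size`, yet that state would mean the previous reply block's bookkeeping is already corrupt. Assuming both fields are unsigned, as the commit message says, the invariant should be written down next to the check, e.g. `/* used <= size always holds; used > size would mean a corrupted reply block */`, or asserted with the project's assert macro if that is acceptable on this path. The function continues past the end of the hunk, so the later use of `len_to_copy` is not covered by this note.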
Signed-off-by: Ted Lyngmo
---
 src/bio.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/bio.c b/src/bio.c
index 10ecf8db29..66570809ee 100644
--- a/src/bio.c
+++ b/src/bio.c
@@ -140,9 +140,10 @@ void bioInit(void) {
 * function accepts in order to pass the job ID the thread is
 * responsible for. */
 for (j = 0; j < BIO_WORKER_NUM; j++) {
- void *arg = (void*)(unsigned long) j;
- if (pthread_create(&thread,&attr,bioProcessBackgroundJobs,arg) != 0) {
- serverLog(LL_WARNING, "Fatal: Can't initialize Background Jobs. Error message: %s", strerror(errno));
+ void *arg = (void *)(unsigned long)j;
+ int err = pthread_create(&thread, &attr, bioProcessBackgroundJobs, arg);
+ if (err) {
+ serverLog(LL_WARNING, "Fatal: Can't initialize Background Jobs. Error message: %s", strerror(err));
 exit(1);
 }
 bio_threads[j] = thread;
@@ -221,9 +222,9 @@ void *bioProcessBackgroundJobs(void *arg) {
 * receive the watchdog signal. */
 sigemptyset(&sigset);
 sigaddset(&sigset, SIGALRM);
- if (pthread_sigmask(SIG_BLOCK, &sigset, NULL))
- serverLog(LL_WARNING,
- "Warning: can't mask SIGALRM in bio.c thread: %s", strerror(errno));
+ int err = pthread_sigmask(SIG_BLOCK, &sigset, NULL);
+ if (err)
+ serverLog(LL_WARNING, "Warning: can't mask SIGALRM in bio.c thread: %s", strerror(err));
 while(1) {
 listNode *ln;
From 8cfd062e944203c3915848fefd88f50221a3fb0f Mon Sep 17 00:00:00 2001
From: Ran Shidlansik
Date: Mon, 14 Jul 2025 19:19:13 +0300
Subject: [PATCH 5/7] update build-debian-old to use Bullseye instead of EOL buster (#2345)
Signed-off-by: Ran Shidlansik
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f2721b520..37e83d1e5c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
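Review bot: Nothing at the new `int err = pthread_create(...)` line in bioInit records why the return value is captured instead of reading errno, so the mistake this commit removes can easily return with the next edit. A one-line comment above the call would do, e.g. `/* pthread_* functions return the error number and do not set errno. */`. The same comment belongs above `int err = pthread_sigmask(...)` in the bioProcessBackgroundJobs hunk, where the unbraced `if (err)` body would also read more safely with braces. Both functions extend beyond the lines shown.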
@@ -48,7 +48,7 @@ jobs:
 build-debian-old:
 runs-on: ubuntu-latest
- container: debian:buster
+ container: debian:bullseye
 steps:
 - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: make
From 82f1a90c5a211d626388d8673fb091dbff4ce07d Mon Sep 17 00:00:00 2001
From: Binbin
Date: Tue, 22 Jul 2025 17:19:02 +0800
Subject: [PATCH 6/7] Fix client tracking memory overhead calculation (#2360)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This should be + instread of *, otherwise it does not make any sense. Otherwise we would have to calculate 20 more bytes for each prefix rax node in 64 bits build.
Signed-off-by: Binbin
Signed-off-by: Viktor Söderqvist
---
 src/networking.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/networking.c b/src/networking.c
index 3a2706720d..330418e7a2 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -3817,7 +3817,7 @@ size_t getClientMemoryUsage(client *c, size_t *output_buffer_mem_usage) {
 /* Add memory overhead of the tracking prefixes, this is an underestimation so we don't need to traverse the entire rax */
 if (c->client_tracking_prefixes)
- mem += c->client_tracking_prefixes->numnodes * (sizeof(raxNode) * sizeof(raxNode*));
+ mem += c->client_tracking_prefixes->numnodes * (sizeof(raxNode) + sizeof(raxNode *));
 return mem;
 }
From e7b6e4e8d2403b18a8e05f4aac11564cd965eb8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Viktor=20S=C3=B6derqvist?=
Date: Tue, 30 Sep 2025 14:45:35 +0200
Subject: [PATCH 7/7] WIP release notes for 7.2.11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Viktor Söderqvist
---
 00-RELEASENOTES | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/00-RELEASENOTES b/00-RELEASENOTES
index 6d2caeaa83..f163ab42bb 100644
--- a/00-RELEASENOTES
+++ b/00-RELEASENOTES
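Review bot: `container: debian:bullseye` is a mutable tag, while the checkout step two lines below it is pinned to a full commit SHA, so the job builds in whatever image the tag resolves to on the day it runs. Pinning the image by digest would bring the two in line, e.g. `container: debian:bullseye@sha256:<digest-placeholder>`, with the digest refreshed deliberately. A short comment on the job saying which old toolchain it is meant to cover would also tell the next maintainer when the image has to move again.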
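Review bot: The comment above the corrected line in getClientMemoryUsage calls the figure an underestimation but does not say what is counted per node, which is how the `*` went unnoticed. With the expression now `sizeof(raxNode) + sizeof(raxNode *)`, the comment could spell that out, e.g. `/* Lower bound: one node header plus one child pointer per rax node; the tree is not traversed. */`. What exactly is left out of the estimate cannot be read from this hunk and should be confirmed against the rax implementation. The function's earlier accounting lies above the hunk.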
@@ -11,6 +11,19 @@ CRITICAL: There is a critical bug affecting MOST USERS. Upgrade ASAP.
 SECURITY: There are security fixes in the release.
 --------------------------------------------------------------------------------
+================================================================================
+Valkey 7.2.11 - Released TBD (not released yet)
+================================================================================
+
+Upgrade urgency SECURITY: This release includes security fixes we recommend you
+apply as soon as possible.
+
+Bug fixes
+=========
+
+* Ensure empty error tables in Lua scripts don't crash Valkey (#2229)
+* Fix client tracking memory overhead calculation (#2360)
+
 ================================================================================
 Valkey 7.2.10 - Released Fri 20 June 2025
 ================================================================================