[Security] CVE-2024-31449: Stack buffer overflow in Lua bit.tohex()

[jinchengyang98]

Summary[/+]

[+]Kvrocks uses a Lua library (RocksLabs/lua) that contains a stack buffer overflow vulnerability (CVE-2024-31449), originally from Redis's Lua bit library. The bit.tohex() function does not check for INT32_MIN before negation, causing signed integer overflow and stack buffer overflow.[/+]
[+]## Details[/+]
[+]- CVE: CVE-2024-31449[/+]
[+]- Vulnerable Code: src/lua_bit.c in RocksLabs/lua (commit f458c3d7)[/+]
[+]- Root Cause: INT32_MIN negation causes undefined behavior and buffer overflow[/+]
[+]## Reproduction[/+]
[+][/+] [+]redis-cli -p 6666 EVAL "return bit.tohex(65535, -2147483648)" 0[/+] [+][/+]
[+]## Fix[/+]
[+]Add if (n == INT32_MIN) n = INT32_MIN+1; before if (n < 0) { n = -n; ... } in bit_tohex().[/+]
[+]Upstream Redis fix: redis/redis@1f7c148

[jihuayu]

Thank you for your report!

[jinchengyang98]

Thank you for confirming and addressing this vulnerability.

Since this is a security-sensitive issue (CVE-2024-31449, CVSS 8.8 High), would you consider creating a GitHub Security Advisory for it? As an Apache project, you can request a CVE ID through GitHub's CNA service:

1. Go to Security tab → Advisories → New draft advisory
2. Fill in the vulnerability details and affected versions
3. Check Request CVE ID
4. Publish the advisory

This would help downstream users and package managers (e.g., Dependabot, OSV) automatically detect and track the vulnerability.

Thank you for your quick response on this!

[jinchengyang98]

Hi @jihuayu @git-hulk,

I noticed that this repository does not have Private Vulnerability Reporting enabled and has no GitHub Security Advisories (GHSA) published yet.

Since CVE-2024-31449 and CVE-2025-49844 are confirmed security vulnerabilities (one of which was discovered at Pwn2Own), would the team consider:

1. Enabling Private Vulnerability Reporting in Settings → Code security → Private vulnerability reporting
2. Creating GitHub Security Advisories for these two CVEs and requesting CVE IDs through GitHub CNA

This would help the ecosystem (package managers, vulnerability scanners like Trivy/Snyk/Dependabot) automatically detect and flag affected Kvrocks installations.

As an Apache project, having formal security advisories would also align with Apache Security Team best practices.

Thank you!