CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c

Resolves: CVE-2022-0443
2022-02-10 09:01:01 +01:00 · 2022-02-10 09:01:01 +01:00 · 9084c65312
commit 9084c65312
parent b3c80bdcc6
2 changed files with 79 additions and 0 deletions
--- a/0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+++ b/0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
@ -0,0 +1,75 @@
+diff -up vim82/src/buffer.c.cve0443 vim82/src/buffer.c
+--- vim82/src/buffer.c.cve0443	2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/buffer.c	2022-02-10 08:33:19.159488384 +0100
+@@ -1710,6 +1710,7 @@ set_curbuf(buf_T *buf, int action)
+ #endif
+     bufref_T	newbufref;
+     bufref_T	prevbufref;
+    int		valid;
+ 
+     setpcmark();
+     if ((cmdmod.cmod_flags & CMOD_KEEPALT) == 0)
+@@ -1763,13 +1764,19 @@ set_curbuf(buf_T *buf, int action)
+     // An autocommand may have deleted "buf", already entered it (e.g., when
+     // it did ":bunload") or aborted the script processing.
+     // If curwin->w_buffer is null, enter_buffer() will make it valid again
+-    if ((buf_valid(buf) && buf != curbuf
+    valid = buf_valid(buf);
+    if ((valid && buf != curbuf
+ #ifdef FEAT_EVAL
+ 		&& !aborting()
+ #endif
+ 	) || curwin->w_buffer == NULL)
+     {
+-	enter_buffer(buf);
+	// If the buffer is not valid but curwin->w_buffer is NULL we must
+	// enter some buffer.  Using the last one is hopefully OK.
+	if (!valid)
+	    enter_buffer(lastbuf);
+	else
+	    enter_buffer(buf);
+ #ifdef FEAT_SYN_HL
+ 	if (old_tw != curbuf->b_p_tw)
+ 	    check_colorcolumn(curwin);
+@@ -2286,8 +2293,7 @@ free_buf_options(
+     clear_string_option(&buf->b_p_vsts);
+     vim_free(buf->b_p_vsts_nopaste);
+     buf->b_p_vsts_nopaste = NULL;
+-    vim_free(buf->b_p_vsts_array);
+-    buf->b_p_vsts_array = NULL;
+    VIM_CLEAR(buf->b_p_vsts_array);
+     clear_string_option(&buf->b_p_vts);
+     VIM_CLEAR(buf->b_p_vts_array);
+ #endif
+diff -up vim82/src/testdir/test_quickfix.vim.cve0443 vim82/src/testdir/test_quickfix.vim
+--- vim82/src/testdir/test_quickfix.vim.cve0443	2021-03-22 10:02:42.000000000 +0100
+++ vim82/src/testdir/test_quickfix.vim	2022-02-10 08:34:10.288204457 +0100
+@@ -923,6 +923,7 @@ func Test_locationlist_curwin_was_closed
+   call assert_fails('lrewind', 'E924:')
+ 
+   augroup! testgroup
+  delfunc R
+ endfunc
+ 
+ func Test_locationlist_cross_tab_jump()
+@@ -5372,4 +5373,20 @@ func Test_vimgrep_noswapfile()
+   set swapfile
+ endfunc
+ 
+" Weird sequence of commands that caused entering a wiped-out buffer
+func Test_lopen_bwipe()
+  func R()
+    silent! tab lopen
+    e x
+    silent! lfile
+  endfunc
+
+  cal R()
+  cal R()
+  cal R()
+  bw!
+  delfunc R
+endfunc
+
+
+ " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -106,6 +106,8 @@ Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
 Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 # CVE-2022-0413 vim: use after free in src/ex_cmds.c
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
+# CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
+Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch

 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -331,6 +333,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3036 -p1 -b .cve0417
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
+%patch3039 -p1 -b .cve0443

 %build
 cd src
@ -890,6 +893,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
+- CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c

 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim