CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c

Resolves: CVE-2022-0443
2022-02-10 09:01:01 +01:00 · 2022-02-10 09:01:01 +01:00 · 9084c65312
commit 9084c65312
parent b3c80bdcc6
2 changed files with 79 additions and 0 deletions
--- a/0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
+++ b/0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
@ -0,0 +1,75 @@
 diff -up vim82/src/buffer.c.cve0443 vim82/src/buffer.c
 --- vim82/src/buffer.c.cve0443	2021-03-22 10:02:42.000000000 +0100
 +++ vim82/src/buffer.c	2022-02-10 08:33:19.159488384 +0100
@@ -1710,6 +1710,7 @@ set_curbuf(buf_T *buf, int action)
 #endif
     bufref_T	newbufref;
     bufref_T	prevbufref;
 +    int		valid;
     setpcmark();
     if ((cmdmod.cmod_flags & CMOD_KEEPALT) == 0)
@@ -1763,13 +1764,19 @@ set_curbuf(buf_T *buf, int action)
     // An autocommand may have deleted "buf", already entered it (e.g., when
     // it did ":bunload") or aborted the script processing.
     // If curwin->w_buffer is null, enter_buffer() will make it valid again
 -    if ((buf_valid(buf) && buf != curbuf
 +    valid = buf_valid(buf);
 +    if ((valid && buf != curbuf
 #ifdef FEAT_EVAL
 		&& !aborting()
 #endif
 	) || curwin->w_buffer == NULL)
     {
 -	enter_buffer(buf);
 +	// If the buffer is not valid but curwin->w_buffer is NULL we must
 +	// enter some buffer.  Using the last one is hopefully OK.
 +	if (!valid)
 +	    enter_buffer(lastbuf);
 +	else
 +	    enter_buffer(buf);
 #ifdef FEAT_SYN_HL
 	if (old_tw != curbuf->b_p_tw)
 	    check_colorcolumn(curwin);
@@ -2286,8 +2293,7 @@ free_buf_options(
     clear_string_option(&buf->b_p_vsts);
     vim_free(buf->b_p_vsts_nopaste);
     buf->b_p_vsts_nopaste = NULL;
 -    vim_free(buf->b_p_vsts_array);
 -    buf->b_p_vsts_array = NULL;
 +    VIM_CLEAR(buf->b_p_vsts_array);
     clear_string_option(&buf->b_p_vts);
     VIM_CLEAR(buf->b_p_vts_array);
 #endif
 diff -up vim82/src/testdir/test_quickfix.vim.cve0443 vim82/src/testdir/test_quickfix.vim
 --- vim82/src/testdir/test_quickfix.vim.cve0443	2021-03-22 10:02:42.000000000 +0100
 +++ vim82/src/testdir/test_quickfix.vim	2022-02-10 08:34:10.288204457 +0100
@@ -923,6 +923,7 @@ func Test_locationlist_curwin_was_closed
   call assert_fails('lrewind', 'E924:')
   augroup! testgroup
 +  delfunc R
 endfunc
 func Test_locationlist_cross_tab_jump()
@@ -5372,4 +5373,20 @@ func Test_vimgrep_noswapfile()
   set swapfile
 endfunc
 +" Weird sequence of commands that caused entering a wiped-out buffer
 +func Test_lopen_bwipe()
 +  func R()
 +    silent! tab lopen
 +    e x
 +    silent! lfile
 +  endfunc
 +
 +  cal R()
 +  cal R()
 +  cal R()
 +  bw!
 +  delfunc R
 +endfunc
 +
 +
 " vim: shiftwidth=2 sts=2 expandtab
--- a/vim.spec
+++ b/vim.spec
@ -106,6 +106,8 @@ Patch3036: 0001-patch-8.2.4245-retab-0-may-cause-illegal-memory-acce.patch
 Patch3037: 0001-patch-8.2.4247-stack-corruption-when-looking-for-spe.patch
 # CVE-2022-0413 vim: use after free in src/ex_cmds.c
 Patch3038: 0001-patch-8.2.4253-using-freed-memory-when-substitute-wi.patch
 # CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
 Patch3039: 0001-patch-8.2.4281-using-freed-memory-with-lopen-and-bwi.patch
 # gcc is no longer in buildroot by default
 BuildRequires: gcc
@ -331,6 +333,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk
 %patch3036 -p1 -b .cve0417
 %patch3037 -p1 -b .cve0408
 %patch3038 -p1 -b .cve0413
 %patch3039 -p1 -b .cve0443
 %build
 cd src
@ -890,6 +893,7 @@ touch %{buildroot}/%{_datadir}/%{name}/vimfiles/doc/tags
 %changelog
 * Thu Feb 10 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0413 vim: use after free in src/ex_cmds.c
 - CVE-2022-0443 vim: heap-use-after-free in enter_buffer() of src/buffer.c
 * Wed Feb 09 2022 Zdenek Dohnal <zdohnal@redhat.com> - 2:8.2.2637-12
 - CVE-2022-0368 vim: Out-of-bounds Read in vim