patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer Commit: https://github.com/vim/vim/commit/b4074ead5cd8751f0460e157471028dbb77ca1e9 Author: Sean Dewar <6256228+seande...@users.noreply.github.com> Date: Sat May 10 14:30:36 2025 +0200
patch 9.1.1375: [security]: possible heap UAF with quickfix dummy buffer Problem: heap use-after-free possible when autocommands switch away from the quickfix dummy buffer, but leave it open in a window. Solution: close its windows first before attempting the wipe. (Sean Dewar) related: #17283 Signed-off-by: Sean Dewar <6256228+seande...@users.noreply.github.com> Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/quickfix.c b/src/quickfix.c
index 2271ae088..9fe79784f 100644
--- a/src/quickfix.c
+++ b/src/quickfix.c
@@ -7026,7 +7026,11 @@ load_dummy_buffer(
 aucmd_restbuf(&aco);
 if (newbuf_to_wipe.br_buf != NULL && bufref_valid(&newbuf_to_wipe))
- wipe_buffer(newbuf_to_wipe.br_buf, FALSE);
+ {
+ block_autocmds();
+ wipe_dummy_buffer(newbuf_to_wipe.br_buf, NULL);
+ unblock_autocmds();
+ }
 }
 // Add back the "dummy" flag, otherwise buflist_findname_stat() won't
@@ -7052,8 +7056,8 @@ load_dummy_buffer(
 /*
 * Wipe out the dummy buffer that load_dummy_buffer() created. Restores
- * directory to "dirname_start" prior to returning, if autocmds or the
- * 'autochdir' option have changed it.
+ * directory to "dirname_start" if not NULL prior to returning, if autocmds or
+ * the 'autochdir' option have changed it.
 */
 static void
 wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
@@ -7095,8 +7099,9 @@ wipe_dummy_buffer(buf_T *buf, char_u *dirname_start)
 // new aborting error, interrupt, or uncaught exception.
 leave_cleanup(&cs);
 #endif
- // When autocommands/'autochdir' option changed directory: go back.
- restore_start_dir(dirname_start);
+ if (dirname_start != NULL)
+ // When autocommands/'autochdir' option changed directory: go back.
+ restore_start_dir(dirname_start);
 }
 }
diff --git a/src/testdir/test_quickfix.vim b/src/testdir/test_quickfix.vim
index 54e3bb770..df4cc8011 100644
--- a/src/testdir/test_quickfix.vim
+++ b/src/testdir/test_quickfix.vim
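Review bot: The new block_autocmds()/unblock_autocmds() pair around wipe_dummy_buffer() carries no comment saying why autocommands must be suppressed at this point, and the NULL second argument silently opts out of the directory restore that wipe_dummy_buffer() otherwise performs. The removed wipe_buffer() call already passed FALSE, presumably for the same reason, so the intent appears to be that autocommands which already switched away from the dummy buffer must not get another chance to run while its remaining windows are closed and it is wiped. A comment such as `// Autocommands already left the dummy buffer; block them so they cannot interfere while its windows are closed and it is wiped.` plus `// NULL: the start directory is restored by load_dummy_buffer() itself.` would make both decisions checkable, assuming that restore does happen later in this function. load_dummy_buffer()'s body starts and ends outside the hunk.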
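Review bot: The rewritten header comment is hard to parse with its two "if" clauses ("if not NULL prior to returning, if autocmds or ..."), and it does not tell a caller what passing NULL means. Suggest rewording to `* the directory to "dirname_start" (when it is not NULL) before returning, in` / `* case autocmds or the 'autochdir' option changed it; with a NULL` / `* "dirname_start" the caller is expected to restore the directory itself.` The surrounding comment block is fully inside the hunk; the function body is not.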
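Review bot: The new `if (dirname_start != NULL)` guards a single unbraced statement with a comment line sitting between the condition and the statement, which is easy to misread and is the layout that goes wrong when a second statement is later added under the comment. Either brace the body or move the comment above the condition: `// When autocommands/'autochdir' option changed directory: go back.` then `if (dirname_start != NULL)` then `restore_start_dir(dirname_start);`. wipe_dummy_buffer() begins outside the hunk; the two closing braces at the end presumably close the enclosing block and the function.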
@@ -6899,4 +6899,26 @@ func Test_quickfix_close_buffer_crash()
 wincmd q
 endfunc
+func Test_vimgrep_dummy_buffer_crash()
+ augroup DummyCrash
+ autocmd!
+ " Make the dummy buffer non-current, but still open in a window.
+ autocmd BufReadCmd * ++once let s:dummy_buf = bufnr()
+ \| split | wincmd p | enew
+
+ " Autocmds from cleaning up the dummy buffer in this case should be blocked.
+ autocmd BufWipeout *
+ \ call assert_notequal(s:dummy_buf, str2nr(expand('<abuf>')))
+ augroup END
+
+ silent! vimgrep /./ .
+ redraw! " Window to freed dummy buffer used to remain; heap UAF.
+ call assert_equal([], win_findbuf(s:dummy_buf))
+ call assert_equal(0, bufexists(s:dummy_buf))
+
+ unlet! s:dummy_buf
+ autocmd! DummyCrash
+ %bw!
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
diff --git a/src/version.c b/src/version.c
index 236306eb2..11d75207a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 static int included_patches[] =
 {
 /* Add new patch number below this line */
+/**/
+ 1375,
 /**/
 1374,
 /**/
-- -- You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php --- You received this message because you are subscribed to the Google Groups "vim_dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to vim_dev+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/vim_dev/E1uDjZe-001wrD-TV%40256bit.org.