patch 9.1.0647: [security] use-after-free in tagstack_clear_entry
Commit:
https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5
Author: Christian Brabandt <c...@256bit.org>
Date: Thu Aug 1 20:16:51 2024 +0200
patch 9.1.0647: [security] use-after-free in tagstack_clear_entry
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
Signed-off-by: Christian Brabandt <c...@256bit.org>
diff --git a/src/testdir/crash/double_free b/src/testdir/crash/double_free
new file mode 100644
index
0000000000000000000000000000000000000000..895c4a04b6ab1c2eabc80a486e52cabd7a99a5ea
GIT binary patch
literal 561
zcmY+BL2DC16vtm$FL@r)OM?`VNi5idX;=tFTegZ#(3FA_g$iA9XET#zWiz{-+3kcR
z+8h)-c<|7hpT_Uv_ZVMH6#QM@@PBXKoA)1nT!N}!;A@rCk*nK{qi~J@P`Y><JR?x0
zAV|1&|FSA+^(FFrgz2ezF`;5iu43ohexuRo5_JaC>8t4q{~#Di*6H;w(jtG~j{r!x
z#3aqYpoj+pgIo_KYyg;mrs*+t$*`Q-X0v(1u%E^Ti}j5W!>AYtFB0B)5P^C!=IhEP
z!)mp9s)zTK=uG0=i|@l@%s<Sw#dpkiFtYeivUf;Wt9iDdzH+a;E5nfHv39U$u+p`-
zy`X8qU9<7m3w*P+TyH$oGUGzb%*<mqBQ2Svvu4cyALoFdE!Q~b$sLclJbYQ^$ED35
zlxbTnLw|+^nXM$Le-y@;3h4_-ZT)Jk(9SOc!S(YbHsXk0xOUdTE%H10Np3G$lvvxI
zeCz1RRo+w5qD5FNyOP$cgZc_*xNoxLTA;~f?ZGGHMU9!I<@34hvoFKX(ax4FHgB9$
b@#Ju~e()5!l?r~Wt$4JK6w)H|eN?{zo!qIG
literal 0
HcmV?d00001
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index fd786e5d5..29061aa42 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -190,6 +190,12 @@ func Test_crash1_3()
call term_sendkeys(buf, args)
call TermWait(buf, 150)
+ let file = 'crash/double_free'
+ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args)
+ call TermWait(buf, 50)
+
" clean up
exe buf .. "bw!"
bw!
diff --git a/src/version.c b/src/version.c
index 4dc9948d9..0e49ebd7a 100644
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 647,
/**/
646,
/**/
diff --git a/src/window.c b/src/window.c
index 7ca29d46a..70c72bca7 100644
--- a/src/window.c
+++ b/src/window.c
@@ -5837,10 +5837,7 @@ win_free(
win_free_lsize(wp);
for (i = 0; i < wp->w_tagstacklen; ++i)
- {
- vim_free(wp->w_tagstack[i].tagname);
- vim_free(wp->w_tagstack[i].user_data);
- }
+ tagstack_clear_entry(&wp->w_tagstack[i]);
vim_free(wp->w_localdir);
vim_free(wp->w_prevdir);
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/vim_dev/E1sZcfb-008jVG-68%40256bit.org.
