thac0/vim
1
0
Fork 0
forked from aniani/vim
Code Activity

patch 9.0.2158: [security]: use-after-free in check_argument_type

Browse Source 
Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: #13652

Signed-off-by: Christian Brabandt <cb@256bit.org>
This commit is contained in:
Christian Brabandt
2023-12-11 17:53:25 +01:00
parent e4a450a87b
commit 0f28791b21
6 changed files with 24 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
src/proto/vim9type.pro
View File

@@ -2,6 +2,7 @@
type_T *get_type_ptr(garray_T *type_gap); type_T *get_type_ptr(garray_T *type_gap);
type_T *copy_type(type_T *type, garray_T *type_gap); type_T *copy_type(type_T *type, garray_T *type_gap);
void clear_type_list(garray_T *gap); void clear_type_list(garray_T *gap);
void clear_func_type_list(garray_T *gap, type_T **func_type);
type_T *alloc_type(type_T *type); type_T *alloc_type(type_T *type);
void free_type(type_T *type); void free_type(type_T *type);
void set_tv_type(typval_T *tv, type_T *type); void set_tv_type(typval_T *tv, type_T *type);

BIN
src/testdir/crash/poc_uaf_check_argument_types Normal file
View File

Binary file not shown.

6
src/testdir/test_crash.vim
View File

@@ -184,6 +184,12 @@ func Test_crash1_3()
call term_sendkeys(buf, args) call term_sendkeys(buf, args)
call TermWait(buf, 150) call TermWait(buf, 150)
let file = 'crash/poc_uaf_check_argument_types'
let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
let args = printf(cmn_args, vim, file)
call term_sendkeys(buf, args)
call TermWait(buf, 150)
" clean up " clean up
exe buf .. "bw!" exe buf .. "bw!"
bw! bw!

4
src/userfunc.c
View File

@@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp)
VIM_CLEAR(fp->uf_arg_types); VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_block_ids); VIM_CLEAR(fp->uf_block_ids);
VIM_CLEAR(fp->uf_va_name); VIM_CLEAR(fp->uf_va_name);
clear_type_list(&fp->uf_type_list); clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
// Increment the refcount of this function to avoid it being freed // Increment the refcount of this function to avoid it being freed
// recursively when the partial is freed. // recursively when the partial is freed.
@@ -5435,7 +5435,7 @@ errret_2:
{ {
VIM_CLEAR(fp->uf_arg_types); VIM_CLEAR(fp->uf_arg_types);
VIM_CLEAR(fp->uf_va_name); VIM_CLEAR(fp->uf_va_name);
clear_type_list(&fp->uf_type_list); clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
} }
if (free_fp) if (free_fp)
VIM_CLEAR(fp); VIM_CLEAR(fp);

2
src/version.c
View File

@@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] = static int included_patches[] =
{ /* Add new patch number below this line */ { /* Add new patch number below this line */
/**/
2158,
/**/ /**/
2157, 2157,
/**/ /**/

13
src/vim9type.c
View File

@@ -122,6 +122,19 @@ clear_type_list(garray_T *gap)
ga_clear(gap); ga_clear(gap);
} }
void
clear_func_type_list(garray_T *gap, type_T **func_type)
{
while (gap->ga_len > 0)
{
// func_type pointing to the uf_type_list, so reset pointer
if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len])
*func_type = &t_func_any;
vim_free(((type_T **)gap->ga_data)[gap->ga_len]);
}
ga_clear(gap);
}
/* /*
* Take a type that is using entries in a growarray and turn it into a type * Take a type that is using entries in a growarray and turn it into a type
* with allocated entries. * with allocated entries.