patch 9.1.0764: [security]: use-after-free when closing a buffer

Problem:  [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
          check whether the buffer about to be edited has been marked
          for deletion and abort in that case

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg

Signed-off-by: Christian Brabandt <cb@256bit.org>
Christian Brabandt
2024-10-06 17:31:10 +02:00
parent 818c641b6f
commit 51b62387be
5 changed files with 40 additions and 0 deletions


@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
return can_unload;
}
int
buf_locked(buf_T *buf)
{
return buf->b_locked || buf->b_locked_split;
}
/*
* Close the link to a buffer.
* "action" is used when there is no longer a window for the buffer.
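Review bot: The new `buf_locked()` has no header comment, unlike the function that follows it in this hunk, and nothing here says how `b_locked` differs from `b_locked_split` or why either one makes the buffer unsafe to edit. A short comment above the definition would cover it, for example `// Return TRUE when "buf" is locked (b_locked or b_locked_split set) and must not be edited or shown in a new window.`; the exact meaning of the two fields is declared outside this hunk, so the wording should be checked against their declarations. The function dereferences `buf` unconditionally, so the comment should also state that `buf` must be non-NULL; the caller added in this commit tests `buf == NULL` before calling it.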


@ -2743,6 +2743,18 @@ do_ecmd(
}
if (buf == NULL)
goto theend;
// autocommands try to edit a file that is goind to be removed,
// abort
if (buf_locked(buf))
{
// window was split, but not editing the new buffer,
// reset b_nwindows again
if (oldwin == NULL
&& curwin->w_buffer != NULL
&& curwin->w_buffer->b_nwindows > 1)
--curwin->w_buffer->b_nwindows;
goto theend;
}
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
// reusing the buffer, keep the old alternate file
curwin->w_alt_fnum = prev_alt_fnum;
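Review bot: The abort path under `if (buf_locked(buf))` corrects `b_nwindows` by inference rather than from recorded state. It treats `oldwin == NULL` as meaning the window was already split and `b_nwindows > 1` as meaning the count was incremented for that split, and neither assumption is established by the lines visible here. A one-line comment above the inner `if`, naming where the count was incremented and why `oldwin == NULL` identifies that case, would make the adjustment auditable; a wrong window count on a buffer is the kind of state that leads to a premature free. The first added comment has a typo, `goind` should read `going`. The body of do_ecmd starts and ends outside this hunk, so what the `theend` path returns or reports to the user cannot be judged from here.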


@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
void set_buflisted(int on);
int buf_contents_changed(buf_T *buf);
void wipe_buffer(buf_T *buf, int aucmd);
int buf_locked(buf_T *buf);
/* vim: set ft=c : */


@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
endtry
endfunc
" This was using freed memory
func Test_autocmd_BufWinLeave_with_vsp()
new
let fname = 'XXXBufWinLeaveUAF.txt'
let dummy = 'XXXDummy.txt'
call writefile([], fname)
call writefile([], dummy)
defer delete(fname)
defer delete(dummy)
exe "e " fname
vsp
augroup testing
exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
augroup END
bw
call CleanUpTestAuGroup()
exe "bw! " .. dummy
endfunc
" vim: shiftwidth=2 sts=2 expandtab
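Review bot: `Test_autocmd_BufWinLeave_with_vsp()` contains no assertion, so it fails only if Vim crashes or a memory checker such as ASan or Valgrind reports the freed-memory access; on a plain build it would presumably pass with or without the fix. Adding a state check after the `bw` would pin the intended behaviour, for instance an `assert_equal()` on `winnr('$')` or on `bufexists(dummy)`, with the expected value taken from a run of the fixed build. A comment such as `" Only detects the regression under ASan/Valgrind unless the assertions below fail` would tell the next maintainer why the body looks empty of checks. As a style point, the `exe "au BufWinLeave " ..` line mixes space-separated arguments with `..`; writing `" :e " .. dummy .. "| vsp " .. fname` would be consistent with the rest of that line.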


@ -704,6 +704,8 @@ static char *(features[]) =
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
764,
/**/
763,
/**/