!668 [sync] PR-664: fix-CVE-2024-47814
From: @openeuler-sync-bot Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
This commit is contained in:
openeuler-ci-bot
Gitee
commit
a90f26f536
118
fix-CVE-2024-47814.patch
Normal file
118
fix-CVE-2024-47814.patch
Normal file
@ -0,0 +1,118 @@
|
||||
From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Tue, 8 Oct 2024 09:09:11 +0800
|
||||
Subject: [PATCH] fix CVE-2024-47814
|
||||
|
||||
Problem: [security]: use-after-free when closing a buffer
|
||||
Solution: When splitting the window and editing a new buffer,
|
||||
check whether the newly to be edited buffer has been marked
|
||||
for deletion and abort in this case
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
|
||||
---
|
||||
src/buffer.c | 7 +++++++
|
||||
src/ex_cmds.c | 12 ++++++++++++
|
||||
src/proto/buffer.pro | 1 +
|
||||
src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
|
||||
src/version.c | 2 ++
|
||||
5 files changed, 41 insertions(+)
|
||||
|
||||
diff --git a/src/buffer.c b/src/buffer.c
|
||||
index 8ea57f7..1f71e38 100644
|
||||
--- a/src/buffer.c
|
||||
+++ b/src/buffer.c
|
||||
@@ -470,6 +470,13 @@ can_unload_buffer(buf_T *buf)
|
||||
return can_unload;
|
||||
}
|
||||
|
||||
+ int
|
||||
+buf_locked(buf_T *buf)
|
||||
+{
|
||||
+ return buf->b_locked || buf->b_locked_split;
|
||||
+}
|
||||
+
|
||||
+
|
||||
/*
|
||||
* Close the link to a buffer.
|
||||
* "action" is used when there is no longer a window for the buffer.
|
||||
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
|
||||
index 853df4b..92b5e9f 100644
|
||||
--- a/src/ex_cmds.c
|
||||
+++ b/src/ex_cmds.c
|
||||
@@ -2692,6 +2692,18 @@ do_ecmd(
|
||||
}
|
||||
if (buf == NULL)
|
||||
goto theend;
|
||||
+ // autocommands try to edit a file that is goind to be removed,
|
||||
+ // abort
|
||||
+ if (buf_locked(buf))
|
||||
+ {
|
||||
+ // window was split, but not editing the new buffer,
|
||||
+ // reset b_nwindows again
|
||||
+ if (oldwin == NULL
|
||||
+ && curwin->w_buffer != NULL
|
||||
+ && curwin->w_buffer->b_nwindows > 1)
|
||||
+ --curwin->w_buffer->b_nwindows;
|
||||
+ goto theend;
|
||||
+ }
|
||||
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
|
||||
// reusing the buffer, keep the old alternate file
|
||||
curwin->w_alt_fnum = prev_alt_fnum;
|
||||
diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
|
||||
index 094feed..031e64a 100644
|
||||
--- a/src/proto/buffer.pro
|
||||
+++ b/src/proto/buffer.pro
|
||||
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
|
||||
void set_buflisted(int on);
|
||||
int buf_contents_changed(buf_T *buf);
|
||||
void wipe_buffer(buf_T *buf, int aucmd);
|
||||
+int buf_locked(buf_T *buf);
|
||||
/* vim: set ft=c : */
|
||||
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
|
||||
index d8738c8..e251112 100644
|
||||
--- a/src/testdir/test_autocmd.vim
|
||||
+++ b/src/testdir/test_autocmd.vim
|
||||
@@ -3633,4 +3633,23 @@ func Test_autocmd_split_dummy()
|
||||
call delete('Xerr')
|
||||
endfunc
|
||||
|
||||
+" This was using freed memory
|
||||
+func Test_autocmd_BufWinLeave_with_vsp()
|
||||
+ new
|
||||
+ let fname = 'XXXBufWinLeaveUAF.txt'
|
||||
+ let dummy = 'XXXDummy.txt'
|
||||
+ call writefile([], fname)
|
||||
+ call writefile([], dummy)
|
||||
+ defer delete(fname)
|
||||
+ defer delete(dummy)
|
||||
+ exe "e " fname
|
||||
+ vsp
|
||||
+ augroup testing
|
||||
+ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
|
||||
+ augroup END
|
||||
+ bw
|
||||
+ call CleanUpTestAuGroup()
|
||||
+ exe "bw! " .. dummy
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
diff --git a/src/version.c b/src/version.c
|
||||
index 2de8fd2..5946644 100644
|
||||
--- a/src/version.c
|
||||
+++ b/src/version.c
|
||||
@@ -735,6 +735,8 @@ static char *(features[]) =
|
||||
|
||||
static int included_patches[] =
|
||||
{ /* Add new patch number below this line */
|
||||
+/**/
|
||||
+ 679,
|
||||
/**/
|
||||
678,
|
||||
/**/
|
||||
--
|
||||
2.43.0
|
||||
|
||||
9
vim.spec
9
vim.spec
@ -12,7 +12,7 @@
|
||||
Name: vim
|
||||
Epoch: 2
|
||||
Version: 9.0
|
||||
Release: 27
|
||||
Release: 28
|
||||
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
|
||||
License: Vim and MIT
|
||||
URL: http://www.vim.org
|
||||
@ -129,6 +129,7 @@ Patch6099: backport-CVE-2024-43802.patch
|
||||
|
||||
Patch9000: bugfix-rm-modify-info-version.patch
|
||||
Patch9001: vim-Add-sw64-architecture.patch
|
||||
Patch9002: fix-CVE-2024-47814.patch
|
||||
|
||||
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
|
||||
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
|
||||
@ -536,6 +537,12 @@ LANG=en_US.UTF-8 make -j1 test
|
||||
%{_mandir}/man1/evim.*
|
||||
|
||||
%changelog
|
||||
* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0-28
|
||||
- Type:CVE
|
||||
- ID:CVE-2024-47814
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-47814
|
||||
|
||||
* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0-27
|
||||
- Type:CVE
|
||||
- ID:CVE-2024-43802
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user