fix CVE-2024-47814
This commit is contained in:
changtao
parent
7670ef8265
commit
53395f0e5f
117
fix-CVE-2024-47814.patch
Normal file
117
fix-CVE-2024-47814.patch
Normal file
@ -0,0 +1,117 @@
|
||||
From 51b62387be93c65fa56bbabe1c3c1ea5df187641 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Brabandt <cb@256bit.org>
|
||||
Date: Tue, 8 Oct 2024 09:24:30 +0800
|
||||
Subject: [PATCH] fix CVE-2024-47814
|
||||
|
||||
Problem: [security]: use-after-free when closing a buffer
|
||||
Solution: When splitting the window and editing a new buffer,
|
||||
check whether the newly to be edited buffer has been marked
|
||||
for deletion and abort in this case
|
||||
|
||||
Github Advisory:
|
||||
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
|
||||
|
||||
Signed-off-by: Christian Brabandt <cb@256bit.org>
|
||||
|
||||
---
|
||||
src/buffer.c | 6 ++++++
|
||||
src/ex_cmds.c | 12 ++++++++++++
|
||||
src/proto/buffer.pro | 1 +
|
||||
src/testdir/test_autocmd.vim | 19 +++++++++++++++++++
|
||||
src/version.c | 2 ++
|
||||
5 files changed, 40 insertions(+)
|
||||
|
||||
diff --git a/src/buffer.c b/src/buffer.c
|
||||
index 260d22e..6bdb7a6 100644
|
||||
--- a/src/buffer.c
|
||||
+++ b/src/buffer.c
|
||||
@@ -496,6 +496,12 @@ can_unload_buffer(buf_T *buf)
|
||||
return can_unload;
|
||||
}
|
||||
|
||||
+ int
|
||||
+buf_locked(buf_T *buf)
|
||||
+{
|
||||
+ return buf->b_locked || buf->b_locked_split;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Close the link to a buffer.
|
||||
* "action" is used when there is no longer a window for the buffer.
|
||||
diff --git a/src/ex_cmds.c b/src/ex_cmds.c
|
||||
index 46c4503..31cef2a 100644
|
||||
--- a/src/ex_cmds.c
|
||||
+++ b/src/ex_cmds.c
|
||||
@@ -2740,6 +2740,18 @@ do_ecmd(
|
||||
}
|
||||
if (buf == NULL)
|
||||
goto theend;
|
||||
+ // autocommands try to edit a file that is goind to be removed,
|
||||
+ // abort
|
||||
+ if (buf_locked(buf))
|
||||
+ {
|
||||
+ // window was split, but not editing the new buffer,
|
||||
+ // reset b_nwindows again
|
||||
+ if (oldwin == NULL
|
||||
+ && curwin->w_buffer != NULL
|
||||
+ && curwin->w_buffer->b_nwindows > 1)
|
||||
+ --curwin->w_buffer->b_nwindows;
|
||||
+ goto theend;
|
||||
+ }
|
||||
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
|
||||
// reusing the buffer, keep the old alternate file
|
||||
curwin->w_alt_fnum = prev_alt_fnum;
|
||||
diff --git a/src/proto/buffer.pro b/src/proto/buffer.pro
|
||||
index 3a61027..dc68ca8 100644
|
||||
--- a/src/proto/buffer.pro
|
||||
+++ b/src/proto/buffer.pro
|
||||
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
|
||||
void set_buflisted(int on);
|
||||
int buf_contents_changed(buf_T *buf);
|
||||
void wipe_buffer(buf_T *buf, int aucmd);
|
||||
+int buf_locked(buf_T *buf);
|
||||
/* vim: set ft=c : */
|
||||
diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
|
||||
index 0652a6f..3abde1e 100644
|
||||
--- a/src/testdir/test_autocmd.vim
|
||||
+++ b/src/testdir/test_autocmd.vim
|
||||
@@ -4311,4 +4311,23 @@ func Test_autocmd_shortmess()
|
||||
delfunc SetupVimTest_shm
|
||||
endfunc
|
||||
|
||||
+" This was using freed memory
|
||||
+func Test_autocmd_BufWinLeave_with_vsp()
|
||||
+ new
|
||||
+ let fname = 'XXXBufWinLeaveUAF.txt'
|
||||
+ let dummy = 'XXXDummy.txt'
|
||||
+ call writefile([], fname)
|
||||
+ call writefile([], dummy)
|
||||
+ defer delete(fname)
|
||||
+ defer delete(dummy)
|
||||
+ exe "e " fname
|
||||
+ vsp
|
||||
+ augroup testing
|
||||
+ exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
|
||||
+ augroup END
|
||||
+ bw
|
||||
+ call CleanUpTestAuGroup()
|
||||
+ exe "bw! " .. dummy
|
||||
+endfunc
|
||||
+
|
||||
" vim: shiftwidth=2 sts=2 expandtab
|
||||
diff --git a/src/version.c b/src/version.c
|
||||
index 10916ed..286a45f 100644
|
||||
--- a/src/version.c
|
||||
+++ b/src/version.c
|
||||
@@ -704,6 +704,8 @@ static char *(features[]) =
|
||||
|
||||
static int included_patches[] =
|
||||
{ /* Add new patch number below this line */
|
||||
+/**/
|
||||
+ 679,
|
||||
/**/
|
||||
678,
|
||||
/**/
|
||||
--
|
||||
2.43.0
|
||||
|
||||
9
vim.spec
9
vim.spec
@ -14,7 +14,7 @@
|
||||
Name: vim
|
||||
Epoch: 2
|
||||
Version: %{baseversion}.%{patchlevel}
|
||||
Release: 11
|
||||
Release: 12
|
||||
Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
|
||||
License: Vim and MIT
|
||||
URL: http://www.vim.org
|
||||
@ -52,6 +52,7 @@ Patch6017: backport-CVE-2024-43374.patch
|
||||
Patch6018: backport-CVE-2024-43802.patch
|
||||
|
||||
Patch9000: bugfix-rm-modify-info-version.patch
|
||||
Patch9001: fix-CVE-2024-47814.patch
|
||||
|
||||
BuildRequires: autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
|
||||
BuildRequires: perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
|
||||
@ -457,6 +458,12 @@ LC_ALL=en_US.UTF-8 make -j1 test || echo "Warning: Please check tests."
|
||||
%{_mandir}/man1/evim.*
|
||||
|
||||
%changelog
|
||||
* Tue Oct 08 2024 changtao <changtao@kylinos.cn> - 2:9.0.2092-12
|
||||
- Type:CVE
|
||||
- ID:CVE-2024-47814
|
||||
- SUG:NA
|
||||
- DESC:fix CVE-2024-47814
|
||||
|
||||
* Thu Aug 29 2024 wangjiang <app@cameyan.com> - 2:9.0.2092-11
|
||||
- Type:CVE
|
||||
- ID:CVE-2024-43802
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user