patch 9.1.0764: [security]: use-after-free when closing a buffer v9.1.0764
authorChristian Brabandt <cb@256bit.org>
Sun, 6 Oct 2024 15:31:10 +0000 (17:31 +0200)
committerChristian Brabandt <cb@256bit.org>
Sun, 6 Oct 2024 15:36:31 +0000 (17:36 +0200)
Problem:  [security]: use-after-free when closing a buffer
Solution: When splitting the window and editing a new buffer,
          check whether the buffer about to be edited has been marked
          for deletion and abort in that case

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/buffer.c
src/ex_cmds.c
src/proto/buffer.pro
src/testdir/test_autocmd.vim
src/version.c

index 34500e4abc28215cb85574147ba34b7dceac6bed..90be301e857083f0f51d319e2627a1ddddf1980b 100644 (file)
@@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
     return can_unload;
 }
 
+    int
+buf_locked(buf_T *buf)
+{
+    return buf->b_locked || buf->b_locked_split;
+}
+
 /*
  * Close the link to a buffer.
  * "action" is used when there is no longer a window for the buffer.
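Review bot: buf_locked() at the top of the hunk has no header comment, while the neighbouring functions in buffer.c carry a `/* ... */` block describing their purpose; add one so readers know which two flags it folds together, e.g. `/* Return TRUE if "buf" is locked: b_locked or b_locked_split is set. */`. It dereferences buf unconditionally, so callers must not pass NULL; the new do_ecmd caller guarantees this by its preceding NULL check, and stating that requirement in the comment keeps future callers honest.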
index acddd9c38ea5e1764c9a354fa2abf5759327f905..b990de444b8712332a7f768d58473b6c276f5c82 100644 (file)
@@ -2743,6 +2743,18 @@ do_ecmd(
        }
        if (buf == NULL)
            goto theend;
+       // autocommands try to edit a file that is goind to be removed,
+       // abort
+       if (buf_locked(buf))
+       {
+           // window was split, but not editing the new buffer,
+           // reset b_nwindows again
+           if (oldwin == NULL
+                   && curwin->w_buffer != NULL
+                   && curwin->w_buffer->b_nwindows > 1)
+               --curwin->w_buffer->b_nwindows;
+           goto theend;
+       }
        if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
            // reusing the buffer, keep the old alternate file
            curwin->w_alt_fnum = prev_alt_fnum;
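Review bot: The comment above the new guard misspells "going" as "goind"; change it to `// autocommands try to edit a file that is going to be removed, abort`. The guard then jumps to theend without reporting anything, so a user whose autocommand tripped it sees the :edit silently do nothing; consider whether an error message is warranted here, in line with how other locked-buffer aborts in vim report themselves (verify against existing conventions). do_ecmd begins and ends outside this hunk, so the split path that incremented b_nwindows and the cleanup at theend cannot be checked from here; the `> 1` condition presumably avoids an underflow when no split happened, but confirm it mirrors the earlier split code.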
index 3a6102789ed5cf6e5c57082b8f96e1ba624c1986..dc68ca8fc123f4e730e33f16b49481c51038251f 100644 (file)
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
 void set_buflisted(int on);
 int buf_contents_changed(buf_T *buf);
 void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
 /* vim: set ft=c : */
index fc6f377cf50555381c9184b34bc397315ce0000c..31ebc1bcbbcf9ce43cf09e8128ab609c4245a447 100644 (file)
@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
   endtry
 endfunc
 
+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+  new
+  let fname = 'XXXBufWinLeaveUAF.txt'
+  let dummy = 'XXXDummy.txt'
+  call writefile([], fname)
+  call writefile([], dummy)
+  defer delete(fname)
+  defer delete(dummy)
+  exe "e " fname
+  vsp
+  augroup testing
+    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+  augroup END
+  bw
+  call CleanUpTestAuGroup()
+  exe "bw! " .. dummy
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
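Review bot: The new test only proves the sequence no longer crashes (which in practice depends on a sanitizer build to catch the use-after-free); it does not assert the outcome of the guarded path. Consider adding `call assert_false(bufexists(fname))` after `bw`, so a regression that lets the autocommand re-edit the buffer being wiped fails visibly in a plain build too; confirm that is indeed the expected end state once the abort works. Also `exe "e " fname` relies on :execute's implicit space-join while the au line uses `..`, so `exe "e " .. fname` would be the consistent form.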
index 2f37123e482cd757bf861f580f869ca6a106eb77..c8559ef452d43e17146d37d577943541e0a8ed48 100644 (file)
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    764,
 /**/
     763,
 /**/