patch 9.0.2158: [security]: use-after-free in check_argument_type

Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: #13652

Signed-off-by: Christian Brabandt <cb@256bit.org>

diff --git a/src/proto/vim9type.pro b/src/proto/vim9type.pro
index 85cc96fb23087ef4c390e7a0269f5dfce9177aea..1643e0c0fb9dedab3bd2682fa4e3ea923707dd1c 100644 (file)
--- a/src/proto/vim9type.pro
+++ b/src/proto/vim9type.pro
@@ -2,6 +2,7 @@
 type_T *get_type_ptr(garray_T *type_gap);
 type_T *copy_type(type_T *type, garray_T *type_gap);
 void clear_type_list(garray_T *gap);
+void clear_func_type_list(garray_T *gap, type_T **func_type);
 type_T *alloc_type(type_T *type);
 void free_type(type_T *type);
 void set_tv_type(typval_T *tv, type_T *type);

diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types
new file mode 100644 (file)
index 0000000..83a2e7b
Binary files /dev/null and b/src/testdir/crash/poc_uaf_check_argument_types differ

diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 242da8e5db457be333f7a17cb708689a34bb5711..fd786e5d545eefacedef4b5cef66198b3bb4d50f 100644 (file)
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -184,6 +184,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/poc_uaf_check_argument_types'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!

diff --git a/src/userfunc.c b/src/userfunc.c
index e2b1bc3226d52444f2031d241e426cbf142d0c6e..410658b1eacc1bfa67678c66601cb0b5ac6c1b88 100644 (file)
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp)
     VIM_CLEAR(fp->uf_arg_types);
     VIM_CLEAR(fp->uf_block_ids);
     VIM_CLEAR(fp->uf_va_name);
-    clear_type_list(&fp->uf_type_list);
+    clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
 
     // Increment the refcount of this function to avoid it being freed
     // recursively when the partial is freed.
@@ -5435,7 +5435,7 @@ errret_2:
     {
        VIM_CLEAR(fp->uf_arg_types);
        VIM_CLEAR(fp->uf_va_name);
-       clear_type_list(&fp->uf_type_list);
+       clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
     }
     if (free_fp)
        VIM_CLEAR(fp);

diff --git a/src/version.c b/src/version.c
index 919f42f2d3647eb8c15e40beb07979b12174b8b6..4bb1c90bae4753714f9b553c0f260d6dee7ff247 100644 (file)
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2158,
 /**/
     2157,
 /**/

diff --git a/src/vim9type.c b/src/vim9type.c
index a142a7b9c3b9500d1c1c031aa3a51ee82ee23c6c..fec2bf9d3ed6c454eb5afe7bf2a812fb1e13573a 100644 (file)
--- a/src/vim9type.c
+++ b/src/vim9type.c
@@ -122,6 +122,19 @@ clear_type_list(garray_T *gap)
     ga_clear(gap);
 }
 
+    void
+clear_func_type_list(garray_T *gap, type_T **func_type)
+{
+    while (gap->ga_len > 0)
+    {
+       // func_type pointing to the uf_type_list, so reset pointer
+       if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len])
+           *func_type = &t_func_any;
+       vim_free(((type_T **)gap->ga_data)[gap->ga_len]);
+    }
+    ga_clear(gap);
+}
+
 /*
  * Take a type that is using entries in a growarray and turn it into a type
  * with allocated entries.