patch 9.2.0671: [security]: possible out-of-bounds read with sodium encrypted files v9.2.0671
authorChristian Brabandt <cb@256bit.org>
Thu, 18 Jun 2026 18:41:16 +0000 (18:41 +0000)
committerChristian Brabandt <cb@256bit.org>
Thu, 18 Jun 2026 18:41:16 +0000 (18:41 +0000)
Problem:  [security]: possible out-of-bounds read with sodium encrypted
          files (cipher-creator)
Solution: Verify that there is enough space before calling
          crypto_secretstream_xchacha20poly1305_init_pull()

Github Security Advisory:
https://github.com/vim/vim/security/advisories/GHSA-c4j9-wr9j-4486

Supported by AI

Signed-off-by: Christian Brabandt <cb@256bit.org>
src/crypt.c
src/testdir/test_crypt.vim
src/version.c

index 2fade5db9d6cf5ae1db1621feef452ca67d244d7..879ecbf6ce3f64ed76206768d45d16773bf4d5cd 100644 (file)
@@ -1262,7 +1262,8 @@ crypt_sodium_buffer_decode(
 
     if (sod_st->count == 0)
     {
-       if (crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
+       if (len < crypto_secretstream_xchacha20poly1305_HEADERBYTES ||
+               crypto_secretstream_xchacha20poly1305_init_pull(&sod_st->state,
                                                       from, sod_st->key) != 0)
        {
            emsg(_(e_libsodium_decryption_failed_header_incomplete));
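Review bot: The added `len < crypto_secretstream_xchacha20poly1305_HEADERBYTES` test in the `sod_st->count == 0` branch has no comment saying why it must come first. `crypto_secretstream_xchacha20poly1305_init_pull()` is handed `from` with no length argument, so this caller is the only place the header read can be bounded. A one-line comment above the condition would stop a later refactor from reordering or dropping it, e.g. `// init_pull() takes no length and reads HEADERBYTES from "from"; bound it here`. The guard still admits `len` exactly equal to the header size, which leaves an empty body. The code that advances `from` and reduces `len` lies outside this hunk, so it is worth confirming that path rejects a zero-length ciphertext.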
index d540fbbd626abda712e3d890f3f2990a25940d22..5c9dfe3bafc8ff821ee21daa347856763ae7e715 100644 (file)
@@ -491,4 +491,28 @@ func Test_crypt_off_by_one()
   bwipe!
 endfunc
 
+func Test_crypt_sodium_short_body()
+  CheckFeature sodium
+  " A VimCrypt~04! file with a complete 36-byte header (12 magic + 16 salt +
+  " 8 seed) but a body shorter than one secretstream header (24 bytes) used to
+  " underflow the body length and crash with a wild out-of-bounds read in
+  " crypto_secretstream_xchacha20poly1305_pull().  It must now fail cleanly.
+  " Bytes: "VimCrypt~04!" + 16 salt + 8 seed + 8-byte body = 44 bytes.
+  call writefile(0z56696D43727970747E303421
+        \ + 0zA0A1A2A3A4A5A6A7A8A9AAABACADAEAF
+        \ + 0zB0B1B2B3B4B5B6B7
+        \ + 0z0000000000000000, 'Xtest_sodium_short')
+
+  let v:errmsg = ''
+  try
+  call feedkeys(":split Xtest_sodium_short\<CR>foobar\<CR>", "xt")
+  catch /^Vim\%((\S\+)\)\=:E1198:/
+    " no-op
+  endtry
+
+  bwipe!
+  call delete('Xtest_sodium_short')
+  set key=
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
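Review bot: Test_crypt_sodium_short_body() passes whether or not E1198 is raised: the `catch` body is a no-op and `v:errmsg` is cleared but never read, so the test only shows that Vim did not crash. Record that the expected error was seen, for example `let caught = 0` before the `try`, `let caught = 1` inside the `catch`, and `call assert_equal(1, caught)` after `endtry`. That way a regression that quietly accepts the truncated file also fails the test. Because `bwipe!`, `call delete('Xtest_sodium_short')` and `set key=` sit after `endtry` rather than in a `finally`, any other exception would skip the cleanup and leave the key set for later tests. The `call feedkeys(...)` line inside `try` is also not indented like the rest of the block.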
index 7d1c8885b68a02f141f6a24b166dae9e29390364..ba2f392d18b268bbe137f4bbef00f2ee437146a5 100644 (file)
@@ -759,6 +759,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    671,
 /**/
     670,
 /**/