annotate src/testdir/test_crash.vim @ 33187:201c54cdde82 v9.0.1873
patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both
Commit: https://github.com/vim/vim/commit/f6d28fe2c95c678cc3202cc5dc825a3fcc709e93
Author: Christian Brabandt <cb@256bit.org>
Date: Tue Sep 5 20:18:06 2023 +0200
patch 9.0.1873: [security] heap-buffer-overflow in vim_regsub_both
Problem: heap-buffer-overflow in vim_regsub_both
Solution: Disallow exchanging windows when textlock is active
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Tue, 05 Sep 2023 20:30:04 +0200 |
parents | 1ee65fdbd791 |
children | 256febd1cbf0 |
" Regression tests that replay inputs which used to crash Vim.
"
" The helper scripts are sourced first; the commands and functions used
" further down (CheckScreendump, CheckNotBSD, RunVimInTerminal, ...) are not
" defined in this file, so presumably they come from these two scripts.
source check.vim
source screendump.vim

" NOTE(review): this check sits at file level, so it presumably gates every
" test in the file, including Test_crash1(), which takes no screendump.
" On a build where the check fails, the memory-safety regression tests
" below would then not run at all - confirm that this is intended.
CheckScreendump
func Test_crash1()
  " Replays a series of proof-of-concept scripts from the crash/ directory,
  " each in a separate Vim process started from a shell running in a
  " terminal window.  After every run the shell appends a 'crash N: [OK]'
  " marker to X_crash1_result.txt; at the end the file must contain exactly
  " the seven markers, in order.
  "
  " Annotate data on the page attributes the function to patch 9.0.1840
  " ([security] use-after-free in do_ecmd); the later PoC steps name their
  " own patch in the comments below.
  CheckNotBSD

  if !executable('sh')
    throw 'Skipped: sh not executable!'
  endif

  " The following used to crash Vim
  let vimprog = GetVimProg()
  let term_opts = {'cmd': 'sh'}
  let buf = RunVimInTerminal('sh', term_opts)

  " First %s is the Vim binary, second %s the PoC script.  The child Vim
  " skips vimrc (-u NONE) and viminfo (-i NONE), uses no swap file (-n),
  " runs in silent Ex mode (-e -s), sources the PoC (-S) and then quits.
  let run_fmt = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"

  " With '&&' the marker is written only when the child Vim exits with
  " status 0.  The first step uses '>' so the result file starts fresh.
  let shell_cmd = printf(run_fmt, vimprog, 'crash/poc_huaf1')
  let shell_cmd ..= ' && echo "crash 1: [OK]" > X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  call TermWait(buf, 50)

  let shell_cmd = printf(run_fmt, vimprog, 'crash/poc_huaf2')
  let shell_cmd ..= ' && echo "crash 2: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  call TermWait(buf, 50)

  let shell_cmd = printf(run_fmt, vimprog, 'crash/poc_huaf3')
  let shell_cmd ..= ' && echo "crash 3: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  call TermWait(buf, 100)

  " Added with patch 9.0.1857 ([security] heap-use-after-free in is_qf_win()).
  let shell_cmd = printf(run_fmt, vimprog, 'crash/bt_quickfix_poc')
  let shell_cmd ..= ' && echo "crash 4: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  " clean up
  " NOTE(review): delete() runs right after the keys are sent, i.e. before
  " the wait below.  If 'Xerr' is written by the PoC run it may not exist
  " yet at this point - confirm.
  call delete('Xerr')
  " This test takes a bit longer
  call TermWait(buf, 1000)

  " Added with patch 9.0.1858 ([security] heap use after free in
  " ins_compl_get_exp()).
  " using || because this poc causes vim to exit with exitstatus != 0
  " NOTE(review): with '||' the marker is written for ANY non-zero status.
  " A shell also reports a non-zero status when the child is killed by a
  " signal, so this step alone cannot tell the expected error exit from a
  " crash; checking for the specific exit status would make it stricter.
  let shell_cmd = printf(run_fmt, vimprog, 'crash/poc_tagfunc.vim')
  let shell_cmd ..= ' || echo "crash 5: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  call TermWait(buf, 100)

  " Added with patch 9.0.1859 (heap-use-after-free in bt_normal()).
  let shell_cmd = printf(run_fmt, vimprog, 'crash/bt_quickfix1_poc')
  let shell_cmd ..= ' && echo "crash 6: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  " clean up
  " NOTE(review): same ordering as for 'Xerr' above - the file is deleted
  " before the wait, not after it.
  call delete('X')
  call TermWait(buf, 3000)

  " Added with patch 9.0.1873 ([security] heap-buffer-overflow in
  " vim_regsub_both).
  " NOTE(review): the comment that accompanied this step said '||' is used
  " because the PoC makes Vim exit with a non-zero status, but the command
  " actually chains with '&&'.  One of the two is stale; confirm which exit
  " status is expected here.
  let shell_cmd = printf(run_fmt, vimprog, 'crash/vim_regsub_both_poc')
  let shell_cmd ..= ' && echo "crash 7: [OK]" >> X_crash1_result.txt'
  call term_sendkeys(buf, shell_cmd .. "\<cr>")
  call TermWait(buf, 1000)

  " clean up: wipe the terminal buffer that ran the shell
  execute buf .. 'bw!'

  " Load the collected markers and compare them with the full list.  A
  " missing or misplaced line means a run did not end with the exit status
  " its step expects.
  split X_crash1_result.txt

  let expected = map(range(1, 7), {_, nr -> printf('crash %d: [OK]', nr)})

  call assert_equal(expected, getline(1, '$'))
  bwipe!

  call delete('X_crash1_result.txt')
endfunc
func Test_crash2()
  " Sources crash/vim_regsub_both in a Vim running inside a terminal window
  " and compares the resulting screen with the stored dump 'Test_crash_01'.
  " Annotate data on the page attributes this test to patch 9.0.1848
  " ([security] buffer-overflow in vim_regsub_both()).
  "
  " The following used to crash Vim
  let term_opts = {'wait_for_ruler': 0, 'rows': 20}

  " No vimrc, no viminfo, no swap file, silent Ex mode; -S sources the file
  " that is appended as the last argument.
  let vim_args = ' -u NONE -i NONE -n -e -s -S ' .. ' crash/vim_regsub_both'
  let buf = RunVimInTerminal(vim_args, term_opts)

  call VerifyScreenDump(buf, 'Test_crash_01', {})

  " Wipe the terminal buffer again.
  execute buf .. 'bw!'
endfunc
" vim: shiftwidth=2 sts=2 expandtab