# HG changeset patch # User Christian Brabandt # Date 1702314003 -3600 # Node ID a49ae967e9ed2684c8a0c79d0ca431c379f1e419 # Parent 966a1af141b0a5f219cfdefb03b7b1dd8def7ff2 patch 9.0.2158: [security]: use-after-free in check_argument_type Commit: https://github.com/vim/vim/commit/0f28791b215bd4c22ed580839409c2f7d39d8140 Author: Christian Brabandt Date: Mon Dec 11 17:53:25 2023 +0100 patch 9.0.2158: [security]: use-after-free in check_argument_type Problem: [security]: use-after-free in check_argument_type Solution: Reset function type pointer when freeing the function type list function pointer fp->uf_func_type may point to the same memory, that was allocated for fp->uf_type_list. However, when cleaning up a function definition (e.g. because it was invalid), fp->uf_type_list will be freed, but fp->uf_func_type may still point to the same (now) invalid memory address. So when freeing the fp->uf_type_list, check if fp->func_type points to any of those types and if it does, reset the fp->uf_func_type pointer to the t_func_any (default) type pointer closes: #13652 Signed-off-by: Christian Brabandt diff --git a/src/proto/vim9type.pro b/src/proto/vim9type.pro --- a/src/proto/vim9type.pro +++ b/src/proto/vim9type.pro @@ -2,6 +2,7 @@ type_T *get_type_ptr(garray_T *type_gap); type_T *copy_type(type_T *type, garray_T *type_gap); void clear_type_list(garray_T *gap); +void clear_func_type_list(garray_T *gap, type_T **func_type); type_T *alloc_type(type_T *type); void free_type(type_T *type); void set_tv_type(typval_T *tv, type_T *type); diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types new file mode 100644 index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..83a2e7b0a69305a319dde36451416092f5153ef2 GIT binary patch literal 43 yc$`Z~O;ZTcNVDbAWZ+88OG!yh<0{sVQB~K}kFgEX(BvvB<}xTwF5)WAX8-{DR|{DH diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim --- a/src/testdir/test_crash.vim +++ b/src/testdir/test_crash.vim @@ -184,6 +184,12 @@ func Test_crash1_3() call term_sendkeys(buf, args) call TermWait(buf, 150) + let file = 'crash/poc_uaf_check_argument_types' + let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\" + let args = printf(cmn_args, vim, file) + call term_sendkeys(buf, args) + call TermWait(buf, 150) + " clean up exe buf .. "bw!" bw! diff --git a/src/userfunc.c b/src/userfunc.c --- a/src/userfunc.c +++ b/src/userfunc.c @@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp) VIM_CLEAR(fp->uf_arg_types); VIM_CLEAR(fp->uf_block_ids); VIM_CLEAR(fp->uf_va_name); - clear_type_list(&fp->uf_type_list); + clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type); // Increment the refcount of this function to avoid it being freed // recursively when the partial is freed. @@ -5435,7 +5435,7 @@ errret_2: { VIM_CLEAR(fp->uf_arg_types); VIM_CLEAR(fp->uf_va_name); - clear_type_list(&fp->uf_type_list); + clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type); } if (free_fp) VIM_CLEAR(fp); diff --git a/src/version.c b/src/version.c --- a/src/version.c +++ b/src/version.c @@ -705,6 +705,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 2158, +/**/ 2157, /**/ 2156, diff --git a/src/vim9type.c b/src/vim9type.c --- a/src/vim9type.c +++ b/src/vim9type.c @@ -122,6 +122,19 @@ clear_type_list(garray_T *gap) ga_clear(gap); } + void +clear_func_type_list(garray_T *gap, type_T **func_type) +{ + while (gap->ga_len > 0) + { + // func_type pointing to the uf_type_list, so reset pointer + if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len]) + *func_type = &t_func_any; + vim_free(((type_T **)gap->ga_data)[gap->ga_len]); + } + ga_clear(gap); +} + /* * Take a type that is using entries in a growarray and turn it into a type * with allocated entries.