[dunfell][PATCH] vim: fix 2021-3796

[dunfell][PATCH] vim: fix 2021-3796

[Minjae Kim]

vim is vulnerable to Use After Free
Problem: Checking first character of url twice.

reference:
https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
---
 .../vim/files/CVE-2021-3796.patch             | 70 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |  1 +
 2 files changed, 71 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch

diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
new file mode 100644
index 0000000000..08becb4d9a
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
@@ -0,0 +1,70 @@
+From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Fri, 22 Oct 2021 02:24:32 +0000
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem:    Using freed memory when replacing. (Dhiraj Mishra)
+Solution:   Get the line pointer after calling ins_copychar().
+
+Upstream-Status: Accepted [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
+CVE: CVE-2021-3796
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/normal.c              | 11 +++++++----
+ src/testdir/test_edit.vim | 12 ++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..277c92595 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,22 @@ nv_replace(cmdarg_T *cap)
+           {
+               /*
+                * Get ptr again, because u_save and/or showmatch() will have
+-               * released the line.  At the same time we let know that the
++               * released the line. This may also happen in ins_copychar().
++               * At the same time we let know that the
+                * line will be changed.
+                */
+-              ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+               if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+               {
+                 int c = ins_copychar(curwin->w_cursor.lnum
+                                          + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++                ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                 if (c != NUL)
+                   ptr[curwin->w_cursor.col] = c;
+-              }
+-              else
++              } else {
+                   ptr[curwin->w_cursor.col] = cap->nchar;
++                  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
++              }
+               if (p_sm && msg_silent == 0)
+                   showmatch(cap->nchar);
+               ++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 4e29e7fe1..d7565e1ea 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1519,3 +1519,15 @@ func Test_edit_noesckeys()
+   bwipe!
+   set esckeys
+ endfunc
++
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++  set encoding=latin1
++  new
++  let @" = ''
++  sil! norm orggRx
++  sil! norm pr
++  call assert_equal(['r', 'r'], getline(1, 2))
++  bwipe!
++  set encoding=utf-8
++endfunc
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index fc4e205b74..0973a368c0 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git \
            file://racefix.patch \
            file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
 	   file://CVE-2021-3778.patch \
+           file://CVE-2021-3796.patch \
 "
 
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
-- 
2.30.1 (Apple Git-130)

Re: [OE-core] [dunfell][PATCH] vim: fix 2021-3796

[Steve Sakoman]

On Thu, Oct 21, 2021 at 5:42 PM Minjae Kim <flowergom@gmail.com> wrote:
>
> vim is vulnerable to Use After Free
> Problem: Checking first character of url twice.
>
> reference:
> https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3

Missing your Signed-off-by:

The patch also fails to apply on dunfell:

stdio: ERROR: vim-native-8.2-r0 do_patch: Applying patch
'CVE-2021-3796.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible-centos/build/build-st-2929716/tmp/work/x86_64-linux/vim-native/8.2-r0/git'
stdio: ERROR: Logfile of failure stored in:
/home/pokybuild/yocto-worker/reproducible-centos/build/build-st-2929716/tmp/work/x86_64-linux/vim-native/8.2-r0/temp/log.do_patch.2931142
stdio: ERROR: Task
(virtual:native:/home/pokybuild/yocto-worker/reproducible-centos/build/meta/recipes-support/vim/vim_8.2.bb:do_patch)
failed with exit code '1'
stdio: ERROR: vim-native-8.2-r0 do_patch: Applying patch
'CVE-2021-3796.patch' on target directory
'/home/pokybuild/yocto-worker/reproducible-centos/build/build-st-2929716/tmp/work/x86_64-linux/vim-native/8.2-r0/git'
stdio: ERROR: Logfile of failure stored in:
/home/pokybuild/yocto-worker/reproducible-centos/build/build-st-2929716/tmp/work/x86_64-linux/vim-native/8.2-r0/temp/log.do_patch.2931142
stdio: ERROR: Task
(virtual:native:/home/pokybuild/yocto-worker/reproducible-centos/build/meta/recipes-support/vim/vim_8.2.bb:do_patch)
failed with exit code '1'
stdio: ERROR: Command . ./oe-init-build-env; ${SCRIPTSDIR}/checkvnc;
OEQA_DEBUGGING_SAVED_OUTPUT=/srv/autobuilder/autobuilder.yoctoproject.org/pub/repro-fail/
DISPLAY=:1 oe-selftest -r reproducible -j 1 failed with exit code 1,
see errors above. (1635095597.6: 33.1)

Probably a similar issue to the master version.

Thanks!

Steve
> ---
>  .../vim/files/CVE-2021-3796.patch             | 70 +++++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |  1 +
>  2 files changed, 71 insertions(+)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> new file mode 100644
> index 0000000000..08becb4d9a
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> @@ -0,0 +1,70 @@
> +From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001
> +From: Minjae Kim <flowergom@gmail.com>
> +Date: Fri, 22 Oct 2021 02:24:32 +0000
> +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> +
> +Problem:    Using freed memory when replacing. (Dhiraj Mishra)
> +Solution:   Get the line pointer after calling ins_copychar().
> +
> +Upstream-Status: Accepted [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> +CVE: CVE-2021-3796
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + src/normal.c              | 11 +++++++----
> + src/testdir/test_edit.vim | 12 ++++++++++++
> + 2 files changed, 19 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/normal.c b/src/normal.c
> +index c4963e621..277c92595 100644
> +--- a/src/normal.c
> ++++ b/src/normal.c
> +@@ -5009,19 +5009,22 @@ nv_replace(cmdarg_T *cap)
> +           {
> +               /*
> +                * Get ptr again, because u_save and/or showmatch() will have
> +-               * released the line.  At the same time we let know that the
> ++               * released the line. This may also happen in ins_copychar().
> ++               * At the same time we let know that the
> +                * line will be changed.
> +                */
> +-              ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> +               if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> +               {
> +                 int c = ins_copychar(curwin->w_cursor.lnum
> +                                          + (cap->nchar == Ctrl_Y ? -1 : 1));
> ++
> ++                ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> +                 if (c != NUL)
> +                   ptr[curwin->w_cursor.col] = c;
> +-              }
> +-              else
> ++              } else {
> +                   ptr[curwin->w_cursor.col] = cap->nchar;
> ++                  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> ++              }
> +               if (p_sm && msg_silent == 0)
> +                   showmatch(cap->nchar);
> +               ++curwin->w_cursor.col;
> +diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
> +index 4e29e7fe1..d7565e1ea 100644
> +--- a/src/testdir/test_edit.vim
> ++++ b/src/testdir/test_edit.vim
> +@@ -1519,3 +1519,15 @@ func Test_edit_noesckeys()
> +   bwipe!
> +   set esckeys
> + endfunc
> ++
> ++" Test for getting the character of the line below after "p"
> ++func Test_edit_put_CTRL_E()
> ++  set encoding=latin1
> ++  new
> ++  let @" = ''
> ++  sil! norm orggRx
> ++  sil! norm pr
> ++  call assert_equal(['r', 'r'], getline(1, 2))
> ++  bwipe!
> ++  set encoding=utf-8
> ++endfunc
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index fc4e205b74..0973a368c0 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git \
>             file://racefix.patch \
>             file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
>            file://CVE-2021-3778.patch \
> +           file://CVE-2021-3796.patch \
>  "
>
>  SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
> --
> 2.30.1 (Apple Git-130)
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157293): https://lists.openembedded.org/g/openembedded-core/message/157293
> Mute This Topic: https://lists.openembedded.org/mt/86506415/3620601
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>

Re: [dunfell][PATCH] vim: fix 2021-3796

[Minjae Kim]

[-- Attachment #1: Type: text/plain, Size: 76 bytes --]

Hi Steve!

I also updated the patch for dunfell.

Thanks,
Minjae Kim.

[-- Attachment #2: Type: text/html, Size: 102 bytes --]