From: Rahul Chauhan <rahulchauhankitps@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Rahul Chauhan <rahulchauhankitps@gmail.com>
Subject: [PATCH 1/2] vim: Security Fix For CVE-2022-1381
Date: Mon, 2 May 2022 18:20:11 +0530 [thread overview]
Message-ID: <20220502125012.11630-1-rahulchauhankitps@gmail.com> (raw)
CVE: CVE-2022-1381
Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
---
.../vim/files/CVE-2022-1381.patch | 111 ++++++++++++++++++
meta/recipes-support/vim/vim.inc | 1 +
2 files changed, 112 insertions(+)
create mode 100644 meta/recipes-support/vim/files/CVE-2022-1381.patch
diff --git a/meta/recipes-support/vim/files/CVE-2022-1381.patch b/meta/recipes-support/vim/files/CVE-2022-1381.patch
new file mode 100644
index 0000000000..1b0e129746
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1381.patch
@@ -0,0 +1,111 @@
+From 6a6cb529c7a8bda2c45964137d7c8df9c2623d51 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Sat, 16 Apr 2022 18:52:17 +0100
+Subject: [PATCH] patch 8.2.4763: using invalid pointer with "V:" in Ex mode
+
+Problem: Using invalid pointer with "V:" in Ex mode.
+Solution: Correctly handle the command being changed to "+".
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47]
+CVE-2022-1381
+
+Signed-off-by: Rahul Chauhan <rahulchauhankitps@gmail.com>
+---
+ src/ex_docmd.c | 29 ++++++++++++++++++++++++-----
+ src/testdir/test_ex_mode.vim | 13 +++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index c12f151c3..9d3f1b420 100644
+--- a/src/ex_docmd.c
++++ b/src/ex_docmd.c
+@@ -2782,7 +2782,9 @@ parse_command_modifiers(
+ cmdmod_T *cmod,
+ int skip_only)
+ {
++ char_u *orig_cmd = eap->cmd;
+ char_u *cmd_start = NULL;
++ int did_plus_cmd = FALSE;
+ char_u *p;
+ int starts_with_colon = FALSE;
+ int vim9script = in_vim9script();
+@@ -2818,6 +2820,7 @@ parse_command_modifiers(
+ && curwin->w_cursor.lnum < curbuf->b_ml.ml_line_count)
+ {
+ eap->cmd = (char_u *)"+";
++ did_plus_cmd = TRUE;
+ if (!skip_only)
+ ex_pressedreturn = TRUE;
+ }
+@@ -3100,13 +3103,29 @@ parse_command_modifiers(
+ // Since the modifiers have been parsed put the colon on top of the
+ // space: "'<,'>mod cmd" -> "mod:'<,'>cmd
+ // Put eap->cmd after the colon.
+- mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
+- eap->cmd -= 5;
+- mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++ if (did_plus_cmd)
++ {
++ size_t len = STRLEN(cmd_start);
++
++ // Special case: empty command may have been changed to "+":
++ // "'<,'>mod" -> "mod'<,'>+
++ mch_memmove(orig_cmd, cmd_start, len);
++ STRCPY(orig_cmd + len, "'<,'>+");
++ }
++ else
++ {
++ mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
++ eap->cmd -= 5;
++ mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++ }
+ }
+ else
+- // no modifiers, move the pointer back
+- eap->cmd -= 5;
++ // No modifiers, move the pointer back.
++ // Special case: empty command may have been changed to "+".
++ if (did_plus_cmd)
++ eap->cmd = (char_u *)"'<,'>+";
++ else
++ eap->cmd = orig_cmd;
+ }
+
+ return OK;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 2642a16d2..d981ced6b 100644
+--- a/src/testdir/test_ex_mode.vim
++++ b/src/testdir/test_ex_mode.vim
+@@ -250,5 +250,18 @@ func Test_ex_mode_large_indent()
+ bwipe!
+ endfunc
+
++" This was accessing illegal memory when using "+" for eap->cmd.
++func Test_empty_command_visual_mode()
++ let lines =<< trim END
++ r<sfile>
++ 0norm0V:^[
++ :qall!
++ END
++ call writefile(lines, 'Xexmodescript')
++ call assert_equal(1, RunVim([], [], '-u NONE -e -s -S Xexmodescript'))
++
++ call delete('Xexmodescript')
++endfunc
++
+
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 79a3bad67..38c3e69b6 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 4763,
+ /**/
+ 4681,
+ /**/
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4..c78e53007e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,6 +19,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
file://racefix.patch \
+ file://CVE-2022-1381.patch \
"
PV .= ".4681"
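Review bot: The recipe stays at patch level `.4681` on the `PV` line while the added `file://CVE-2022-1381.patch` entry carries upstream patch 8.2.4763, so the fix becomes a local backport that must be rebased on every vim upgrade. Moving the recipe to an upstream revision at or past 4763 would bring in the fix and its regression test without a carried patch, if branch policy allows. SRCREV is outside this hunk, so whether that is feasible for this branch cannot be confirmed from here.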
--
2.17.1