[PATCH v2] vim: fix 2021-3796

[PATCH v2] vim: fix 2021-3796

[Minjae Kim]

vim is vulnerable to Use After Free
Problem: Checking first character of url twice.

reference:
https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
---
 .../vim/files/CVE-2021-3796.patch             | 50 +++++++++++++++++++
 meta/recipes-support/vim/vim.inc              |  3 +-
 2 files changed, 52 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch

diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
new file mode 100644
index 0000000000..666bd5c48b
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
@@ -0,0 +1,50 @@
+From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 Sep 2021 16:01:09 +0800
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem:    Using freed memory when replacing. (Dhiraj Mishra)
+Solution:   Get the line pointer after calling ins_copychar().
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
+CVE: CVE-2021-3796
+
+Signed-off-by: Minjae Kim  <flowergom@gmail.com>
+---
+ src/normal.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..305b514bc 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+           {
+               /*
+                * Get ptr again, because u_save and/or showmatch() will have
+-               * released the line.  At the same time we let know that the
+-               * line will be changed.
++               * released the line. This may also happen in ins_copychar().
++               * At the same time we let know that the line will be changed.
+                */
+-              ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+               if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+               {
+                 int c = ins_copychar(curwin->w_cursor.lnum
+                                          + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++                ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                 if (c != NUL)
+                   ptr[curwin->w_cursor.col] = c;
+               }
+               else
++              {
++                  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+                   ptr[curwin->w_cursor.col] = cap->nchar;
++              }
+               if (p_sm && msg_silent == 0)
+                   showmatch(cap->nchar);
+               ++curwin->w_cursor.col;
+-- 
+2.17.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index db1e9caf4d..917f82404b 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
            file://no-path-adjust.patch \
            file://racefix.patch \
            file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
-          file://CVE-2021-3778.patch \
+           file://CVE-2021-3778.patch \
+          file://CVE-2021-3796.patch \
 "
 
 SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
-- 
2.30.1 (Apple Git-130)

Re: [OE-core] [PATCH v2] vim: fix 2021-3796

[Alexandre Belloni]

Hello,

Unless I'm doing something wrong, this still fails to apply:

https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/4207/steps/11/logs/stdio

On 24/10/2021 15:40:42+0900, Minjae Kim wrote:
> vim is vulnerable to Use After Free
> Problem: Checking first character of url twice.
> 
> reference:
> https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
> ---
>  .../vim/files/CVE-2021-3796.patch             | 50 +++++++++++++++++++
>  meta/recipes-support/vim/vim.inc              |  3 +-
>  2 files changed, 52 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
> 
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> new file mode 100644
> index 0000000000..666bd5c48b
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> @@ -0,0 +1,50 @@
> +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
> +From: Bram Moolenaar <Bram@vim.org>
> +Date: Fri, 24 Sep 2021 16:01:09 +0800
> +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> +
> +Problem:    Using freed memory when replacing. (Dhiraj Mishra)
> +Solution:   Get the line pointer after calling ins_copychar().
> +
> +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> +CVE: CVE-2021-3796
> +
> +Signed-off-by: Minjae Kim  <flowergom@gmail.com>
> +---
> + src/normal.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/normal.c b/src/normal.c
> +index c4963e621..305b514bc 100644
> +--- a/src/normal.c
> ++++ b/src/normal.c
> +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
> +           {
> +               /*
> +                * Get ptr again, because u_save and/or showmatch() will have
> +-               * released the line.  At the same time we let know that the
> +-               * line will be changed.
> ++               * released the line. This may also happen in ins_copychar().
> ++               * At the same time we let know that the line will be changed.
> +                */
> +-              ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> +               if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> +               {
> +                 int c = ins_copychar(curwin->w_cursor.lnum
> +                                          + (cap->nchar == Ctrl_Y ? -1 : 1));
> ++
> ++                ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> +                 if (c != NUL)
> +                   ptr[curwin->w_cursor.col] = c;
> +               }
> +               else
> ++              {
> ++                  ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> +                   ptr[curwin->w_cursor.col] = cap->nchar;
> ++              }
> +               if (p_sm && msg_silent == 0)
> +                   showmatch(cap->nchar);
> +               ++curwin->w_cursor.col;
> +-- 
> +2.17.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index db1e9caf4d..917f82404b 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
>             file://no-path-adjust.patch \
>             file://racefix.patch \
>             file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
> -          file://CVE-2021-3778.patch \
> +           file://CVE-2021-3778.patch \
> +          file://CVE-2021-3796.patch \
>  "
>  
>  SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
> -- 
> 2.30.1 (Apple Git-130)
> 

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157321): https://lists.openembedded.org/g/openembedded-core/message/157321
> Mute This Topic: https://lists.openembedded.org/mt/86550275/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com