vim-patch:9.0.2106: [security]: Use-after-free in win_close()

Problem: [security]: Use-after-free in win_close() Solution: Check window is valid, before accessing it If the current window structure is no longer valid (because a previous autocommand has already freed this window), fail and return before attempting to set win->w_closing variable. Add a test to trigger ASAN in CI https://github.com/vim/vim/commit/25aabc2b8ee1e19ced6f4da9d866cf9378fc4c5a Co-authored-by: Christian Brabandt <cb@256bit.org>
author: zeertzjq <zeertzjq@outlook.com> 2023-11-17 09:47:04 +0800
committer: zeertzjq <zeertzjq@outlook.com> 2023-11-17 09:59:22 +0800
commit: 790bd4d5858713e8503825892c7d08340d189370 (patch)
tree: ad5cc30e6ddb2202fb7e15aa081d9a7c7efb06d4
parent: d49be1cd2893ad583361ac058279a471ad7877e5 (diff)
download: rneovim-790bd4d5858713e8503825892c7d08340d189370.tar.gz
rneovim-790bd4d5858713e8503825892c7d08340d189370.tar.bz2
rneovim-790bd4d5858713e8503825892c7d08340d189370.zip
7 files changed, 36 insertions, 0 deletions
diff --git a/src/nvim/window.c b/src/nvim/window.c
index 89bdd7f5e0..00524b2f56 100644
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -2661,6 +2661,9 @@ int win_close(win_T *win, bool free_buf, bool force)
       reset_VIsual_and_resel();  // stop Visual mode
 
       other_buffer = true;
+      if (!win_valid(win)) {
+        return FAIL;
+      }
       win->w_closing = true;
       apply_autocmds(EVENT_BUFLEAVE, NULL, NULL, false, curbuf);
       if (!win_valid(win)) {
diff --git a/test/old/testdir/crash/poc1 b/test/old/testdir/crash/poc1
new file mode 100644
index 0000000000..ec223f16b8
--- /dev/null
+++ b/test/old/testdir/crash/poc1
diff --git a/test/old/testdir/crash/poc_huaf1 b/test/old/testdir/crash/poc_huaf1
new file mode 100644
index 0000000000..0d0ea475c1
--- /dev/null
+++ b/test/old/testdir/crash/poc_huaf1
diff --git a/test/old/testdir/crash/poc_huaf2 b/test/old/testdir/crash/poc_huaf2
new file mode 100644
index 0000000000..4867e0f956
--- /dev/null
+++ b/test/old/testdir/crash/poc_huaf2
diff --git a/test/old/testdir/crash/poc_huaf3 b/test/old/testdir/crash/poc_huaf3
new file mode 100644
index 0000000000..7e38a9a17c
--- /dev/null
+++ b/test/old/testdir/crash/poc_huaf3
diff --git a/test/old/testdir/crash/vim_regsub_both_poc b/test/old/testdir/crash/vim_regsub_both_poc
new file mode 100644
index 0000000000..19a57114be
--- /dev/null
+++ b/test/old/testdir/crash/vim_regsub_both_poc
diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 5cd07e2a3f..b093b053c5 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -110,6 +110,39 @@ func Test_crash1()
   call delete('X_crash1_result.txt')
 endfunc
 
+func Test_crash1_2()
+  CheckNotBSD
+  CheckExecutable dash
+
+  " The following used to crash Vim
+  let opts = #{cmd: 'sh'}
+  let vim  = GetVimProg()
+  let result = 'X_crash1_1_result.txt'
+
+  let buf = RunVimInTerminal('sh', opts)
+
+  let file = 'crash/poc1'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ '  && echo "crash 1: [OK]" > '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
+  " clean up
+  exe buf .. "bw!"
+
+  exe "sp " .. result
+
+  let expected = [
+      \ 'crash 1: [OK]',
+      \ ]
+
+  call assert_equal(expected, getline(1, '$'))
+  bw!
+
+  call delete(result)
+endfunc
+
 func Test_crash2()
   " The following used to crash Vim
   let opts = #{wait_for_ruler: 0, rows: 20}
author	zeertzjq <zeertzjq@outlook.com>	2023-11-17 09:47:04 +0800
committer	zeertzjq <zeertzjq@outlook.com>	2023-11-17 09:59:22 +0800
commit	790bd4d5858713e8503825892c7d08340d189370 (patch)
tree	ad5cc30e6ddb2202fb7e15aa081d9a7c7efb06d4
parent	d49be1cd2893ad583361ac058279a471ad7877e5 (diff)
download	rneovim-790bd4d5858713e8503825892c7d08340d189370.tar.gz rneovim-790bd4d5858713e8503825892c7d08340d189370.tar.bz2 rneovim-790bd4d5858713e8503825892c7d08340d189370.zip