vim-patch:9.0.2149: [security]: use-after-free in exec_instructions()

Problem: [security]: use-after-free in exec_instructions() Solution: get tv pointer again [security]: use-after-free in exec_instructions() exec_instructions may access freed memory, if the GA_GROWS_FAILS() re-allocates memory. When this happens, the typval tv may still point to now already freed memory. So let's get that pointer again and compare it with tv. If those two pointers differ, tv is now invalid and we have to refresh the tv pointer. closes: vim/vim#13621 5dd41d4b63 Co-authored-by: Christian Brabandt <cb@256bit.org> (cherry picked from commit 9f2d793068)
2025-07-15 16:51:49 +00:00 · 2024-08-02 05:56:27 +08:00
parent c43dd3ef6f
commit 7550947157
2 changed files with 25 additions and 14 deletions
--- a/test/old/testdir/crash/poc_uaf_exec_instructions
+++ b/test/old/testdir/crash/poc_uaf_exec_instructions
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@ -113,6 +113,7 @@ endfunc
 func Test_crash1_2()
  CheckNotBSD
  CheckExecutable dash
+  let g:test_is_flaky = 1

  " The following used to crash Vim
  let opts = #{cmd: 'sh'}
@ -149,22 +150,9 @@ func Test_crash1_2()
    \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
  call TermWait(buf, 150)

-  let file = 'crash/poc_ex_substitute'
-  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
-  let args = printf(cmn_args, vim, file)
-  " just make sure it runs, we don't care about the resulting echo
-  call term_sendkeys(buf, args .. "\<cr>")
-  " There is no output generated in Github CI for the asan clang build.
-  " so just skip generating the ouput.
-  " call term_sendkeys(buf, args ..
-  "   \ ' &&  echo "crash 5: [OK]" >> '.. result .. "\<cr>")
-  call TermWait(buf, 150)
-
  " clean up
  exe buf .. "bw!"
-
  exe "sp " .. result
-
  let expected = [
      \ 'crash 1: [OK]',
      \ 'crash 2: [OK]',
@ -174,10 +162,33 @@ func Test_crash1_2()

  call assert_equal(expected, getline(1, '$'))
  bw!
-
  call delete(result)
 endfunc

+" This test just runs various scripts, that caused issues before.
+" We are not really asserting anything here, it's just important
+" that ASAN does not detect any issues.
+func Test_crash1_3()
+  let vim  = GetVimProg()
+  let buf = RunVimInTerminal('sh', #{cmd: 'sh'})
+
+  let file = 'crash/poc_ex_substitute'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  let file = 'crash/poc_uaf_exec_instructions'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  " clean up
+  exe buf .. "bw!"
+  bw!
+endfunc
+
 func Test_crash2()
  " The following used to crash Vim
  let opts = #{wait_for_ruler: 0, rows: 20}