* [PATCH v2] vim: fix 2021-3796
@ 2021-10-24 6:40 Minjae Kim
2021-10-25 16:33 ` [OE-core] " Alexandre Belloni
0 siblings, 1 reply; 2+ messages in thread
From: Minjae Kim @ 2021-10-24 6:40 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
vim is vulnerable to Use After Free
Problem: Checking first character of url twice.
reference:
https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
---
.../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
meta/recipes-support/vim/vim.inc | 3 +-
2 files changed, 52 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
new file mode 100644
index 0000000000..666bd5c48b
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
@@ -0,0 +1,50 @@
+From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Fri, 24 Sep 2021 16:01:09 +0800
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem: Using freed memory when replacing. (Dhiraj Mishra)
+Solution: Get the line pointer after calling ins_copychar().
+
+Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
+CVE: CVE-2021-3796
+
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/normal.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..305b514bc 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
+- * line will be changed.
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+ }
+ else
++ {
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+--
+2.17.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index db1e9caf4d..917f82404b 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
file://no-path-adjust.patch \
file://racefix.patch \
file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
- file://CVE-2021-3778.patch \
+ file://CVE-2021-3778.patch \
+ file://CVE-2021-3796.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
--
2.30.1 (Apple Git-130)
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [OE-core] [PATCH v2] vim: fix 2021-3796
2021-10-24 6:40 [PATCH v2] vim: fix 2021-3796 Minjae Kim
@ 2021-10-25 16:33 ` Alexandre Belloni
0 siblings, 0 replies; 2+ messages in thread
From: Alexandre Belloni @ 2021-10-25 16:33 UTC (permalink / raw)
To: Minjae Kim; +Cc: openembedded-core
Hello,
Unless I'm doing something wrong, this still fails to apply:
https://autobuilder.yoctoproject.org/typhoon/#/builders/52/builds/4207/steps/11/logs/stdio
On 24/10/2021 15:40:42+0900, Minjae Kim wrote:
> vim is vulnerable to Use After Free
> Problem: Checking first character of url twice.
>
> reference:
> https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
> ---
> .../vim/files/CVE-2021-3796.patch | 50 +++++++++++++++++++
> meta/recipes-support/vim/vim.inc | 3 +-
> 2 files changed, 52 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> new file mode 100644
> index 0000000000..666bd5c48b
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> @@ -0,0 +1,50 @@
> +From 6d02e1429771c00046b48f26e53ca4123c3ce4e1 Mon Sep 17 00:00:00 2001
> +From: Bram Moolenaar <Bram@vim.org>
> +Date: Fri, 24 Sep 2021 16:01:09 +0800
> +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> +
> +Problem: Using freed memory when replacing. (Dhiraj Mishra)
> +Solution: Get the line pointer after calling ins_copychar().
> +
> +Upstream-Status: Backport [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> +CVE: CVE-2021-3796
> +
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
> +---
> + src/normal.c | 10 +++++++---
> + 1 file changed, 7 insertions(+), 3 deletions(-)
> +
> +diff --git a/src/normal.c b/src/normal.c
> +index c4963e621..305b514bc 100644
> +--- a/src/normal.c
> ++++ b/src/normal.c
> +@@ -5009,19 +5009,23 @@ nv_replace(cmdarg_T *cap)
> + {
> + /*
> + * Get ptr again, because u_save and/or showmatch() will have
> +- * released the line. At the same time we let know that the
> +- * line will be changed.
> ++ * released the line. This may also happen in ins_copychar().
> ++ * At the same time we let know that the line will be changed.
> + */
> +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> + {
> + int c = ins_copychar(curwin->w_cursor.lnum
> + + (cap->nchar == Ctrl_Y ? -1 : 1));
> ++
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (c != NUL)
> + ptr[curwin->w_cursor.col] = c;
> + }
> + else
> ++ {
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + ptr[curwin->w_cursor.col] = cap->nchar;
> ++ }
> + if (p_sm && msg_silent == 0)
> + showmatch(cap->nchar);
> + ++curwin->w_cursor.col;
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index db1e9caf4d..917f82404b 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
> file://no-path-adjust.patch \
> file://racefix.patch \
> file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
> - file://CVE-2021-3778.patch \
> + file://CVE-2021-3778.patch \
> + file://CVE-2021-3796.patch \
> "
>
> SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
> --
> 2.30.1 (Apple Git-130)
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157321): https://lists.openembedded.org/g/openembedded-core/message/157321
> Mute This Topic: https://lists.openembedded.org/mt/86550275/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-10-25 16:33 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-24 6:40 [PATCH v2] vim: fix 2021-3796 Minjae Kim
2021-10-25 16:33 ` [OE-core] " Alexandre Belloni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.