* [PATCH] vim: fix 2021-3796
@ 2021-10-22 2:45 Minjae Kim
2021-10-23 15:57 ` [OE-core] " Alexandre Belloni
0 siblings, 1 reply; 3+ messages in thread
From: Minjae Kim @ 2021-10-22 2:45 UTC (permalink / raw)
To: openembedded-core; +Cc: Minjae Kim
vim is vulnerable to Use After Free
Problem: Checking first character of url twice.
reference:
https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
---
.../vim/files/CVE-2021-3796.patch | 70 +++++++++++++++++++
meta/recipes-support/vim/vim.inc | 3 +-
2 files changed, 72 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
new file mode 100644
index 0000000000..08becb4d9a
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
@@ -0,0 +1,70 @@
+From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001
+From: Minjae Kim <flowergom@gmail.com>
+Date: Fri, 22 Oct 2021 02:24:32 +0000
+Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
+
+Problem: Using freed memory when replacing. (Dhiraj Mishra)
+Solution: Get the line pointer after calling ins_copychar().
+
+Upstream-Status: Accepted [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
+CVE: CVE-2021-3796
+Signed-off-by: Minjae Kim <flowergom@gmail.com>
+---
+ src/normal.c | 11 +++++++----
+ src/testdir/test_edit.vim | 12 ++++++++++++
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/src/normal.c b/src/normal.c
+index c4963e621..277c92595 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -5009,19 +5009,22 @@ nv_replace(cmdarg_T *cap)
+ {
+ /*
+ * Get ptr again, because u_save and/or showmatch() will have
+- * released the line. At the same time we let know that the
++ * released the line. This may also happen in ins_copychar().
++ * At the same time we let know that the
+ * line will be changed.
+ */
+- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
+ {
+ int c = ins_copychar(curwin->w_cursor.lnum
+ + (cap->nchar == Ctrl_Y ? -1 : 1));
++
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
+ if (c != NUL)
+ ptr[curwin->w_cursor.col] = c;
+- }
+- else
++ } else {
+ ptr[curwin->w_cursor.col] = cap->nchar;
++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
++ }
+ if (p_sm && msg_silent == 0)
+ showmatch(cap->nchar);
+ ++curwin->w_cursor.col;
+diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
+index 4e29e7fe1..d7565e1ea 100644
+--- a/src/testdir/test_edit.vim
++++ b/src/testdir/test_edit.vim
+@@ -1519,3 +1519,15 @@ func Test_edit_noesckeys()
+ bwipe!
+ set esckeys
+ endfunc
++
++" Test for getting the character of the line below after "p"
++func Test_edit_put_CTRL_E()
++ set encoding=latin1
++ new
++ let @" = ''
++ sil! norm orggRx
++ sil! norm pr
++ call assert_equal(['r', 'r'], getline(1, 2))
++ bwipe!
++ set encoding=utf-8
++endfunc
+--
+2.17.1
+
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index db1e9caf4d..917f82404b 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
file://no-path-adjust.patch \
file://racefix.patch \
file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
- file://CVE-2021-3778.patch \
+ file://CVE-2021-3778.patch \
+ file://CVE-2021-3796.patch \
"
SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
--
2.30.1 (Apple Git-130)
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [OE-core] [PATCH] vim: fix 2021-3796
2021-10-22 2:45 [PATCH] vim: fix 2021-3796 Minjae Kim
@ 2021-10-23 15:57 ` Alexandre Belloni
2021-10-24 6:43 ` Minjae Kim
0 siblings, 1 reply; 3+ messages in thread
From: Alexandre Belloni @ 2021-10-23 15:57 UTC (permalink / raw)
To: Minjae Kim; +Cc: openembedded-core
Hello,
On 22/10/2021 11:45:06+0900, Minjae Kim wrote:
> vim is vulnerable to Use After Free
> Problem: Checking first character of url twice.
>
> reference:
> https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3
> ---
> .../vim/files/CVE-2021-3796.patch | 70 +++++++++++++++++++
> meta/recipes-support/vim/vim.inc | 3 +-
> 2 files changed, 72 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-support/vim/files/CVE-2021-3796.patch
>
> diff --git a/meta/recipes-support/vim/files/CVE-2021-3796.patch b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> new file mode 100644
> index 0000000000..08becb4d9a
> --- /dev/null
> +++ b/meta/recipes-support/vim/files/CVE-2021-3796.patch
> @@ -0,0 +1,70 @@
> +From 296bf20889e66e3235e199838c6e360db2c4166d Mon Sep 17 00:00:00 2001
> +From: Minjae Kim <flowergom@gmail.com>
> +Date: Fri, 22 Oct 2021 02:24:32 +0000
> +Subject: [PATCH] patch 8.2.3428: using freed memory when replacing
> +
> +Problem: Using freed memory when replacing. (Dhiraj Mishra)
> +Solution: Get the line pointer after calling ins_copychar().
> +
> +Upstream-Status: Accepted [https://github.com/vim/vim/commit/35a9a00afcb20897d462a766793ff45534810dc3]
> +CVE: CVE-2021-3796
> +Signed-off-by: Minjae Kim <flowergom@gmail.com>
The patch doesn't seem to apply properly:
https://autobuilder.yoctoproject.org/typhoon/#/builders/115/builds/866/steps/13/logs/stdio
Can you check?
> +---
> + src/normal.c | 11 +++++++----
> + src/testdir/test_edit.vim | 12 ++++++++++++
> + 2 files changed, 19 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/normal.c b/src/normal.c
> +index c4963e621..277c92595 100644
> +--- a/src/normal.c
> ++++ b/src/normal.c
> +@@ -5009,19 +5009,22 @@ nv_replace(cmdarg_T *cap)
> + {
> + /*
> + * Get ptr again, because u_save and/or showmatch() will have
> +- * released the line. At the same time we let know that the
> ++ * released the line. This may also happen in ins_copychar().
> ++ * At the same time we let know that the
> + * line will be changed.
> + */
> +- ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (cap->nchar == Ctrl_E || cap->nchar == Ctrl_Y)
> + {
> + int c = ins_copychar(curwin->w_cursor.lnum
> + + (cap->nchar == Ctrl_Y ? -1 : 1));
> ++
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> + if (c != NUL)
> + ptr[curwin->w_cursor.col] = c;
> +- }
> +- else
> ++ } else {
> + ptr[curwin->w_cursor.col] = cap->nchar;
> ++ ptr = ml_get_buf(curbuf, curwin->w_cursor.lnum, TRUE);
> ++ }
> + if (p_sm && msg_silent == 0)
> + showmatch(cap->nchar);
> + ++curwin->w_cursor.col;
> +diff --git a/src/testdir/test_edit.vim b/src/testdir/test_edit.vim
> +index 4e29e7fe1..d7565e1ea 100644
> +--- a/src/testdir/test_edit.vim
> ++++ b/src/testdir/test_edit.vim
> +@@ -1519,3 +1519,15 @@ func Test_edit_noesckeys()
> + bwipe!
> + set esckeys
> + endfunc
> ++
> ++" Test for getting the character of the line below after "p"
> ++func Test_edit_put_CTRL_E()
> ++ set encoding=latin1
> ++ new
> ++ let @" = ''
> ++ sil! norm orggRx
> ++ sil! norm pr
> ++ call assert_equal(['r', 'r'], getline(1, 2))
> ++ bwipe!
> ++ set encoding=utf-8
> ++endfunc
> +--
> +2.17.1
> +
> diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
> index db1e9caf4d..917f82404b 100644
> --- a/meta/recipes-support/vim/vim.inc
> +++ b/meta/recipes-support/vim/vim.inc
> @@ -18,7 +18,8 @@ SRC_URI = "git://github.com/vim/vim.git \
> file://no-path-adjust.patch \
> file://racefix.patch \
> file://b7081e135a16091c93f6f5f7525a5c58fb7ca9f9.patch \
> - file://CVE-2021-3778.patch \
> + file://CVE-2021-3778.patch \
> + file://CVE-2021-3796.patch \
> "
>
> SRCREV = "98056533b96b6b5d8849641de93185dd7bcadc44"
> --
> 2.30.1 (Apple Git-130)
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157291): https://lists.openembedded.org/g/openembedded-core/message/157291
> Mute This Topic: https://lists.openembedded.org/mt/86505722/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
--
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] vim: fix 2021-3796
2021-10-23 15:57 ` [OE-core] " Alexandre Belloni
@ 2021-10-24 6:43 ` Minjae Kim
0 siblings, 0 replies; 3+ messages in thread
From: Minjae Kim @ 2021-10-24 6:43 UTC (permalink / raw)
To: openembedded-core
[-- Attachment #1: Type: text/plain, Size: 3090 bytes --]
Hi Alexandre,
I updated the patch and I got a build success on my machine as below.
Thanks for notice :)
/poky/master/poky/meta$ bitbake vim -c cleanall; bitbake vim -C compile Loading cache: 100% |############################################################################################################################################################################################################################################################################################ Loaded 1478 entries from dependency cache. NOTE: Resolving any missing task queue dependencies Build Configuration: BB_VERSION = "1.52.0" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "universal" TARGET_SYS = "x86_64-poky-linux" MACHINE = "qemux86-64" DISTRO = "poky" DISTRO_VERSION = "3.4" TUNE_FEATURES = "m64 core2" TARGET_FPU = "" meta meta-poky meta-yocto-bsp = "master:912f24b89c51300c05c8eb810c55ce1ad2e6545c" Initialising tasks: 100% |####################################################################################################################################################################################################################################################################################### Sstate summary: Wanted 0 Local 0 Network 0 Missed 0 Current 0 (0% match, 0% complete) NOTE: No setscene tasks NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 3 tasks of which 0 didn't need to be rerun and all succeeded. Loading cache: 100% |############################################################################################################################################################################################################################################################################################ Loaded 1478 entries from dependency cache. NOTE: Resolving any missing task queue dependencies Build Configuration: BB_VERSION = "1.52.0" BUILD_SYS = "x86_64-linux" NATIVELSBSTRING = "universal" TARGET_SYS = "x86_64-poky-linux" MACHINE = "qemux86-64" DISTRO = "poky" DISTRO_VERSION = "3.4" TUNE_FEATURES = "m64 core2" TARGET_FPU = "" meta meta-poky meta-yocto-bsp = "master:912f24b89c51300c05c8eb810c55ce1ad2e6545c" NOTE: Tainting hash to force rebuild of task poky/master/poky/meta/recipes-support/vim/vim_8.2.bb, do_compile############################################################### WARNING: poky/master/poky/meta/recipes-support/vim/vim_8.2.bb:do_compile is tainted from a forced run####################################################################### Initialising tasks: 100% |####################################################################################################################################################################################################################################################################################### Sstate summary: Wanted 7 Local 0 Network 0 Missed 7 Current 552 (0% match, 98% complete) NOTE: Executing Tasks NOTE: Tasks Summary: Attempted 1964 tasks of which 1949 didn't need to be rerun and all succeeded. Summary: There was 1 WARNING message shown.
Thanks,
Minjae Kim.
[-- Attachment #2: Type: text/html, Size: 3311 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-24 6:43 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-22 2:45 [PATCH] vim: fix 2021-3796 Minjae Kim
2021-10-23 15:57 ` [OE-core] " Alexandre Belloni
2021-10-24 6:43 ` Minjae Kim
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.