patch 9.0.2158: [security]: use-after-free in check_argument_type
Problem: [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
list
function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.
So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer
closes: #13652
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types
new file mode 100644
index 0000000..83a2e7b
--- /dev/null
+++ b/src/testdir/crash/poc_uaf_check_argument_types
Binary files differ
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 242da8e..fd786e5 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -184,6 +184,12 @@
call term_sendkeys(buf, args)
call TermWait(buf, 150)
+ let file = 'crash/poc_uaf_check_argument_types'
+ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args)
+ call TermWait(buf, 150)
+
" clean up
exe buf .. "bw!"
bw!