patch 9.1.0647: [security] use-after-free in tagstack_clear_entry
Problem: [security] use-after-free in tagstack_clear_entry
(Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
entries, let's use tagstack_clear_entry(), which will
also free the stack, but using the VIM_CLEAR macro,
which prevents a use-after-free by setting those pointers
to NULL
This addresses CVE-2024-41957
Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4
Signed-off-by: Christian Brabandt <cb@256bit.org>
diff --git a/src/testdir/crash/double_free b/src/testdir/crash/double_free
new file mode 100644
index 0000000..895c4a0
--- /dev/null
+++ b/src/testdir/crash/double_free
Binary files differ
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index fd786e5..29061aa 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -190,6 +190,12 @@
call term_sendkeys(buf, args)
call TermWait(buf, 150)
+ let file = 'crash/double_free'
+ let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+ let args = printf(cmn_args, vim, file)
+ call term_sendkeys(buf, args)
+ call TermWait(buf, 50)
+
" clean up
exe buf .. "bw!"
bw!
diff --git a/src/version.c b/src/version.c
index 4dc9948..0e49ebd 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 647,
+/**/
646,
/**/
645,
diff --git a/src/window.c b/src/window.c
index 7ca29d4..70c72bc 100644
--- a/src/window.c
+++ b/src/window.c
@@ -5837,10 +5837,7 @@
win_free_lsize(wp);
for (i = 0; i < wp->w_tagstacklen; ++i)
- {
- vim_free(wp->w_tagstack[i].tagname);
- vim_free(wp->w_tagstack[i].user_data);
- }
+ tagstack_clear_entry(&wp->w_tagstack[i]);
vim_free(wp->w_localdir);
vim_free(wp->w_prevdir);