| commit | 55f8bba73be5f9c3a5a4d0d6c5f56e65f2c7d3fc | [log] [tgz] |
|---|---|---|
| author | Christian Brabandt <cb@256bit.org> | Wed Feb 28 23:32:00 2024 +0100 |
| committer | Christian Brabandt <cb@256bit.org> | Wed Feb 28 23:32:00 2024 +0100 |
| tree | a793a9f5c73a9e252ec61a23a0671a281c128958 | |
| parent | 0fdd18596f504774bc5993d029d68eecea827439 [diff] |
patch 9.1.0143: [security]: autocmd causes use-after-free in set_curbuf()
Problem: [security]: autocmd cause use-after-free in set_curbuf()
(kawarimidoll)
Solution: check side-effect of BufLeave autocommand, when the number
of windows changed, close windows containing buffers that will
be wiped, if curbuf changed unexpectedly make sure b_nwindows
is decremented otherwise it cannot be wiped
set_curbuf() already makes some efforts to ensure the BufLeave
autocommands do not cause issues. However there are still 2 issues
that are not taken care of:
1) If a BufLeave autocommand opens a new window containing the same
buffer as that is going got be closed in close_buffer() a bit later,
we suddenly have another window open, containing a free'd buffer. So we
must check if the number of windows changed and if it does (and the
current buffer is going to be wiped (according to the 'bufhidden'
setting), let's immediately close all windows containing the current
buffer using close_windows()
2) If a BufLeave autocommand changes our current buffer (displays it in
the current window), buf->b_nwindow will be incremented. As part of
set_curbuf() we will however enter another buffer soon, which means, the
newly created curbuf will have b_nwindows still have set, even so the
buffer is no longer displayed in a window. This causes later problems,
because it will no longer be possible to wipe such a buffer. So just
before entering the final buffer, check if the curbuf changed when
calling the BufLeave autocommand and if it does (and curbuf is still
valid), decrement curbuf->b_nwindows.
Both issues can be verified using the provided test (however the second
issue only because such an impacted buffer won't be wiped, causing
futher issues in later tests).
fixes: #13839
closes: #14104
Signed-off-by: Christian Brabandt <cb@256bit.org>
- src/buffer.c[diff]
- src/proto/window.pro[diff]
- src/testdir/test_autocmd.vim[diff]
- src/version.c[diff]
- src/window.c[diff]
- .github/
- ci/
- nsis/
- pixmaps/
- READMEdir/
- runtime/
- src/
- tools/
- .appveyor.yml
- .cirrus.yml
- .codecov.yml
- .gitattributes
- .gitignore
- .hgignore
- configure
- CONTRIBUTING.md
- Filelist
- LICENSE
- Makefile
- README.md
- README.txt
- README_VIM9.md
- SECURITY.md
- uninstall.txt
- vimtutor.bat
- vimtutor.com
If you find a bug or want to discuss the best way to add a new feature, please open an issue. If you have a question or want to discuss the best way to do something with Vim, you can use StackExchange or one of the Maillists.
What is Vim?
Vim is a greatly improved version of the good old UNIX editor Vi. Many new features have been added: multi-level undo, syntax highlighting, command line history, on-line help, spell checking, filename completion, block operations, script language, etc. There is also a Graphical User Interface (GUI) available. Still, Vi compatibility is maintained, those who have Vi "in the fingers" will feel at home. See runtime/doc/vi_diff.txt for differences with Vi.
This editor is very useful for editing programs and other plain text files. All commands are given with normal keyboard characters, so those who can type with ten fingers can work very fast. Additionally, function keys can be mapped to commands by the user, and the mouse can be used.
Vim runs under MS-Windows (7, 8, 10, 11), macOS, Haiku, VMS and almost all flavours of UNIX. Porting to other systems should not be very difficult. Older versions of Vim run on MS-DOS, MS-Windows 95/98/Me/NT/2000/XP/Vista, Amiga DOS, Atari MiNT, BeOS, RISC OS and OS/2. These are no longer maintained.
For Vim9 script see README_VIM9.
Distribution
You can often use your favorite package manager to install Vim. On Mac and Linux a small version of Vim is pre-installed, you still need to install Vim if you want more features.
There are separate distributions for Unix, PC, Amiga and some other systems. This README.md file comes with the runtime archive. It includes the documentation, syntax files and other files that are used at runtime. To run Vim you must get either one of the binary archives or a source archive. Which one you need depends on the system you want to run it on and whether you want or must compile it yourself. Check https://www.vim.org/download.php for an overview of currently available distributions.
Some popular places to get the latest Vim:
- Check out the git repository from GitHub.
- Get the source code as an archive.
- Get a Windows executable from the vim-win32-installer repository.
Compiling
If you obtained a binary distribution you don't need to compile Vim. If you obtained a source distribution, all the stuff for compiling Vim is in the src directory. See src/INSTALL for instructions.
Installation
See one of these files for system-specific instructions. Either in the READMEdir directory (in the repository) or the top directory (if you unpack an archive):
README_ami.txt Amiga README_unix.txt Unix README_dos.txt MS-DOS and MS-Windows README_mac.txt Macintosh README_haiku.txt Haiku README_vms.txt VMS
There are other README_*.txt files, depending on the distribution you used.
Documentation
The Vim tutor is a one hour training course for beginners. Often it can be started as vimtutor. See :help tutor for more information.
The best is to use :help in Vim. If you don't have an executable yet, read runtime/doc/help.txt. It contains pointers to the other documentation files. The User Manual reads like a book and is recommended to learn to use Vim. See :help user-manual.
Copying
Vim is Charityware. You can use and copy it as much as you like, but you are encouraged to make a donation to help orphans in Uganda. Please read the file runtime/doc/uganda.txt for details (do :help uganda inside Vim).
Summary of the license: There are no restrictions on using or distributing an unmodified copy of Vim. Parts of Vim may also be distributed, but the license text must always be included. For modified versions, a few restrictions apply. The license is GPL compatible, you may compile Vim with GPL libraries and distribute it.
Sponsoring
Fixing bugs and adding new features takes a lot of time and effort. To show your appreciation for the work and motivate Bram and others to continue working on Vim please send a donation.
Since Bram is back to a paid job the money will now be used to help children in Uganda. See runtime/doc/uganda.txt. But at the same time donations increase Bram's motivation to keep working on Vim!
For the most recent information about sponsoring look on the Vim web site: https://www.vim.org/sponsor/
Contributing
If you would like to help make Vim better, see the CONTRIBUTING.md file.
Information
If you are on macOS, you can use Macvim.
The latest news about Vim can be found on the Vim home page: https://www.vim.org/
If you have problems, have a look at the Vim documentation or tips: https://www.vim.org/docs.php https://vim.fandom.com/wiki/Vim_Tips_Wiki
If you still have problems or any other questions, use one of the mailing lists to discuss them with Vim users and developers: https://www.vim.org/maillist.php
If nothing else works, report bugs directly to the vim-dev mailing list: <vim-dev@vim.org>
Main author
Most of Vim was created by Bram Moolenaar <Bram@vim.org> Bram-Moolenaar
Send any other comments, patches, flowers and suggestions to the vim-dev mailing list: <vim-dev@vim.org>
This is README.md for version 9.1 of Vim: Vi IMproved.