From 6618836e0c77621e8f2021ecf90c7d5fbf5479c6 Mon Sep 17 00:00:00 2001
From: dongyuzhen
Date: Fri, 23 Sep 2022 14:46:56 +0800
Subject: [PATCH] fix CVE-2022-3256
(cherry picked from commit 9c21b94d0c4856b678316515577e2818ccfbbae0)
---
 backport-CVE-2022-3256.patch | 66 ++++++++++++++++++++++++++++++++++++
 vim.spec | 9 ++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-3256.patch
diff --git a/backport-CVE-2022-3256.patch b/backport-CVE-2022-3256.patch
new file mode 100644
index 0000000..d72af1b
--- /dev/null
+++ b/backport-CVE-2022-3256.patch
@@ -0,0 +1,66 @@
+From 8ecfa2c56b4992c7f067b92488aa9acea5a454ad Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 21 Sep 2022 13:07:22 +0100
+Subject: [PATCH] patch 9.0.0530: using freed memory when autocmd changes mark
+
+Problem: Using freed memory when autocmd changes mark.
+Solution: Copy the mark before editing another buffer.
+---
+ src/mark.c | 12 +++++++-----
+ src/testdir/test_marks.vim | 13 +++++++++++++
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/mark.c b/src/mark.c
+index ade5a10..584db03 100644
+--- a/src/mark.c
++++ b/src/mark.c
+@@ -221,17 +221,19 @@ movemark(int count)
+ fname2fnum(jmp);
+ if (jmp->fmark.fnum != curbuf->b_fnum)
+ {
+- // jump to other file
+- if (buflist_findnr(jmp->fmark.fnum) == NULL)
++ // Make a copy, an autocommand may make "jmp" invalid.
++ fmark_T fmark = jmp->fmark;
++
++ // jump to the file with the mark
++ if (buflist_findnr(fmark.fnum) == NULL)
+ { // Skip this one ..
+ count += count < 0 ? -1 : 1;
+ continue;
+ }
+- if (buflist_getfile(jmp->fmark.fnum, jmp->fmark.mark.lnum,
+- 0, FALSE) == FAIL)
++ if (buflist_getfile(fmark.fnum, fmark.mark.lnum, 0, FALSE) == FAIL)
+ return (pos_T *)NULL;
+ // Set lnum again, autocommands my have changed it
+- curwin->w_cursor = jmp->fmark.mark;
++ curwin->w_cursor = fmark.mark;
+ pos = (pos_T *)-1;
+ }
+ else
+diff --git a/src/testdir/test_marks.vim b/src/testdir/test_marks.vim
+index 12501a3..20fb304 100644
+--- a/src/testdir/test_marks.vim
++++ b/src/testdir/test_marks.vim
+@@ -305,4 +305,17 @@ func Test_getmarklist()
+ close!
+ endfunc
+ 
++" This was using freed memory
++func Test_jump_mark_autocmd()
++ next 00
++ edit 0
++ sargument
++ au BufEnter 0 all
++ sil norm 
++
++ au! BufEnter
++ bwipe!
++endfunc
++
++
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
diff --git a/vim.spec b/vim.spec
index 53ff057..ff0b657 100644
--- a/vim.spec
+++ b/vim.spec
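Review bot: The by-value copy `fmark_T fmark = jmp->fmark;` only closes the use-after-free if fmark_T carries no pointer members (the type is not shown in this hunk); if it held, say, a file-name pointer, that member would dangle exactly as `jmp` does once the BufEnter autocommand has freed the jumplist entry, so confirm the struct is plain data and record that in the comment, e.g. `// Make a copy, an autocommand may make "jmp" invalid (fmark_T is plain data, so a value copy is enough).` Within the hunk every read after `buflist_getfile()` now goes through the copy (`fmark.mark`), but movemark() starts before this hunk and continues past it in the `else` branch and beyond, where `jmp` is still live, so any later `jmp->` access that can follow a buffer switch needs the same treatment. While touching the neighbouring line, the context comment has a typo worth fixing: `// Set lnum again, autocommands may have changed it`. The regression test's `sil norm` line depends on a literal control byte after `norm` that is not visible in this rendering; if the backported .patch lost that byte in transit, Test_jump_mark_autocmd would silently exercise nothing, so verify the file's bytes (e.g. `git apply --check` plus the `make -j1 test` run in %check actually executing this test) before relying on the Release bump as proof the CVE is closed.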
@@ -12,7 +12,7 @@
 Name: vim
 Epoch: 2
 Version: 9.0
-Release: 15
+Release: 16
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -65,6 +65,7 @@ Patch6034: backport-CVE-2022-3134.patch
 Patch6035: backport-CVE-2022-3153.patch
 Patch6036: backport-CVE-2022-3234.patch
 Patch6037: backport-CVE-2022-3235.patch
+Patch6038: backport-CVE-2022-3256.patch
 
 Patch9000: bugfix-rm-modify-info-version.patch
 
@@ -463,6 +464,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*
 
 %changelog
+* Fri Sep 23 2022 dongyuzhen - 2:9.0-16
+- Type:CVE
+- ID:CVE-2022-3256
+- SUG:NA
+- DESC:fix CVE-2022-3256
+
 * Mon Sep 19 2022 dongyuzhen - 2:9.0-15
 - Type:CVE
 - ID:CVE-2022-3234 CVE-2022-3235
-- 
Gitee