From c77080ac21ae24a6025854e8395ebd9ae673ae26 Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Tue, 30 Nov 2021 16:04:09 +0800
Subject: [PATCH] fix CVE-2021-3973 CVE-2021-3974

(cherry picked from commit c30457b9bb28ba04825a439785514449b5cc07f2)
---
 backport-CVE-2021-3973.patch | 79 +++++++++++++++++++
 backport-CVE-2021-3974.patch | 67 ++++++++++++++++
 backport-find-test-fails.patch | 34 ++++++++
 ...k-if-find-and-sfind-have-an-argument.patch | 70 ++++++++++++++++
 vim.spec | 12 ++-
 5 files changed, 261 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-3973.patch
 create mode 100644 backport-CVE-2021-3974.patch
 create mode 100644 backport-find-test-fails.patch
 create mode 100644 backport-no-early-check-if-find-and-sfind-have-an-argument.patch

diff --git a/backport-CVE-2021-3973.patch b/backport-CVE-2021-3973.patch
new file mode 100644
index 0000000..cda4be3
--- /dev/null
+++ b/backport-CVE-2021-3973.patch
@@ -0,0 +1,79 @@
+From 615ddd5342b50a6878a907062aa471740bd9a847 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 18:00:31 +0000
+Subject: [PATCH] patch 8.2.3611: crash when using CTRL-W f without finding a
+ file name
+
+Problem: Crash when using CTRL-W f without finding a file name.
+Solution: Bail out when the file name length is zero.
+
+Reference:https://github.com/vim/vim/commit/615ddd5342b50a6878a907062aa471740bd9a847
+---
+ src/findfile.c | 8 ++++++++
+ src/normal.c | 6 ++++--
+ src/testdir/test_visual.vim | 8 ++++++++
+ 3 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index ba996c4..7a4dfe5 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -1727,6 +1727,9 @@ find_file_in_path_option(
+ proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+
++ if (len == 0)
++ return NULL;
++
+ if (first == TRUE)
+ {
+ // copy file name into NameBuff, expanding environment variables
+@@ -2103,7 +2106,12 @@ find_file_name_in_path(
+ int c;
+ # if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+ char_u *tofree = NULL;
++# endif
+
++ if (len == 0)
++ return NULL;
++
++# if defined(FEAT_FIND_ID) && defined(FEAT_EVAL)
+ if ((options & FNAME_INCL) && *curbuf->b_p_inex != NUL)
+ {
+ tofree = eval_includeexpr(ptr, len);
+diff --git a/src/normal.c b/src/normal.c
+index d6333b9..e9e587d 100644
+--- a/src/normal.c
++++ b/src/normal.c
+@@ -3778,8 +3778,10 @@ get_visual_text(
+ *pp = ml_get_pos(&VIsual);
+ *lenp = curwin->w_cursor.col - VIsual.col + 1;
+ }
+- if (has_mbyte)
+- // Correct the length to include the whole last character.
++ if (**pp == NUL)
++ *lenp = 0;
++ if (has_mbyte && *lenp > 0)
++ // Correct the length to include all bytes of the last character.
+ *lenp += (*mb_ptr2len)(*pp + (*lenp - 1)) - 1;
+ }
+ reset_VIsual_and_resel();
+diff --git a/src/testdir/test_visual.vim b/src/testdir/test_visual.vim
+index ae28123..0705fdb 100644
+--- a/src/testdir/test_visual.vim
++++ b/src/testdir/test_visual.vim
+@@ -894,4 +894,12 @@ func Test_block_insert_replace_tabs()
+ bwipe!
+ endfunc
+
++func Test_visual_block_ctrl_w_f()
++ " Emtpy block selected in new buffer should not result in an error.
++ au! BufNew foo sil norm f
++ edit foo
++
++ au! BufNew
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-CVE-2021-3974.patch b/backport-CVE-2021-3974.patch
new file mode 100644
index 0000000..2582704
--- /dev/null
+++ b/backport-CVE-2021-3974.patch
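Review bot: The regression test added near the end of this hunk, `++ au! BufNew foo sil norm f`, only covers the fix if the `:norm` argument still carries the raw CTRL-V and CTRL-W bytes in front of `f` that the upstream test uses; they are non-printable and would not be visible here, and if they were lost when the backport file was written the test runs a plain `f` motion and never reaches the zero-length Visual selection that the new `**pp == NUL` guard in get_visual_text handles. Worth checking the bytes of that line in backport-CVE-2021-3973.patch before merging. Separately, the `if (len == 0)` check this hunk places ahead of `if (first == TRUE)` in find_file_in_path_option is the placement upstream moved in 8.2.3613, so this patch only yields a passing test suite together with backport-find-test-fails.patch; a line in the patch header such as `Requires backport-find-test-fails.patch (8.2.3613) applied on top.` would record that dependency.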
@@ -0,0 +1,67 @@
+From 64066b9acd9f8cffdf4840f797748f938a13f2d6 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 18:22:56 +0000
+Subject: [PATCH] patch 8.2.3612: using freed memory with regexp using a mark
+
+Problem: Using freed memory with regexp using a mark.
+Solution: Get the line again after getting the mark position.
+
+Reference:https://github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6
+---
+ src/regexp.c | 2 +-
+ src/regexp_nfa.c | 8 ++++++++
+ src/testdir/test_regexp_latin.vim | 8 ++++++++
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/src/regexp.c b/src/regexp.c
+index 112f753..2e94e5a 100644
+--- a/src/regexp.c
++++ b/src/regexp.c
+@@ -1092,7 +1092,7 @@ typedef struct {
+ // The current match-position is stord in these variables:
+ linenr_T lnum; // line number, relative to first line
+ char_u *line; // start of current line
+- char_u *input; // current input, points into "regline"
++ char_u *input; // current input, points into "line"
+
+ int need_clear_subexpr; // subexpressions still need to be cleared
+ #ifdef FEAT_SYN_HL
+diff --git a/src/regexp_nfa.c b/src/regexp_nfa.c
+index bc4a4b6..433523e 100644
+--- a/src/regexp_nfa.c
++++ b/src/regexp_nfa.c
+@@ -6623,8 +6623,16 @@ nfa_regmatch(
+ case NFA_MARK_GT:
+ case NFA_MARK_LT:
+ {
++ size_t col = rex.input - rex.line;
+ pos_T *pos = getmark_buf(rex.reg_buf, t->state->val, FALSE);
+
++ // Line may have been freed, get it again.
++ if (REG_MULTI)
++ {
++ rex.line = reg_getline(rex.lnum);
++ rex.input = rex.line + col;
++ }
++
+ // Compare the mark position to the match position.
+ result = (pos != NULL // mark doesn't exist
+ && pos->lnum > 0 // mark isn't set in reg_buf
+diff --git a/src/testdir/test_regexp_latin.vim b/src/testdir/test_regexp_latin.vim
+index 7a4d98f..3168edc 100644
+--- a/src/testdir/test_regexp_latin.vim
++++ b/src/testdir/test_regexp_latin.vim
+@@ -141,3 +141,11 @@ func Test_pattern_compile_speed()
+ call assert_inrange(0.01, 10.0, reltimefloat(reltime(start)))
+ set spc=
+ endfunc
++
++func Test_using_mark_position()
++ " this was using freed memory
++ new
++ norm O0
++ call assert_fails("s/\\%')", 'E486:')
++ bwipe!
++endfunc
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-find-test-fails.patch b/backport-find-test-fails.patch
new file mode 100644
index 0000000..ec8314f
--- /dev/null
+++ b/backport-find-test-fails.patch
@@ -0,0 +1,34 @@
+From e015d99abb4276f47ce97bad1ad5ff0c658b1c8a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Wed, 17 Nov 2021 19:01:53 +0000
+Subject: [PATCH] patch 8.2.3613: :find test fails
+
+Problem: :find test fails.
+Solution: Put length check inside if block.
+
+Reference:https://github.com/vim/vim/commit/e015d99abb4276f47ce97bad1ad5ff0c658b1c8a
+---
+ src/findfile.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/findfile.c b/src/findfile.c
+index 7a4dfe5..b9a0e47 100644
+--- a/src/findfile.c
++++ b/src/findfile.c
+@@ -1727,11 +1727,11 @@ find_file_in_path_option(
+ proc->pr_WindowPtr = (APTR)-1L;
+ # endif
+
+- if (len == 0)
+- return NULL;
+-
+ if (first == TRUE)
+ {
++ if (len == 0)
++ return NULL;
++
+ // copy file name into NameBuff, expanding environment variables
+ save_char = ptr[len];
+ ptr[len] = NUL;
+--
+2.23.0
\ No newline at end of file
diff --git a/backport-no-early-check-if-find-and-sfind-have-an-argument.patch b/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
new file mode 100644
index 0000000..02934c5
--- /dev/null
+++ b/backport-no-early-check-if-find-and-sfind-have-an-argument.patch
@@ -0,0 +1,70 @@
+From 2d10cd478047df8ba144d4b0fcc46480993af57f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar
+Date: Thu, 19 Mar 2020 14:37:30 +0100
+Subject: [PATCH] patch 8.2.0407: no early check if :find and :sfind have an
+ argument
+
+Problem: No early check if :find and :sfind have an argument.
+Solution: Add EX_NEEDARG.
+
+Reference:https://github.com/vim/vim/commit/2d10cd478047df8ba144d4b0fcc46480993af57f
+---
+ src/ex_cmds.h | 4 ++--
+ src/testdir/test_find_complete.vim | 8 ++++----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/ex_cmds.h b/src/ex_cmds.h
+index 983378c..28ea6ee 100644
+--- a/src/ex_cmds.h
++++ b/src/ex_cmds.h
+@@ -572,7 +572,7 @@ EXCMD(CMD_filter, "filter", ex_wrongmodifier,
+ EX_BANG|EX_NEEDARG|EX_EXTRA|EX_NOTRLCOM,
+ ADDR_NONE),
+ EXCMD(CMD_find, "find", ex_find,
+- EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
++ EX_RANGE|EX_BANG|EX_FILE1|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ ADDR_OTHER),
+ EXCMD(CMD_finally, "finally", ex_finally,
+ EX_TRLBAR|EX_SBOXOK|EX_CMDWIN,
+@@ -1319,7 +1319,7 @@ EXCMD(CMD_setlocal, "setlocal", ex_set,
+ EX_TRLBAR|EX_EXTRA|EX_CMDWIN|EX_SBOXOK,
+ ADDR_NONE),
+ EXCMD(CMD_sfind, "sfind", ex_splitview,
+- EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
++ EX_BANG|EX_FILE1|EX_RANGE|EX_CMDARG|EX_ARGOPT|EX_TRLBAR|EX_NEEDARG,
+ ADDR_OTHER),
+ EXCMD(CMD_sfirst, "sfirst", ex_rewind,
+ EX_EXTRA|EX_BANG|EX_CMDARG|EX_ARGOPT|EX_TRLBAR,
+diff --git a/src/testdir/test_find_complete.vim b/src/testdir/test_find_complete.vim
+index 679bf3c..32ca967 100644
+--- a/src/testdir/test_find_complete.vim
++++ b/src/testdir/test_find_complete.vim
+@@ -15,22 +15,22 @@ func Test_find_complete()
+
+ new
+ set path=
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E345:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=.
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=.,,
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ new
+ set path=./**
+- call assert_fails('call feedkeys(":find\t\n", "xt")', 'E32:')
++ call assert_fails('call feedkeys(":find \t\n", "xt")', 'E471:')
+ close
+
+ " We shouldn't find any file till this point
+--
+2.23.0
\ No newline at end of file
diff --git a/vim.spec b/vim.spec
index 6476c2e..a2ef33c 100644
--- a/vim.spec
+++ b/vim.spec
@@ -11,7 +11,7 @@ Name: vim
 Epoch: 2
 Version: 8.2
-Release: 6
+Release: 7
 Summary: Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License: Vim and MIT
 URL: http://www.vim.org
@@ -40,6 +40,10 @@ Patch6006: backport-CVE-2021-3875.patch
 Patch6007: backport-CVE-2021-3903.patch
 Patch6008: backport-CVE-2021-3927.patch
 Patch6009: backport-CVE-2021-3928.patch
+Patch6010: backport-CVE-2021-3973.patch
+Patch6011: backport-CVE-2021-3974.patch
+Patch6012: backport-find-test-fails.patch
+Patch6013: backport-no-early-check-if-find-and-sfind-have-an-argument.patch
 Patch9000: bugfix-rm-modify-info-version.patch
@@ -428,6 +432,12 @@ popd
 %{_mandir}/man1/evim.*
 %changelog
+* Tue Nov 30 2021 shixuantong - 2:8.2-7
+- Type:CVE
+- ID:CVE-2021-3973 CVE-2021-3974
+- SUG:NA
+- DESC:fix CVE-2021-3973 CVE-2021-3974
+
 * Sat Nov 13 2021 shixuantong - 2:8.2-6
 - Type:CVE
 - ID:CVE-2021-3927 CVE-2021-3927
--
Gitee
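Review bot: The changelog entry added at the end of the vim.spec section names only the two CVEs, while Patch6012 and Patch6013 pull in two non-CVE upstream patches (8.2.3613 and 8.2.0407) that are there to keep Test_find_complete passing after the 3973 fix; 8.2.0407 also changes user-visible behaviour, since `:find` and `:sfind` without an argument now fail early with E471 through EX_NEEDARG instead of reaching the path search, so the DESC line should say so, e.g. `- DESC:fix CVE-2021-3973 CVE-2021-3974; add 8.2.3613 and 8.2.0407 (:find/:sfind now require an argument) for the :find tests`. The Patch60xx numbering also encodes a hard ordering: backport-find-test-fails.patch rewrites the findfile.c hunk that backport-CVE-2021-3973.patch introduces (its index line starts from the 7a4dfe5 blob the 3973 patch produces), so 6012 must stay after 6010 if the series is ever renumbered.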