patch 9.0.2158: [security]: use-after-free in check_argument_type

Problem: [security]: use-after-free in check_argument_type Solution: Reset function type pointer when freeing the function type list function pointer fp->uf_func_type may point to the same memory, that was allocated for fp->uf_type_list. However, when cleaning up a function definition (e.g. because it was invalid), fp->uf_type_list will be freed, but fp->uf_func_type may still point to the same (now) invalid memory address. So when freeing the fp->uf_type_list, check if fp->func_type points to any of those types and if it does, reset the fp->uf_func_type pointer to the t_func_any (default) type pointer closes: #13652 Signed-off-by: Christian Brabandt <cb@256bit.org>
vim · Dec 11, 2023 · 0f28791 · 0f28791
1 parent e4a450a
commit 0f28791
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 2 deletions.
diff --git a/src/proto/vim9type.pro b/src/proto/vim9type.pro
@@ -2,6 +2,7 @@
 type_T *get_type_ptr(garray_T *type_gap);
 type_T *copy_type(type_T *type, garray_T *type_gap);
 void clear_type_list(garray_T *gap);
+void clear_func_type_list(garray_T *gap, type_T **func_type);
 type_T *alloc_type(type_T *type);
 void free_type(type_T *type);
 void set_tv_type(typval_T *tv, type_T *type);

diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
@@ -184,6 +184,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/poc_uaf_check_argument_types'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!

diff --git a/src/userfunc.c b/src/userfunc.c
@@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp)
     VIM_CLEAR(fp->uf_arg_types);
     VIM_CLEAR(fp->uf_block_ids);
     VIM_CLEAR(fp->uf_va_name);
-    clear_type_list(&fp->uf_type_list);
+    clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
 
     // Increment the refcount of this function to avoid it being freed
     // recursively when the partial is freed.
@@ -5435,7 +5435,7 @@ define_function(
     {
 	VIM_CLEAR(fp->uf_arg_types);
 	VIM_CLEAR(fp->uf_va_name);
-	clear_type_list(&fp->uf_type_list);
+	clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
     }
     if (free_fp)
 	VIM_CLEAR(fp);

diff --git a/src/version.c b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    2158,
 /**/
     2157,
 /**/

diff --git a/src/vim9type.c b/src/vim9type.c
@@ -122,6 +122,19 @@ clear_type_list(garray_T *gap)
     ga_clear(gap);
 }
 
+    void
+clear_func_type_list(garray_T *gap, type_T **func_type)
+{
+    while (gap->ga_len > 0)
+    {
+	// func_type pointing to the uf_type_list, so reset pointer
+	if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len])
+	    *func_type = &t_func_any;
+	vim_free(((type_T **)gap->ga_data)[gap->ga_len]);
+    }
+    ga_clear(gap);
+}
+
 /*
  * Take a type that is using entries in a growarray and turn it into a type
  * with allocated entries.