patch 9.1.0764: [security]: use-after-free when closing a buffer

Problem: [security]: use-after-free when closing a buffer Solution: When splitting the window and editing a new buffer, check whether the newly to be edited buffer has been marked for deletion and abort in this case Github Advisory: https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg Signed-off-by: Christian Brabandt <cb@256bit.org>
2025-09-23 03:43:49 -04:00 · 2024-10-06 17:31:10 +02:00
parent 818c641b6f
commit 51b62387be
5 changed files with 40 additions and 0 deletions
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -497,6 +497,12 @@ can_unload_buffer(buf_T *buf)
    return can_unload;
 }

+    int
+buf_locked(buf_T *buf)
+{
+    return buf->b_locked || buf->b_locked_split;
+}
+
 /*
 * Close the link to a buffer.
 * "action" is used when there is no longer a window for the buffer.
--- a/src/ex_cmds.c
+++ b/src/ex_cmds.c
@@ -2743,6 +2743,18 @@ do_ecmd(
 	}
 	if (buf == NULL)
 	    goto theend;
+	// autocommands try to edit a file that is goind to be removed,
+	// abort
+	if (buf_locked(buf))
+	{
+	    // window was split, but not editing the new buffer,
+	    // reset b_nwindows again
+	    if (oldwin == NULL
+		    && curwin->w_buffer != NULL
+		    && curwin->w_buffer->b_nwindows > 1)
+		--curwin->w_buffer->b_nwindows;
+	    goto theend;
+	}
 	if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)
 	    // reusing the buffer, keep the old alternate file
 	    curwin->w_alt_fnum = prev_alt_fnum;
--- a/src/proto/buffer.pro
+++ b/src/proto/buffer.pro
@@ -70,4 +70,5 @@ char_u *buf_get_fname(buf_T *buf);
 void set_buflisted(int on);
 int buf_contents_changed(buf_T *buf);
 void wipe_buffer(buf_T *buf, int aucmd);
+int buf_locked(buf_T *buf);
 /* vim: set ft=c : */
--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
@@ -4883,4 +4883,23 @@ func Test_GuiEnter_Turkish_locale()
  endtry
 endfunc

+" This was using freed memory
+func Test_autocmd_BufWinLeave_with_vsp()
+  new
+  let fname = 'XXXBufWinLeaveUAF.txt'
+  let dummy = 'XXXDummy.txt'
+  call writefile([], fname)
+  call writefile([], dummy)
+  defer delete(fname)
+  defer delete(dummy)
+  exe "e " fname
+  vsp
+  augroup testing
+    exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
+  augroup END
+  bw
+  call CleanUpTestAuGroup()
+  exe "bw! " .. dummy
+endfunc
+
 " vim: shiftwidth=2 sts=2 expandtab
--- a/src/version.c
+++ b/src/version.c
@@ -704,6 +704,8 @@ static char *(features[]) =

 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    764,
 /**/
    763,
 /**/