Skip to content

Commit 6cb1c82

Browse files
seandewarchrisbra
authored andcommitted
patch 9.1.1361: [security]: possible use-after-free when closing a buffer
Problem: [security]: Possible to open more windows into a closing buffer without splitting, bypassing existing "b_locked_split" checks and triggering use-after-free Solution: Disallow switching to a closing buffer. Editing a closing buffer (via ":edit", etc.) was fixed in v9.1.0764, but add an error message and check just "b_locked_split", as "b_locked" is necessary only when the buffer shouldn't be wiped, and may be set for buffers that are in-use but not actually closing. (Sean Dewar) closes: #17246 Signed-off-by: Sean Dewar <6256228+seandewar@users.noreply.github.com> Signed-off-by: Christian Brabandt <cb@256bit.org>
1 parent c3f48e3 commit 6cb1c82

8 files changed

Lines changed: 59 additions & 18 deletions

File tree

src/buffer.c

Lines changed: 13 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -526,12 +526,6 @@ can_unload_buffer(buf_T *buf)
526526
return can_unload;
527527
}
528528

529-
int
530-
buf_locked(buf_T *buf)
531-
{
532-
return buf->b_locked || buf->b_locked_split;
533-
}
534-
535529
/*
536530
* Close the link to a buffer.
537531
* "action" is used when there is no longer a window for the buffer.
@@ -1432,12 +1426,19 @@ do_buffer_ext(
14321426
if ((flags & DOBUF_NOPOPUP) && bt_popup(buf) && !bt_terminal(buf))
14331427
return OK;
14341428
#endif
1435-
if (
1436-
action == DOBUF_GOTO
1437-
&& buf != curbuf
1438-
&& !check_can_set_curbuf_forceit((flags & DOBUF_FORCEIT) ? TRUE : FALSE))
1439-
// disallow navigating to another buffer when 'winfixbuf' is applied
1440-
return FAIL;
1429+
if (action == DOBUF_GOTO && buf != curbuf)
1430+
{
1431+
if (!check_can_set_curbuf_forceit((flags & DOBUF_FORCEIT) != 0))
1432+
// disallow navigating to another buffer when 'winfixbuf' is applied
1433+
return FAIL;
1434+
if (buf->b_locked_split)
1435+
{
1436+
// disallow navigating to a closing buffer, which like splitting,
1437+
// can result in more windows displaying it
1438+
emsg(_(e_cannot_switch_to_a_closing_buffer));
1439+
return FAIL;
1440+
}
1441+
}
14411442

14421443
if ((action == DOBUF_GOTO || action == DOBUF_SPLIT)
14431444
&& (buf->b_flags & BF_DUMMY))

src/errors.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3728,3 +3728,5 @@ EXTERN char e_failed_resizing_quickfix_stack[]
37283728
EXTERN char e_no_quickfix_stack[]
37293729
INIT(= N_("E1545: Quickfix list stack unavailable"));
37303730
#endif
3731+
EXTERN char e_cannot_switch_to_a_closing_buffer[]
3732+
INIT(= N_("E1546: Cannot switch to a closing buffer"));

src/ex_cmds.c

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2743,16 +2743,17 @@ do_ecmd(
27432743
}
27442744
if (buf == NULL)
27452745
goto theend;
2746-
// autocommands try to edit a file that is going to be removed,
2747-
// abort
2748-
if (buf_locked(buf))
2746+
// autocommands try to edit a closing buffer, which like splitting, can
2747+
// result in more windows displaying it; abort
2748+
if (buf->b_locked_split)
27492749
{
27502750
// window was split, but not editing the new buffer,
27512751
// reset b_nwindows again
27522752
if (oldwin == NULL
27532753
&& curwin->w_buffer != NULL
27542754
&& curwin->w_buffer->b_nwindows > 1)
27552755
--curwin->w_buffer->b_nwindows;
2756+
emsg(_(e_cannot_switch_to_a_closing_buffer));
27562757
goto theend;
27572758
}
27582759
if (curwin->w_alt_fnum == buf->b_fnum && prev_alt_fnum != 0)

src/proto/buffer.pro

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@ int open_buffer(int read_stdin, exarg_T *eap, int flags_arg);
55
void set_bufref(bufref_T *bufref, buf_T *buf);
66
int bufref_valid(bufref_T *bufref);
77
int buf_valid(buf_T *buf);
8-
int buf_locked(buf_T *buf);
98
int close_buffer(win_T *win, buf_T *buf, int action, int abort_if_last, int ignore_abort);
109
void buf_clear_file(buf_T *buf);
1110
void buf_freeall(buf_T *buf, int flags);

src/structs.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3072,7 +3072,7 @@ struct file_buffer
30723072
int b_locked; // Buffer is being closed or referenced, don't
30733073
// let autocommands wipe it out.
30743074
int b_locked_split; // Buffer is being closed, don't allow opening
3075-
// a new window with it.
3075+
// it in more windows.
30763076

30773077
/*
30783078
* b_ffname has the full path of the file (NULL for no name).

src/testdir/test_autocmd.vim

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5035,7 +5035,8 @@ func Test_autocmd_BufWinLeave_with_vsp()
50355035
exe "e " fname
50365036
vsp
50375037
augroup testing
5038-
exe "au BufWinLeave " .. fname .. " :e " dummy .. "| vsp " .. fname
5038+
exe 'au BufWinLeave' fname 'e' dummy
5039+
\ '| call assert_fails(''vsp' fname ''', ''E1546:'')'
50395040
augroup END
50405041
bw
50415042
call CleanUpTestAuGroup()

src/testdir/test_buffer.vim

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -569,4 +569,39 @@ func Test_buflist_alloc_failure()
569569
call assert_fails('cexpr "XallocFail6:10:Line10"', 'E342:')
570570
endfunc
571571

572+
func Test_closed_buffer_still_in_window()
573+
%bw!
574+
575+
let s:w = win_getid()
576+
new
577+
let s:b = bufnr()
578+
setl bufhidden=wipe
579+
580+
augroup ViewClosedBuffer
581+
autocmd!
582+
autocmd BufUnload * ++once call assert_fails(
583+
\ 'call win_execute(s:w, "' .. s:b .. 'b")', 'E1546:')
584+
augroup END
585+
quit!
586+
" Previously resulted in s:b being curbuf while unloaded (no memfile).
587+
call assert_equal(1, bufloaded(bufnr()))
588+
call assert_equal(0, bufexists(s:b))
589+
590+
let s:w = win_getid()
591+
split
592+
new
593+
let s:b = bufnr()
594+
595+
augroup ViewClosedBuffer
596+
autocmd!
597+
autocmd BufWipeout * ++once call win_gotoid(s:w)
598+
\| call assert_fails(s:b .. 'b', 'E1546:') | wincmd p
599+
augroup END
600+
bw! " Close only this buffer first; used to be a heap UAF.
601+
602+
unlet! s:w s:b
603+
autocmd! ViewClosedBuffer
604+
%bw!
605+
endfunc
606+
572607
" vim: shiftwidth=2 sts=2 expandtab

src/version.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -704,6 +704,8 @@ static char *(features[]) =
704704

705705
static int included_patches[] =
706706
{ /* Add new patch number below this line */
707+
/**/
708+
1361,
707709
/**/
708710
1360,
709711
/**/

0 commit comments

Comments
 (0)