fix CVE-2022-3352

(cherry picked from commit 8eeedb6a75f467046ee8b2255e8738d07271be93)
2022-10-08 14:36:39 +08:00 · 2022-10-08 14:36:39 +08:00 · 6d81690672
commit 6d81690672
parent 6c6371856b
2 changed files with 86 additions and 1 deletions
--- a/backport-CVE-2022-3352.patch
+++ b/backport-CVE-2022-3352.patch
@ -0,0 +1,77 @@
+From ef976323e770315b5fca544efb6b2faa25674d15 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Wed, 28 Sep 2022 11:48:30 +0100
+Subject: [PATCH] patch 9.0.0614: SpellFileMissing autocmd may delete buffer
+
+Problem:    SpellFileMissing autocmd may delete buffer.
+Solution:   Disallow deleting the current buffer to avoid using freed memory.
+---
+ src/buffer.c                 |  6 +++++-
+ src/spell.c                  |  6 ++++++
+ src/testdir/test_autocmd.vim | 11 +++++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index f66c234..b647d82 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -465,8 +465,12 @@ can_unload_buffer(buf_T *buf)
+ 	    }
+     }
+     if (!can_unload)
+    {
+	char_u *fname = buf->b_fname != NULL ? buf->b_fname : buf->b_ffname;
+
+ 	semsg(_("E937: Attempt to delete a buffer that is in use: %s"),
+-								 buf->b_fname);
+				fname != NULL ? fname : (char_u *)"[No Name]");
+    }
+     return can_unload;
+ }
+ 
+diff --git a/src/spell.c b/src/spell.c
+index 1d7a1ae..e32dbe7 100644
+--- a/src/spell.c
+++ b/src/spell.c
+@@ -1539,6 +1539,10 @@ spell_load_lang(char_u *lang)
+     sl.sl_slang = NULL;
+     sl.sl_nobreak = FALSE;
+ 
+    // Disallow deleting the current buffer.  Autocommands can do weird things
+    // and cause "lang" to be freed.
+    ++curbuf->b_locked;
+
+     // We may retry when no spell file is found for the language, an
+     // autocommand may load it then.
+     for (round = 1; round <= 2; ++round)
+@@ -1592,6 +1596,8 @@ spell_load_lang(char_u *lang)
+ 	STRCPY(fname_enc + STRLEN(fname_enc) - 3, "add.spl");
+ 	do_in_runtimepath(fname_enc, DIP_ALL, spell_load_cb, &sl);
+     }
+
+    --curbuf->b_locked;
+ }
+ 
+ /*
+diff --git a/src/testdir/test_autocmd.vim b/src/testdir/test_autocmd.vim
+index 27ec80d..e7ffc37 100755
+--- a/src/testdir/test_autocmd.vim
+++ b/src/testdir/test_autocmd.vim
+@@ -2343,3 +2343,14 @@ func Test_BufWrite_lockmarks()
+   call delete('Xtest')
+   call delete('Xtest2')
+ endfunc
+
+" this was wiping out the current buffer and using freed memory
+func Test_SpellFileMissing_bwipe()
+  next 0
+  au SpellFileMissing 0 bwipe
+  call assert_fails('set spell spelllang=0', 'E937:')
+
+  au! SpellFileMissing
+  bwipe
+endfunc
+
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        67
+Release:        68
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -188,6 +188,7 @@ Patch6146:      backport-CVE-2022-3134.patch
 Patch6147:      backport-CVE-2022-3234.patch
 Patch6148:      backport-CVE-2022-3235.patch
 Patch6149:      backport-CVE-2022-3256.patch
+Patch6150:      backport-CVE-2022-3352.patch

 BuildRequires:  autoconf python3-devel ncurses-devel gettext perl-devel perl-generators gcc
 BuildRequires:  perl(ExtUtils::Embed) perl(ExtUtils::ParseXS) libacl-devel gpm-devel file
@ -481,6 +482,7 @@ popd
 %{_bindir}/vim -c ":helptags %{_datadir}/%{name}/vimfiles/doc" -c :q &> /dev/null || :

 %check
+export TERM=linux
 LC_ALL=en_US.UTF-8 make -j1 test

 %files common
@ -576,6 +578,12 @@ LC_ALL=en_US.UTF-8 make -j1 test
 %{_mandir}/man1/evim.*

 %changelog
+* Mon Oct 10 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-68
+- Type:CVE
+- ID:CVE-2022-3352
+- SUG:NA
+- DESC:fix CVE-2022-3352
+
 * Fri Sep 23 2022 dongyuzhen <dongyuzhen@h-partners.com> - 2:8.2-67
 - Type:CVE
 - ID:CVE-2022-3256