!259 [sync] PR-238: Fix CVE-2022-1898 CVE-2022-1942

From: @openeuler-sync-bot Reviewed-by: @lvying6 Signed-off-by: @lvying6
2022-06-30 02:17:10 +00:00 · 2022-06-30 02:17:10 +00:00 · d1230baa14
commit d1230baa14
parent 91d73e6e8f bb324c55d8
4 changed files with 265 additions and 1 deletions
--- a/backport-CVE-2022-1898.patch
+++ b/backport-CVE-2022-1898.patch
@ -0,0 +1,57 @@
+From e2fa213cf571041dbd04ab0329303ffdc980678a Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Thu, 26 May 2022 16:32:44 +0100
+Subject: [PATCH] patch 8.2.5024: using freed memory with "]d"
+ 
+Problem:    Using freed memory with "]d".
+Solution:   Copy the pattern before searching.
+
+---
+ src/normal.c                 | 6 ++++++
+ src/testdir/test_tagjump.vim | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/normal.c b/src/normal.c
+index e9e587d..f122627 100644
+--- a/src/normal.c
+++ b/src/normal.c
+@@ -4425,6 +4425,11 @@ nv_brackets(cmdarg_T *cap)
+ 	    clearop(cap->oap);
+ 	else
+ 	{
+	    // Make a copy, if the line was changed it will be freed.
+	    ptr = vim_strnsave(ptr, len);
+	    if (ptr == NULL)
+		return;
+
+ 	    find_pattern_in_path(ptr, 0, len, TRUE,
+ 		cap->count0 == 0 ? !isupper(cap->nchar) : FALSE,
+ 		((cap->nchar & 0xf) == ('d' & 0xf)) ?  FIND_DEFINE : FIND_ANY,
+@@ -4433,6 +4438,7 @@ nv_brackets(cmdarg_T *cap)
+ 			    islower(cap->nchar) ? ACTION_SHOW : ACTION_GOTO,
+ 		cap->cmdchar == ']' ? curwin->w_cursor.lnum + 1 : (linenr_T)1,
+ 		(linenr_T)MAXLNUM);
+	    vim_free(ptr);
+ 	    curwin->w_set_curswant = TRUE;
+ 	}
+     }
+diff --git a/src/testdir/test_tagjump.vim b/src/testdir/test_tagjump.vim
+index 24df68f..c682682 100644
+--- a/src/testdir/test_tagjump.vim
+++ b/src/testdir/test_tagjump.vim
+@@ -563,6 +563,12 @@ func Test_define_search()
+   sil norm o0
+   sil! norm 
+   bwipe!
+
+  new somefile
++  call setline(1, ['first line', '', '#define something 0'])
++  sil norm 0o0
++  sil! norm ]d
++  bwipe!
+ endfunc
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+-- 
+2.27.0
+
--- a/backport-CVE-2022-1942.patch
+++ b/backport-CVE-2022-1942.patch
@ -0,0 +1,140 @@
+From 71223e2db87c2bf3b09aecb46266b56cda26191d Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 30 May 2022 15:23:09 +0100
+Subject: [PATCH] patch 8.2.5043: can open a cmdline window from a substitute
+ expression
+
+Problem:    Can open a cmdline window from a substitute expression.
+Solution:   Disallow opening a command line window when text or buffer is
+            locked.
+
+---
+ src/buffer.c                    |  7 +------
+ src/ex_getln.c                  | 19 +++++++++++++++++++
+ src/proto/ex_getln.pro          |  1 +
+ src/testdir/test_substitute.vim | 24 ++++++++++++++++++++++++
+ src/window.c                    |  5 +----
+ 5 files changed, 46 insertions(+), 10 deletions(-)
+
+diff --git a/src/buffer.c b/src/buffer.c
+index 88094ee..8fabbdb 100644
+--- a/src/buffer.c
+++ b/src/buffer.c
+@@ -2364,12 +2364,7 @@ buflist_getfile(
+     if (buf == curbuf)
+ 	return OK;
+ 
+-    if (text_locked())
+-    {
+-	text_locked_msg();
+-	return FAIL;
+-    }
+-    if (curbuf_locked())
+    if (text_or_buf_locked())
+ 	return FAIL;
+ 
+     // altfpos may be changed by getfile(), get it now
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index 64b393d..d5fc38d 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -2588,6 +2588,21 @@ text_locked(void)
+     return text_and_win_locked() || textlock != 0;
+ }
+ 
+/*
+ * Check for text, window or buffer locked.
+ * Give an error message and return TRUE if something is locked.
+ */
+    int
+text_or_buf_locked(void)
+{
+    if (text_locked())
+    {
+	text_locked_msg();
+	return TRUE;
+    }
+    return curbuf_locked();
+}
+
+ /*
+  * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is
+  * and give an error message.
+@@ -4170,6 +4185,10 @@ open_cmdwin(void)
+     int			save_KeyTyped;
+ #endif
+ 
+    // Can't do this when text or buffer is locked.
+    if (text_or_buf_locked())
+	return K_IGNORE;
+
+     // Can't do this recursively.  Can't do it when typing a password.
+     if (cmdwin_type != 0
+ # if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
+diff --git a/src/proto/ex_getln.pro b/src/proto/ex_getln.pro
+index f64bb1f..7597457 100644
+--- a/src/proto/ex_getln.pro
+++ b/src/proto/ex_getln.pro
+@@ -7,6 +7,7 @@ int text_and_win_locked(void);
+ void text_locked_msg(void);
+ char *get_text_locked_msg(void);
+ int text_locked(void);
+int text_or_buf_locked(void);
+ int curbuf_locked(void);
+ int allbuf_locked(void);
+ char_u *getexline(int c, void *cookie, int indent, int do_concat);
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index bda96f6..ebc0839 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -775,3 +775,27 @@ func Test_sub_change_window()
+   delfunc Repl
+ endfunc
+ 
+" This was opening a command line window from the expression
+func Test_sub_open_cmdline_win()
+  " the error only happens in a very specific setup, run a new Vim instance to
+  " get a clean starting point.
+  let lines =<< trim [SCRIPT]
+    norm o0000000000000000000000000000000000000000000000000000
+    func Replace()
+      norm q/
+    endfunc
+    s/\%')/\=Replace()
+    redir >Xresult
+    messages
+    redir END
+    qall!
+  [SCRIPT]
+  call writefile(lines, 'Xscript')
+  if RunVim([], [], '-u NONE -S Xscript')
+    let messages = readfile('Xresult')
+    call assert_match('E565: Not allowed to change text or change window', messages[3])
+  endif
+
+  call delete('Xscript')
+  call delete('Xresult')
+endfunc
+diff --git a/src/window.c b/src/window.c
+index 0a154b0..d8091f9 100644
+--- a/src/window.c
+++ b/src/window.c
+@@ -4343,14 +4343,11 @@ win_goto(win_T *wp)
+ 
+     if (ERROR_IF_POPUP_WINDOW)
+ 	return;
+-    if (text_and_win_locked())
+    if (text_or_buf_locked())
+     {
+ 	beep_flush();
+-	text_locked_msg();
+ 	return;
+     }
+-    if (curbuf_locked())
+-	return;
+ 
+     if (wp->w_buffer != curbuf)
+ 	reset_VIsual_and_resel();
+-- 
+2.27.0
+
--- a/backport-fix-test-failed.patch
+++ b/backport-fix-test-failed.patch
@ -0,0 +1,58 @@
+From be99042b03edf7b8156c9adbc23516bfcf2cec0f Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar <Bram@vim.org>
+Date: Mon, 30 May 2022 16:01:42 +0100
+Subject: [PATCH] patch 8.2.5044: command line test fails
+
+Problem:    Command line test fails.
+Solution:   Also beep when cmdline win can't be opened because of locks.
+            Make the test not beep.  Make the test pass on MS-Windows.
+
+---
+ src/ex_getln.c                  | 6 ++----
+ src/testdir/test_substitute.vim | 5 +++--
+ 2 files changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/ex_getln.c b/src/ex_getln.c
+index d5fc38d..7571ae2 100644
+--- a/src/ex_getln.c
+++ b/src/ex_getln.c
+@@ -4186,11 +4186,9 @@ open_cmdwin(void)
+ #endif
+ 
+     // Can't do this when text or buffer is locked.
+-    if (text_or_buf_locked())
+-	return K_IGNORE;
+-
+     // Can't do this recursively.  Can't do it when typing a password.
+-    if (cmdwin_type != 0
+    if (text_or_buf_locked()
+	    || cmdwin_type != 0
+ # if defined(FEAT_CRYPT) || defined(FEAT_EVAL)
+ 	    || cmdline_star > 0
+ # endif
+diff --git a/src/testdir/test_substitute.vim b/src/testdir/test_substitute.vim
+index 367f472..3450c4f 100644
+--- a/src/testdir/test_substitute.vim
+++ b/src/testdir/test_substitute.vim
+@@ -781,6 +781,7 @@ func Test_sub_open_cmdline_win()
+   " the error only happens in a very specific setup, run a new Vim instance to
+   " get a clean starting point.
+   let lines =<< trim [SCRIPT]
+  set vb t_vb=
+     norm o0000000000000000000000000000000000000000000000000000
+     func Replace()
+       norm q/
+@@ -793,8 +794,8 @@ func Test_sub_open_cmdline_win()
+   [SCRIPT]
+   call writefile(lines, 'Xscript')
+   if RunVim([], [], '-u NONE -S Xscript')
+-    let messages = readfile('Xresult')
+-    call assert_match('E565: Not allowed to change text or change window', messages[3])
+    call assert_match('E565: Not allowed to change text or change window',
+          \ readfile('Xresult')->join('XX'))
+   endif
+ 
+   call delete('Xscript')
+-- 
+2.27.0
+
--- a/vim.spec
+++ b/vim.spec
@ -12,7 +12,7 @@
 Name:           vim
 Epoch:          2
 Version:        8.2
-Release:        40
+Release:        41
 Summary:        Vim is a highly configurable text editor for efficiently creating and changing any kind of text.
 License:        Vim and MIT
 URL:            http://www.vim.org
@ -116,6 +116,9 @@ Patch6079:      backport-CVE-2022-1927.patch
 Patch6080:      backport-after-a-put-the-mark-is-on-the-last-byte.patch
 Patch6081:      backport-illegal-memory-access.patch
 Patch6082:      backport-CVE-2022-1886.patch
+Patch6083:      backport-CVE-2022-1898.patch
+Patch6084:      backport-CVE-2022-1942.patch
+Patch6085:      backport-fix-test-failed.patch

 Patch9000:      bugfix-rm-modify-info-version.patch

@ -504,6 +507,12 @@ popd
 %{_mandir}/man1/evim.*

 %changelog
+* Wed Jun 15 2022 tianwei <tianwei12@h-partners.com> - 2:8.2-41
+- Type:CVE
+- ID:CVE-2022-1898 CVE-2022-1942
+- SUG:NA
+- DESC:fix CVE-2022-1898 CVE-2022-1942
+
 * Wed Jun 15 2022 renhongxun <renhongxun@h-partners.com> - 2:8.2-40
 - Type:CVE
 - ID:CVE-2022-1886