From 9f2d793068144ef92765fefd729b0eeffde11b7a Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 2 Aug 2024 05:56:27 +0800
Subject: [PATCH 1/3] vim-patch:9.0.2149: [security]: use-after-free in
 exec_instructions()

Problem:  [security]: use-after-free in exec_instructions()
Solution: get tv pointer again

[security]: use-after-free in exec_instructions()

exec_instructions may access freed memory, if the GA_GROWS_FAILS()
re-allocates memory. When this happens, the typval tv may still point to
now already freed memory. So let's get that pointer again and compare it
with tv. If those two pointers differ, tv is now invalid and we have to
refresh the tv pointer.

closes: vim/vim#13621

https://github.com/vim/vim/commit/5dd41d4b6370b7b7d09d691f9252b3899c66102a

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 .../testdir/crash/poc_uaf_exec_instructions   | Bin 0 -> 69 bytes
 test/old/testdir/test_crash.vim               |  39 +++++++++++-------
 2 files changed, 25 insertions(+), 14 deletions(-)
 create mode 100644 test/old/testdir/crash/poc_uaf_exec_instructions

diff --git a/test/old/testdir/crash/poc_uaf_exec_instructions b/test/old/testdir/crash/poc_uaf_exec_instructions
new file mode 100644
index 0000000000000000000000000000000000000000..49ae8577ff5bf7c47f86a3691525957b0eb57433
GIT binary patch
literal 69
zcmYdEO;ZTc&}86BfiZwQt}=bD)Vvg+5EoamevGQRrhbeqNE|Gvz?ILyRaVSpP@G)E
Kkiu1*&j0{PG7%L3

literal 0
HcmV?d00001

diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 49e712a901..242da8e5db 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -113,6 +113,7 @@ endfunc
 func Test_crash1_2()
   CheckNotBSD
   CheckExecutable dash
+  let g:test_is_flaky = 1
 
   " The following used to crash Vim
   let opts = #{cmd: 'sh'}
@@ -149,22 +150,9 @@ func Test_crash1_2()
     \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
   call TermWait(buf, 150)
 
-  let file = 'crash/poc_ex_substitute'
-  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'"
-  let args = printf(cmn_args, vim, file)
-  " just make sure it runs, we don't care about the resulting echo
-  call term_sendkeys(buf, args .. "\<cr>")
-  " There is no output generated in Github CI for the asan clang build.
-  " so just skip generating the ouput.
-  " call term_sendkeys(buf, args ..
-  "   \ ' &&  echo "crash 5: [OK]" >> '.. result .. "\<cr>")
-  call TermWait(buf, 150)
-
   " clean up
   exe buf .. "bw!"
-
   exe "sp " .. result
-
   let expected = [
       \ 'crash 1: [OK]',
       \ 'crash 2: [OK]',
@@ -174,10 +162,33 @@ func Test_crash1_2()
 
   call assert_equal(expected, getline(1, '$'))
   bw!
-
   call delete(result)
 endfunc
 
+" This test just runs various scripts, that caused issues before.
+" We are not really asserting anything here, it's just important
+" that ASAN does not detect any issues.
+func Test_crash1_3()
+  let vim  = GetVimProg()
+  let buf = RunVimInTerminal('sh', #{cmd: 'sh'})
+
+  let file = 'crash/poc_ex_substitute'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  let file = 'crash/poc_uaf_exec_instructions'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
+  " clean up
+  exe buf .. "bw!"
+  bw!
+endfunc
+
 func Test_crash2()
   " The following used to crash Vim
   let opts = #{wait_for_ruler: 0, rows: 20}

From a4bec30b7b2fa66a2db9d03f54e51dff58116465 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 2 Aug 2024 05:58:20 +0800
Subject: [PATCH 2/3] vim-patch:9.0.2158: [security]: use-after-free in
 check_argument_type

Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: vim/vim#13652

https://github.com/vim/vim/commit/0f28791b215bd4c22ed580839409c2f7d39d8140

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 .../old/testdir/crash/poc_uaf_check_argument_types | Bin 0 -> 43 bytes
 test/old/testdir/test_crash.vim                    |   6 ++++++
 2 files changed, 6 insertions(+)
 create mode 100644 test/old/testdir/crash/poc_uaf_check_argument_types

diff --git a/test/old/testdir/crash/poc_uaf_check_argument_types b/test/old/testdir/crash/poc_uaf_check_argument_types
new file mode 100644
index 0000000000000000000000000000000000000000..83a2e7b0a69305a319dde36451416092f5153ef2
GIT binary patch
literal 43
ycmYdEO;ZTcNVDbAWZ+88OG!yh<0{sVQB~K}kFgEX(BvvB<}xTwF5)WAX8-{DR|{DH

literal 0
HcmV?d00001

diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index 242da8e5db..fd786e5d54 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -184,6 +184,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/poc_uaf_check_argument_types'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!

From 6af359ef4cc3c221e0e3102ab2b54cf64d7c9835 Mon Sep 17 00:00:00 2001
From: zeertzjq <zeertzjq@outlook.com>
Date: Fri, 2 Aug 2024 06:00:02 +0800
Subject: [PATCH 3/3] vim-patch:9.1.0647: [security] use-after-free in
 tagstack_clear_entry

Problem:  [security] use-after-free in tagstack_clear_entry
          (Suyue Guo )
Solution: Instead of manually calling vim_free() on each of the tagstack
          entries, let's use tagstack_clear_entry(), which will
          also free the stack, but using the VIM_CLEAR macro,
          which prevents a use-after-free by setting those pointers
          to NULL

This addresses CVE-2024-41957

Github advisory:
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4

https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a2d5

Co-authored-by: Christian Brabandt <cb@256bit.org>
---
 src/nvim/window.c                     |   4 ++--
 test/functional/legacy/crash_spec.lua |  19 +++++++++++++++++++
 test/old/testdir/crash/double_free    | Bin 0 -> 561 bytes
 test/old/testdir/test_crash.vim       |   6 ++++++
 4 files changed, 27 insertions(+), 2 deletions(-)
 create mode 100644 test/old/testdir/crash/double_free

diff --git a/src/nvim/window.c b/src/nvim/window.c
index b770f0ccab..4fde200a01 100644
--- a/src/nvim/window.c
+++ b/src/nvim/window.c
@@ -73,6 +73,7 @@
 #include "nvim/statusline.h"
 #include "nvim/strings.h"
 #include "nvim/syntax.h"
+#include "nvim/tag.h"
 #include "nvim/terminal.h"
 #include "nvim/types_defs.h"
 #include "nvim/ui.h"
@@ -5205,8 +5206,7 @@ void win_free(win_T *wp, tabpage_T *tp)
   xfree(wp->w_lines);
 
   for (int i = 0; i < wp->w_tagstacklen; i++) {
-    xfree(wp->w_tagstack[i].tagname);
-    xfree(wp->w_tagstack[i].user_data);
+    tagstack_clear_entry(&wp->w_tagstack[i]);
   }
 
   xfree(wp->w_localdir);
diff --git a/test/functional/legacy/crash_spec.lua b/test/functional/legacy/crash_spec.lua
index 04f77c7d4f..e72c3a512a 100644
--- a/test/functional/legacy/crash_spec.lua
+++ b/test/functional/legacy/crash_spec.lua
@@ -1,8 +1,12 @@
+local t = require('test.testutil')
 local n = require('test.functional.testnvim')()
 
 local assert_alive = n.assert_alive
 local clear = n.clear
 local command = n.command
+local eq = t.eq
+local eval = n.eval
+local exec = n.exec
 local feed = n.feed
 
 before_each(clear)
@@ -32,3 +36,18 @@ it('no crash with very long option error message', function()
   pcall(command, 'source test/old/testdir/crash/poc_did_set_langmap')
   assert_alive()
 end)
+
+it('no crash when closing window with tag in loclist', function()
+  exec([[
+    new
+    lexpr ['foo']
+    lopen
+    let g:qf_bufnr = bufnr()
+    lclose
+    call settagstack(1, #{items: [#{tagname: 'foo', from: [g:qf_bufnr, 1, 1, 0]}]})
+  ]])
+  eq(1, eval('bufexists(g:qf_bufnr)'))
+  command('1close')
+  eq(0, eval('bufexists(g:qf_bufnr)'))
+  assert_alive()
+end)
diff --git a/test/old/testdir/crash/double_free b/test/old/testdir/crash/double_free
new file mode 100644
index 0000000000000000000000000000000000000000..895c4a04b6ab1c2eabc80a486e52cabd7a99a5ea
GIT binary patch
literal 561
zcmY+BL2DC16vtm$FL@r)OM?`VNi5idX;=tFTegZ#(3FA_g$iA9XET#zWiz{-+3kcR
z+8h)-c<|7hpT_Uv_ZVMH6#QM@@PBXKoA)1nT!N}!;A@rCk*nK{qi~J@P`Y><JR?x0
zAV|1&|FSA+^(FFrgz2ezF`;5iu43ohexuRo5_JaC>8t4q{~#Di*6H;w(jtG~j{r!x
z#3aqYpoj+pgIo_KYyg;mrs*+t$*`Q-X0v(1u%E^Ti}j5W!>AYtFB0B)5P^C!=IhEP
z!)mp9s)zTK=uG0=i|@l@%s<Sw#dpkiFtYeivUf;Wt9iDdzH+a;E5nfHv39U$u+p`-
zy`X8qU9<7m3w*P+TyH$oGUGzb%*<mqBQ2Svvu4cyALoFdE!Q~b$sLclJbYQ^$ED35
zlxbTnLw|+^nXM$Le-y@;3h4_-ZT)Jk(9SOc!S(YbHsXk0xOUdTE%H10Np3G$lvvxI
zeCz1RRo+w5qD5FNyOP$cgZc_*xNoxLTA;~f?ZGGHMU9!I<@34hvoFKX(ax4FHgB9$
b@#Ju~e()5!l?r~Wt$4JK6w)H|eN?{zo!qIG

literal 0
HcmV?d00001

diff --git a/test/old/testdir/test_crash.vim b/test/old/testdir/test_crash.vim
index fd786e5d54..29061aa423 100644
--- a/test/old/testdir/test_crash.vim
+++ b/test/old/testdir/test_crash.vim
@@ -190,6 +190,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/double_free'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 50)
+
   " clean up
   exe buf .. "bw!"
   bw!