patch 9.0.2158: [security]: use-after-free in check_argument_typev9.0.2158

Problem:  [security]: use-after-free in check_argument_type
Solution: Reset function type pointer when freeing the function type
          list

function pointer fp->uf_func_type may point to the same memory, that was
allocated for fp->uf_type_list. However, when cleaning up a function
definition (e.g. because it was invalid), fp->uf_type_list will be
freed, but fp->uf_func_type may still point to the same (now) invalid
memory address.

So when freeing the fp->uf_type_list, check if fp->func_type points to
any of those types and if it does, reset the fp->uf_func_type pointer to
the t_func_any (default) type pointer

closes: #13652

Signed-off-by: Christian Brabandt <cb@256bit.org>

6 files changed, 24 insertions, 2 deletions

diff --git a/src/proto/vim9type.pro b/src/proto/vim9type.pro
index 85cc96fb23..1643e0c0fb 100644
--- a/src/proto/vim9type.pro
+++ b/src/proto/vim9type.pro
@@ -2,6 +2,7 @@
 type_T *get_type_ptr(garray_T *type_gap);
 type_T *copy_type(type_T *type, garray_T *type_gap);
 void clear_type_list(garray_T *gap);
+void clear_func_type_list(garray_T *gap, type_T **func_type);
 type_T *alloc_type(type_T *type);
 void free_type(type_T *type);
 void set_tv_type(typval_T *tv, type_T *type);
diff --git a/src/testdir/crash/poc_uaf_check_argument_types b/src/testdir/crash/poc_uaf_check_argument_types
new file mode 100644
index 0000000000..83a2e7b0a6
--- /dev/null
+++ b/src/testdir/crash/poc_uaf_check_argument_types
diff --git a/src/testdir/test_crash.vim b/src/testdir/test_crash.vim
index 242da8e5db..fd786e5d54 100644
--- a/src/testdir/test_crash.vim
+++ b/src/testdir/test_crash.vim
@@ -184,6 +184,12 @@ func Test_crash1_3()
   call term_sendkeys(buf, args)
   call TermWait(buf, 150)
 
+  let file = 'crash/poc_uaf_check_argument_types'
+  let cmn_args = "%s -u NONE -i NONE -n -e -s -S %s -c ':qa!'\<cr>"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args)
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   bw!
diff --git a/src/userfunc.c b/src/userfunc.c
index e2b1bc3226..410658b1ea 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -2533,7 +2533,7 @@ func_clear_items(ufunc_T *fp)
     VIM_CLEAR(fp->uf_arg_types);
     VIM_CLEAR(fp->uf_block_ids);
     VIM_CLEAR(fp->uf_va_name);
-    clear_type_list(&fp->uf_type_list);
+    clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
 
     // Increment the refcount of this function to avoid it being freed
     // recursively when the partial is freed.
@@ -5435,7 +5435,7 @@ errret_2:
     {
 	VIM_CLEAR(fp->uf_arg_types);
 	VIM_CLEAR(fp->uf_va_name);
-	clear_type_list(&fp->uf_type_list);
+	clear_func_type_list(&fp->uf_type_list, &fp->uf_func_type);
     }
     if (free_fp)
 	VIM_CLEAR(fp);
diff --git a/src/version.c b/src/version.c
index 919f42f2d3..4bb1c90bae 100644
--- a/src/version.c
+++ b/src/version.c
@@ -705,6 +705,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    2158,
+/**/
     2157,
 /**/
     2156,
diff --git a/src/vim9type.c b/src/vim9type.c
index a142a7b9c3..fec2bf9d3e 100644
--- a/src/vim9type.c
+++ b/src/vim9type.c
@@ -122,6 +122,19 @@ clear_type_list(garray_T *gap)
     ga_clear(gap);
 }
 
+    void
+clear_func_type_list(garray_T *gap, type_T **func_type)
+{
+    while (gap->ga_len > 0)
+    {
+	// func_type pointing to the uf_type_list, so reset pointer
+	if (*func_type == ((type_T **)gap->ga_data)[--gap->ga_len])
+	    *func_type = &t_func_any;
+	vim_free(((type_T **)gap->ga_data)[gap->ga_len]);
+    }
+    ga_clear(gap);
+}
+
 /*
  * Take a type that is using entries in a growarray and turn it into a type
  * with allocated entries.