patch 9.0.2035: [security] use-after-free with wildmenu

Problem:  [security] use-after-free with wildmenu
Solution: properly clean up the wildmenu when exiting

Fix wildchar/wildmenu/pum memory corruption with special wildchar's

Currently, using `wildchar=<Esc>` or `wildchar=<C-\>` can lead to a
memory corruption if using wildmenu+pum, or wrong states if only using
wildmenu. This is due to the code only using one single place inside the
cmdline process loop to perform wild menu clean up (by checking
`end_wildmenu`) but there are other odd situations where the loop could
have exited and we need a post-loop clean up just to be sure. If the
clean up was not done you would have a stale popup menu referring to
invalid memory, or if not using popup menu, incorrect status line (if
`laststatus=0`).

For example, if you hit `<Esc>` two times when it's wildchar, there's a
hard-coded behavior to exit command-line as a failsafe for user, and if
you hit `<C-\><C-\><C-N>` it will also exit command-line, but the clean
up code would not have hit because of specialized `<C-\>` handling.

Fix Ctrl-E / Ctrl-Y to not cancel/accept wildmenu if they are also
used for 'wildchar'/'wildcharm'. Currently they don't behave properly,
and also have potentially memory unsafe behavior as the logic is
currently not accounting for this situation and try to do both.
(Previous patch that addressed this: #11677)

Also, correctly document Escape key behavior (double-hit it to escape)
in wildchar docs as it's previously undocumented.

In addition, block known invalid chars to be set in `wildchar` option,
such as Ctrl-C and `<CR>`. This is just to make it clear to the user
they shouldn't be set, and is not required for this bug fix.

closes: #13361

Signed-off-by: Christian Brabandt <[email protected]>
Co-authored-by: Yee Cheng Chin <[email protected]>

Author: ychin

runtime/doc/options.txt

@@ -9253,6 +9253,8 @@ A jump table for the options with a short description can be found at |Q_op|.
 	The character is not recognized when used inside a macro.  See
 	'wildcharm' for that.
 	Some keys will not work, such as CTRL-C, <CR> and Enter.
+	<Esc> can be used, but hitting it twice in a row will still exit
+	command-line as a failsafe measure.
 	Although 'wc' is a number option, you can set it to a special key: >
 		:set wc=<Tab>
 <	NOTE: This option is set to the Vi default value when 'compatible' is

src/ex_getln.c

@@ -1877,7 +1877,8 @@ getcmdline_int(
 	if (p_wmnu)
 	    c = wildmenu_translate_key(&ccline, c, &xpc, did_wild_list);
 
-	if (cmdline_pum_active())
+	int key_is_wc = (c == p_wc && KeyTyped) || c == p_wcm;
+	if (cmdline_pum_active() && !key_is_wc)
 	{
 	    // Ctrl-Y: Accept the current selection and close the popup menu.
 	    // Ctrl-E: cancel the cmdline popup menu and return the original
@@ -1897,7 +1898,7 @@ getcmdline_int(
 	// 'wildcharm' or Ctrl-N or Ctrl-P or Ctrl-A or Ctrl-L).
 	// If the popup menu is displayed, then PageDown and PageUp keys are
 	// also used to navigate the menu.
-	end_wildmenu = (!(c == p_wc && KeyTyped) && c != p_wcm
+	end_wildmenu = (!key_is_wc
 		&& c != Ctrl_N && c != Ctrl_P && c != Ctrl_A && c != Ctrl_L);
 	end_wildmenu = end_wildmenu && (!cmdline_pum_active() ||
 			    (c != K_PAGEDOWN && c != K_PAGEUP
@@ -2504,6 +2505,15 @@ getcmdline_int(
     cmdmsg_rl = FALSE;
 #endif
 
+    // We could have reached here without having a chance to clean up wild menu
+    // if certain special keys like <Esc> or <C-\> were used as wildchar. Make
+    // sure to still clean up to avoid memory corruption.
+    if (cmdline_pum_active())
+	cmdline_pum_remove();
+    wildmenu_cleanup(&ccline);
+    did_wild_list = FALSE;
+    wim_index = 0;
+
     ExpandCleanup(&xpc);
     ccline.xpc = NULL;
 

src/option.c

@@ -4392,6 +4392,21 @@ did_set_weirdinvert(optset_T *args)
     return NULL;
 }
 
+/*
+ * Process the new 'wildchar' / 'wildcharm' option value.
+ */
+    char *
+did_set_wildchar(optset_T *args)
+{
+    long c = *(long *)args->os_varp;
+
+    // Don't allow key values that wouldn't work as wildchar.
+    if (c == Ctrl_C || c == '\n' || c == '\r' || c == K_KENTER)
+	return e_invalid_argument;
+
+    return NULL;
+}
+
 /*
  * Process the new 'window' option value.
  */

src/optiondefs.h

@@ -2812,11 +2812,11 @@ static struct vimoption options[] =
 			    (char_u *)&p_ww, PV_NONE, did_set_whichwrap, expand_set_whichwrap,
 			    {(char_u *)"", (char_u *)"b,s"} SCTX_INIT},
     {"wildchar",    "wc",   P_NUM|P_VIM,
-			    (char_u *)&p_wc, PV_NONE, NULL, NULL,
+			    (char_u *)&p_wc, PV_NONE, did_set_wildchar, NULL,
 			    {(char_u *)(long)Ctrl_E, (char_u *)(long)TAB}
 			    SCTX_INIT},
     {"wildcharm",   "wcm",  P_NUM|P_VI_DEF,
-			    (char_u *)&p_wcm, PV_NONE, NULL, NULL,
+			    (char_u *)&p_wcm, PV_NONE, did_set_wildchar, NULL,
 			    {(char_u *)0L, (char_u *)0L} SCTX_INIT},
     {"wildignore",  "wig",  P_STRING|P_VI_DEF|P_ONECOMMA|P_NODUP,
 			    (char_u *)&p_wig, PV_NONE, NULL, NULL,

src/proto/option.pro

@@ -81,6 +81,7 @@ char *did_set_undofile(optset_T *args);
 char *did_set_undolevels(optset_T *args);
 char *did_set_updatecount(optset_T *args);
 char *did_set_weirdinvert(optset_T *args);
+char *did_set_wildchar(optset_T *args);
 char *did_set_window(optset_T *args);
 char *did_set_winheight_helpheight(optset_T *args);
 char *did_set_winminheight(optset_T *args);

src/testdir/dumps/Test_wildmenu_5.dump

@@ -0,0 +1,8 @@
+| +0&#ffffff0@74
+|~+0#4040ff13&| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|:+0#0000000&|v|i|m| > @69

src/testdir/dumps/Test_wildmenu_6.dump

@@ -0,0 +1,8 @@
+> +0&#ffffff0@74
+|~+0#4040ff13&| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+| +0#0000000&@56|0|,|0|-|1| @8|A|l@1| 

…s/Test_wildmenu_pum_clear_entries_1.dump …ps/Test_wildmenu_pum_odd_wildchar_1.dumpsrc/testdir/dumps/Test_wildmenu_pum_clear_entries_1.dump renamed to src/testdir/dumps/Test_wildmenu_pum_odd_wildchar_1.dump src/testdir/dumps/Test_wildmenu_pum_clear_entries_1.dump renamed to src/testdir/dumps/Test_wildmenu_pum_odd_wildchar_1.dump

@@ -0,0 +1,10 @@
+| +0#0000001#ffd7ff255|!| @14| +0#0000000#0000001| +0&#ffffff0@56
+| +0#0000001#e0e0e08|#| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|&| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|*| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|+@1| @13| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|-@1| @13| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|<| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|=| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+| +0#0000001#ffd7ff255|>| @14| +0#0000000#a8a8a8255| +0#4040ff13#ffffff0@56
+|:+0#0000000&|#> @72

src/testdir/dumps/Test_wildmenu_pum_odd_wildchar_2.dump

@@ -0,0 +1,10 @@
+> +0&#ffffff0@74
+|~+0#4040ff13&| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+|~| @73
+| +0#0000000&@56|0|,|0|-|1| @8|A|l@1|