Out-of-bounds Read in function utf_ptr2char in vim/vim

Valid

Reported on

Jul 6th 2022

Description

Out-of-bounds Read in function utf_ptr2char at mbyte.c:1794

vim version

git log
commit 324478037923feef1eb8a771648e38ade9e5e05a (HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD)

POC

./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_obr5_s.dat -c :qa!
=================================================================
==11944==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000062f2 at pc 0x000000a46869 bp 0x7ffea3585660 sp 0x7ffea3585658
READ of size 1 at 0x6020000062f2 thread T0
    #0 0xa46868 in utf_ptr2char /home/fuzz/fuzz/vim/afl/src/mbyte.c:1794:9
    #1 0xd996cc in find_match_text /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:5648:25
    #2 0xd97afb in nfa_regexec_both /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:7370:13
    #3 0xcfa1f5 in nfa_regexec_nl /home/fuzz/fuzz/vim/afl/src/./regexp_nfa.c:7567:12
    #4 0xcf64ad in vim_regexec_string /home/fuzz/fuzz/vim/afl/src/regexp.c:2865:14
    #5 0xcf6cf9 in vim_regexec /home/fuzz/fuzz/vim/afl/src/regexp.c:2931:12
    #6 0x541a4b in fname_match /home/fuzz/fuzz/vim/afl/src/buffer.c:2954:6
    #7 0x51d9ca in buflist_match /home/fuzz/fuzz/vim/afl/src/buffer.c:2928:13
    #8 0x51836b in buflist_findpat /home/fuzz/fuzz/vim/afl/src/buffer.c:2645:11
    #9 0x7dd3d1 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2535:13
    #10 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #11 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #12 0xe58940 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1157:6
    #13 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #14 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #15 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #16 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #17 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #18 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #19 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #20 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #21 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #22 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #23 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #24 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #25 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #26 0x7f885dc42082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #27 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)

0x6020000062f2 is located 0 bytes to the right of 2-byte region [0x6020000062f0,0x6020000062f2)
allocated by thread T0 here:
    #0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
    #1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
    #2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
    #3 0xf90e26 in vim_strsave /home/fuzz/fuzz/vim/afl/src/strings.c:27:9
    #4 0x50f9a3 in buflist_new /home/fuzz/fuzz/vim/afl/src/buffer.c:2105:18
    #5 0x5289f2 in buflist_add /home/fuzz/fuzz/vim/afl/src/buffer.c:3605:11
    #6 0x4d0f00 in alist_add /home/fuzz/fuzz/vim/afl/src/arglist.c:206:6
    #7 0x4d0aaa in alist_set /home/fuzz/fuzz/vim/afl/src/arglist.c:173:6
    #8 0x4d2ccf in do_arglist /home/fuzz/fuzz/vim/afl/src/arglist.c:484:6
    #9 0x4d56f7 in ex_next /home/fuzz/fuzz/vim/afl/src/arglist.c:751:10
    #10 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #11 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #12 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #13 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #14 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #15 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #16 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #17 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #18 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #19 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #20 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #21 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #22 0x7f885dc42082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/mbyte.c:1794:9 in utf_ptr2char
Shadow bytes around the buggy address:
  0x0c047fff8c00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c10: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00
  0x0c047fff8c20: fa fa 05 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c30: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fff8c50: fa fa 00 03 fa fa fd fa fa fa 02 fa fa fa[02]fa
  0x0c047fff8c60: fa fa 01 fa fa fa 05 fa fa fa 00 04 fa fa 01 fa
  0x0c047fff8c70: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 07 fa
  0x0c047fff8c80: fa fa 03 fa fa fa 00 06 fa fa 00 04 fa fa 01 fa
  0x0c047fff8c90: fa fa 01 fa fa fa 03 fa fa fa 01 fa fa fa 01 fa
  0x0c047fff8ca0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11944==ABORTING

poc_obr5_s.dat

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

We are processing your report and will contact the vim team within 24 hours. a year ago

We have contacted a member of the vim team and are waiting to hear back a year ago

We have sent a follow up to the vim team. We will try again in 7 days. a year ago

We have sent a second follow up to the vim team. We will try again in 10 days. 10 months ago

We have sent a third and final follow up to the vim team. This report is now considered stale. 10 months ago

Bram Moolenaar validated this vulnerability 10 months ago

I can reproduce the problem. Turning the POC into a regression test is difficult.

Uinitech has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Bram Moolenaar

commented 10 months ago

Maintainer

Fixed with patch 9.0.0105

Bram Moolenaar marked this as fixed in 9.0.0104 with commit f50940 10 months ago

Bram Moolenaar has been awarded the fix bounty

This vulnerability will not receive a CVE

to join this conversation