Heap-based Buffer Overflow in function get_lisp_indent in vim/vim

Valid

Reported on

Jun 16th 2022


Description

Heap-based Buffer Overflow in function get_lisp_indent at indent.c:1994

vim version

git log
commit 83497f875881973df772cc4cc593766345df6c4a (HEAD -> master, tag: v8.2.5105, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_hbo2_s.dat -c :qa!

=================================================================
==2361==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x0000009a0535 bp 0x7ffcbe3e9ab0 sp 0x7ffcbe3e9aa8
READ of size 1 at 0x621000013d00 thread T0
    #0 0x9a0534 in get_lisp_indent /home/fuzz/fuzz/vim/afl/src/indent.c:1994:36
    #1 0x99f221 in op_reindent /home/fuzz/fuzz/vim/afl/src/indent.c:1101:16
    #2 0xbb091d in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4057:7
    #3 0xb1fa03 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
    #4 0x814eee in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8808:6
    #5 0x814718 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8771:5
    #6 0x8142c9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8689:6
    #7 0x7dd249 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #8 0x7ca105 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #9 0xe58b5e in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #10 0xe555f6 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #11 0xe54f33 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #12 0xe5463e in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #13 0x7dd249 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #14 0x7ca105 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #15 0x7ced81 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #16 0x1422702 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #17 0x141e89b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #18 0x1413dad in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #19 0x7fe23555b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x41ea4d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea4d)

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x499cad in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cad)
    #1 0x4cb382 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
    #2 0x4cb26a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
    #3 0x142bfb5 in mf_alloc_bhdr /home/fuzz/fuzz/vim/afl/src/memfile.c:884:21
    #4 0x142adc7 in mf_new /home/fuzz/fuzz/vim/afl/src/memfile.c:375:26
    #5 0xa60d28 in ml_new_data /home/fuzz/fuzz/vim/afl/src/memline.c:4080:15
    #6 0xa5f6d1 in ml_open /home/fuzz/fuzz/vim/afl/src/memline.c:394:15
    #7 0x501c8a in open_buffer /home/fuzz/fuzz/vim/afl/src/buffer.c:186:9
    #8 0x141ff4c in create_windows /home/fuzz/fuzz/vim/afl/src/main.c:2902:9
    #9 0x141e21a in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:711:5
    #10 0x1413dad in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #11 0x7fe23555b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/indent.c:1994:36 in get_lisp_indent
Shadow bytes around the buggy address:
  0x0c427fffa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa7a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2361==ABORTING

poc_hbo2_s.dat

Impact

This vulnerabilities are capable of crashing software, modify Memory, and possible remote execution

We are processing your report and will contact the vim team within 24 hours. 10 days ago
We have contacted a member of the vim team and are waiting to hear back 9 days ago
Bram Moolenaar validated this vulnerability 8 days ago

I can reproduce it, also with a much simpler POC.

TDHX ICS Security has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
8 days ago

Maintainer


Fixed in patch 8.2.5122.

Bram Moolenaar confirmed that a fix has been merged on 0e8e93 8 days ago
Bram Moolenaar has been awarded the fix bounty
to join this conversation