Heap-based buffer overflow in function inc in vim/vim
Jun 29th 2022
Heap-based buffer overflow in function
inc at misc2.c:344
commit 8eba2bd291b347e3008aa9e565652d51ad638cfa (HEAD, tag: v8.2.5151)
Proof of Concept
guest@elk:~/trung$ valgrind ./vim_latest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa! ==6151== Memcheck, a memory error detector ==6151== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==6151== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info ==6151== Command: ./vim_latest/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc/poc80min3 -c :qa! ==6151== ==6151== Invalid read of size 1 ==6151== at 0x223E25: inc (misc2.c:344) ==6151== by 0x2340DB: nv_put_opt (normal.c:7372) ==6151== by 0x238604: normal_cmd (normal.c:939) ==6151== by 0x1B674C: exec_normal (ex_docmd.c:8807) ==6151== by 0x1B69AF: ex_normal (ex_docmd.c:8693) ==6151== by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570) ==6151== by 0x1BB2CD: do_cmdline (ex_docmd.c:992) ==6151== by 0x2ABF50: do_source_ext (scriptfile.c:1674) ==6151== by 0x2ACF43: do_source (scriptfile.c:1801) ==6151== by 0x2ACF43: cmd_source (scriptfile.c:1174) ==6151== by 0x1BB2CD: do_one_cmd (ex_docmd.c:2570) ==6151== by 0x1BB2CD: do_cmdline (ex_docmd.c:992) ==6151== by 0x380B1F: exe_commands (main.c:3133) ==6151== by 0x380B1F: vim_main2 (main.c:780) ==6151== by 0x13F6DC: main (main.c:432) ==6151== Address 0x5e5f794 is 4 bytes after a block of size 4,096 alloc'd ==6151== at 0x4C31B0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==6151== by 0x140C70: lalloc (alloc.c:246) ==6151== by 0x3812AA: mf_alloc_bhdr.isra.3 (memfile.c:884) ==6151== by 0x382086: mf_new (memfile.c:375) ==6151== by 0x21480F: ml_new_data (memline.c:4080) ==6151== by 0x2176CC: ml_open (memline.c:394) ==6151== by 0x150EB4: open_buffer (buffer.c:186) ==6151== by 0x380429: create_windows (main.c:2902) ==6151== by 0x380429: vim_main2 (main.c:711) ==6151== by 0x13F6DC: main (main.c:432) ==6151== ==6151== ==6151== HEAP SUMMARY: ==6151== in use at exit: 69,739 bytes in 405 blocks ==6151== total heap usage: 1,204 allocs, 799 frees, 261,409 bytes allocated ==6151== ==6151== LEAK SUMMARY: ==6151== definitely lost: 0 bytes in 0 blocks ==6151== indirectly lost: 0 bytes in 0 blocks ==6151== possibly lost: 0 bytes in 0 blocks ==6151== still reachable: 69,739 bytes in 405 blocks ==6151== suppressed: 0 bytes in 0 blocks ==6151== Rerun with --leak-check=full to see details of leaked memory ==6151== ==6151== For counts of detected and suppressed errors, rerun with: -v ==6151== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
This may result in corruption of sensitive information, a crash, or code execution among other things.