heap-use-after-free in function editing_arg_idx in vim/vim

Valid

Reported on

Oct 10th 2023


Description

heap-use-after-free in function editing_arg_idx at arglist.c:516 

Vim Version

git log
commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 (HEAD -> master, tag: v9.0.2009, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S editing_arg_idx_POC_2 -c :qa!
=================================================================
==567275==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000119b8 at pc 0x56077f582b56 bp 0x7ffdb5a9d130 sp 0x7ffdb5a9d120
READ of size 4 at 0x6250000119b8 thread T0
    #0 0x56077f582b55 in editing_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516
    #1 0x56077f582da6 in check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:530
    #2 0x56077f584027 in alist_check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:339
    #3 0x56077f584027 in do_arglist /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:494
    #4 0x56077f58906e in ex_next /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:766
    #5 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #6 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #7 0x560780032ea5 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #8 0x5607800395f0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1908
    #9 0x5607800395f0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1253
    #10 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #11 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #12 0x5607806b58e1 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3173
    #13 0x5607806b58e1 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:790
    #14 0x56077f5728c5 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:441
    #15 0x7f2adb010d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7f2adb010e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #17 0x56077f5795e4 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x1a45e4)

0x6250000119b8 is located 184 bytes inside of 9424-byte region [0x625000011900,0x625000013dd0)
freed by thread T0 here:
    #0 0x7f2adbaaa517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x56077f57a88f in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:616

previously allocated by thread T0 here:
    #0 0x7f2adbaaa867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56077f579b3a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516 in editing_arg_idx
Shadow bytes around the buggy address:
  0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa330: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==567275==ABORTING
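To turn a sanitizer report like the one above into something a triage queue can deduplicate and route, it helps to extract the bug class, the access kind and size, the offset into the freed region, and the first application frame of each of the three stacks (access, free, allocation). The parser below is an added example and is not part of the huntr report or of Vim's code; its sample input is the AddressSanitizer output quoted above, trimmed to the lines the parser needs, and the frame-noise prefixes it skips are an assumption about what counts as non-application code.

```python
"""Parse an AddressSanitizer heap-use-after-free report into a triage record."""
import re
from dataclasses import dataclass, field

# Sample input: the ASan report quoted in this entry, trimmed to the relevant lines.
ASAN_REPORT = """\
==567275==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000119b8 at pc 0x56077f582b56 bp 0x7ffdb5a9d130 sp 0x7ffdb5a9d120
READ of size 4 at 0x6250000119b8 thread T0
    #0 0x56077f582b55 in editing_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516
    #1 0x56077f582da6 in check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:530
    #2 0x56077f584027 in alist_check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:339
    #3 0x56077f584027 in do_arglist /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:494
    #4 0x56077f58906e in ex_next /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:766

0x6250000119b8 is located 184 bytes inside of 9424-byte region [0x625000011900,0x625000013dd0)
freed by thread T0 here:
    #0 0x7f2adbaaa517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x56077f57a88f in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:616

previously allocated by thread T0 here:
    #0 0x7f2adbaaa867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56077f579b3a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516 in editing_arg_idx
"""


@dataclass
class Frame:
    index: int
    func: str
    location: str


@dataclass
class AsanReport:
    bug_type: str = ""
    address: str = ""
    access: str = ""          # "READ" or "WRITE"
    size: int = 0             # bytes accessed
    offset: int = -1          # offset of the access into the freed region
    region_size: int = 0      # size of the freed region
    # "access", "free", "alloc" -> list of frames in report order
    stacks: dict = field(default_factory=dict)


HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (.*)$")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")


def parse_asan(text: str) -> AsanReport:
    """Walk the report line by line, switching stack sections on ASan's marker lines."""
    rep = AsanReport()
    section = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            rep.bug_type, rep.address = m.group(1), m.group(2)
            continue
        m = ACCESS_RE.match(line)
        if m:
            rep.access, rep.size = m.group(1), int(m.group(2))
            section = "access"
            continue
        m = REGION_RE.search(line)
        if m:
            rep.offset, rep.region_size = int(m.group(1)), int(m.group(2))
            continue
        if line.startswith("freed by"):
            section = "free"
            continue
        if line.startswith("previously allocated by"):
            section = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m and section:
            rep.stacks.setdefault(section, []).append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
    return rep


# Assumed noise prefixes: sanitizer interceptors and libc startup are not application code.
NOISE_PREFIXES = ("__interceptor_", "__libc_", "_start")


def first_project_frame(frames):
    """Return the first frame that belongs to the application rather than ASan/libc."""
    for f in frames:
        if not f.func.startswith(NOISE_PREFIXES):
            return f
    return None


def triage_key(rep: AsanReport) -> str:
    """Stable dedup key: bug class plus the application function doing the bad access."""
    top = first_project_frame(rep.stacks.get("access", []))
    return f"{rep.bug_type}@{top.func}" if top else rep.bug_type


if __name__ == "__main__":
    r = parse_asan(ASAN_REPORT)
    print(triage_key(r), r.access, r.size, "offset", r.offset, "of", r.region_size)
    for name in ("access", "free", "alloc"):
        f = first_project_frame(r.stacks.get(name, []))
        print(f"{name:>6}: {f.func} {f.location}" if f else f"{name:>6}: (none)")
```

The key produced for this report is `heap-use-after-free@editing_arg_idx`; the free and allocation stacks resolve to `vim_free` and `lalloc` once the interceptor frames are skipped, which is the pairing a maintainer needs to find where the buffer was wiped relative to where it is still referenced.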

Impact

This is capable of causing crashes by using an unexpected value, or possibly code execution.

References

We are processing your report and will contact the vim team within 24 hours. (5 months ago)

soaarony modified the report (5 months ago)

We have contacted a member of the vim team and are waiting to hear back. (4 months ago)

Christian (Maintainer), 4 months ago:

That is a nasty side effect of autocommands wiping buffers when it is not expected. Thanks, should be fixed now.

Christian Brabandt validated this vulnerability (4 months ago)
soaarony has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in v9.0.2010 with commit 41e6f7 (4 months ago)
Christian Brabandt has been awarded the fix bounty
This vulnerability has now been published (4 months ago)