Heap-based Buffer Overflow in function ins_compl_add in vim/vim
Valid
Reported on
Jul 6th 2022
Description
Heap-based Buffer Overflow in function ins_compl_add at insexpand.c:751
vim version
git log
commit 324478037923feef1eb8a771648e38ade9e5e05a (HEAD -> master, tag: v9.0.0042, origin/master, origin/HEAD)
POC
./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbor4_s.dat -c :qa!
=================================================================
==3114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e0000827cb at pc 0x0000009b3131 bp 0x7ffeee1a6850 sp 0x7ffeee1a6848
READ of size 1 at 0x61e0000827cb thread T0
#0 0x9b3130 in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10
#1 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
#2 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
#3 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
#4 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
#5 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
#6 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
#7 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
#8 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
#9 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
#10 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
#11 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
#12 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
#13 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
#14 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
#15 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#16 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#17 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
#18 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
#19 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
#20 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
#21 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#22 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#23 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
#24 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
#25 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
#26 0x1418b2d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
#27 0x7fd83cb66082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#28 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)
0x61e0000827cb is located 125 bytes to the right of 2766-byte region [0x61e000081c80,0x61e00008274e)
allocated by thread T0 here:
#0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
#1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
#2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
#3 0xf90f0d in vim_strnsave /home/fuzz/fuzz/vim/afl/src/strings.c:44:9
#4 0x9b349a in ins_compl_add /home/fuzz/fuzz/vim/afl/src/insexpand.c:768:26
#5 0x9b1294 in ins_compl_add_infercase /home/fuzz/fuzz/vim/afl/src/insexpand.c:697:12
#6 0x9d137b in get_next_default_completion /home/fuzz/fuzz/vim/afl/src/insexpand.c:3629:6
#7 0x9cc7f7 in get_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:3694:24
#8 0x9c9a7e in ins_compl_get_exp /home/fuzz/fuzz/vim/afl/src/insexpand.c:3767:20
#9 0x9c8438 in find_next_completion_match /home/fuzz/fuzz/vim/afl/src/insexpand.c:4002:21
#10 0x9c0f04 in ins_compl_next /home/fuzz/fuzz/vim/afl/src/insexpand.c:4103:9
#11 0x9c197c in ins_complete /home/fuzz/fuzz/vim/afl/src/insexpand.c:4954:9
#12 0x674939 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1281:10
#13 0xb989c7 in op_change /home/fuzz/fuzz/vim/afl/src/ops.c:1758:14
#14 0xbb25f7 in do_pending_operator /home/fuzz/fuzz/vim/afl/src/ops.c:4041:7
#15 0xb21ac3 in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:961:2
#16 0x8156fe in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8814:6
#17 0x814f28 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8777:5
#18 0x814ad9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8695:6
#19 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#20 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#21 0xe5c8fe in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
#22 0xe59396 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
#23 0xe58cd3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
#24 0xe583de in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
#25 0x7dda59 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
#26 0x7ca915 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
#27 0x7cf591 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
#28 0x1427482 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
#29 0x142361b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/insexpand.c:751:10 in ins_compl_add
Shadow bytes around the buggy address:
0x0c3c800084a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800084b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800084c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800084d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c800084e0: 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa fa
=>0x0c3c800084f0: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
0x0c3c80008500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80008510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80008520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80008530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c80008540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3114==ABORTING
Impact
This vulnerability is capable of crashing software, modify memory, and possible remote execution.
We are processing your report and will contact the
vim
team within 24 hours.
a year ago
We have contacted a member of the
vim
team and are waiting to hear back
a year ago
I can reproduce it. There must be a much simpler way to reproduc this: using a line more than 1030 bytes long.
Uinitech
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
xiaoge1001
commented
a year ago
After fixing the vulnerability, there are new problems, and the corresponding information is as follows:
=================================================================
==33751==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000981 at pc 0x7fa2ab4b7fe4 bp 0x7ffe8d066220 sp 0x7ffe8d0659c8
READ of size 1026 at 0x619000000981 thread T0
#0 0x7fa2ab4b7fe3 (/usr/lib64/libasan.so.6+0x52fe3)
#1 0x66cbdb in ins_compl_infercase_gettext /root/github_vim/src/insexpand.c:645
#2 0x66d350 in ins_compl_add_infercase /root/github_vim/src/insexpand.c:725
#3 0x6796d9 in get_next_default_completion /root/github_vim/src/insexpand.c:3668
#4 0x6799db in get_next_completion_match /root/github_vim/src/insexpand.c:3733
#5 0x679e91 in ins_compl_get_exp /root/github_vim/src/insexpand.c:3806
#6 0x67aafa in find_next_completion_match /root/github_vim/src/insexpand.c:4041
#7 0x67ae9e in ins_compl_next /root/github_vim/src/insexpand.c:4142
#8 0x67e01c in ins_complete /root/github_vim/src/insexpand.c:4993
#9 0x4d8fb4 in edit /root/github_vim/src/edit.c:1281
#10 0x75c69a in op_change /root/github_vim/src/ops.c:1758
#11 0x76e7ed in do_pending_operator /root/github_vim/src/ops.c:4041
#12 0x724e12 in normal_cmd /root/github_vim/src/normal.c:961
#13 0x5a98ab in exec_normal /root/github_vim/src/ex_docmd.c:8814
#14 0x5a9674 in exec_normal_cmd /root/github_vim/src/ex_docmd.c:8777
#15 0x5a8f0b in ex_normal /root/github_vim/src/ex_docmd.c:8695
#16 0x5857c0 in do_one_cmd /root/github_vim/src/ex_docmd.c:2570
#17 0x57c853 in do_cmdline /root/github_vim/src/ex_docmd.c:992
#18 0x89e715 in do_source_ext /root/github_vim/src/scriptfile.c:1674
#19 0x89f8aa in do_source /root/github_vim/src/scriptfile.c:1801
#20 0x89c32d in cmd_source /root/github_vim/src/scriptfile.c:1174
#21 0x89c3a0 in ex_source /root/github_vim/src/scriptfile.c:1200
#22 0x5857c0 in do_one_cmd /root/github_vim/src/ex_docmd.c:2570
#23 0x57c853 in do_cmdline /root/github_vim/src/ex_docmd.c:992
#24 0x57ab0e in do_cmdline_cmd /root/github_vim/src/ex_docmd.c:586
#25 0xb6de7a in exe_commands /root/github_vim/src/main.c:3133
#26 0xb66d6a in vim_main2 /root/github_vim/src/main.c:780
#27 0xb66570 in main /root/github_vim/src/main.c:432
#28 0x7fa2ab18220f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#29 0x7fa2ab1822bb in __libc_start_main_impl ../csu/libc-start.c:409
#30 0x404f24 in _start (/root/github_vim/src/vim+0x404f24)
0x619000000981 is located 0 bytes to the right of 1025-byte region [0x619000000580,0x619000000981)
allocated by thread T0 here:
#0 0x7fa2ab5141c7 in __interceptor_malloc (/usr/lib64/libasan.so.6+0xaf1c7)
#1 0x405370 in lalloc /root/github_vim/src/alloc.c:246
#2 0x405161 in alloc /root/github_vim/src/alloc.c:151
#3 0xb66fc1 in common_init /root/github_vim/src/main.c:914
#4 0xb66220 in main /root/github_vim/src/main.c:185
#5 0x7fa2ab18220f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.6+0x52fe3)
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c327fff8180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==33751==ABORTING
to join this conversation