Heap BoF in trunc_string() in vim/vim

Valid

Reported on

Oct 2nd 2023


Environment

Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid

Version

I checked against the master branch as of 09/25 at commit 6ee7b521fa7531ef356ececc8be7575c3800f872.

Description

Heap buffer overflow (a one-byte write just past the end of a heap allocation) in the file /src/message.c in the function trunc_string() at line 356.

Snippet

buf[e - 1] = NUL;

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S crash2 -c :qa!

POC File VIM elf

ASAN

=================================================================
==3763035==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000002342 at pc 0x55555636086b bp 0x7fffffffb5f0 sp 0x7fffffffb5e8
WRITE of size 1 at 0x61e000002342 thread T0
    #0 0x55555636086a in trunc_string /path/vim/src/message.c:356:13
    #1 0x55555635f1f7 in msg_strtrunc /path/vim/src/message.c:232:3
    #2 0x555555e02509 in vgr_display_fname /path/vim/src/quickfix.c:5969:9
    #3 0x555555de5ab3 in vgr_process_files /path/vim/src/quickfix.c:6336:6
    #4 0x555555ddf817 in ex_vimgrep /path/vim/src/quickfix.c:6496:14
    #5 0x555555a6b30e in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #6 0x555555a5fe25 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #7 0x555555eff710 in do_source_ext /path/vim/src/scriptfile.c:1762:5
    #8 0x555555efd354 in cmd_source /path/vim/src/scriptfile.c:1253:14
    #9 0x555555a6b30e in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
    #10 0x555555a5fe25 in do_cmdline /path/vim/src/ex_docmd.c:994:17
    #11 0x555556351589 in exe_commands /path/vim/src/main.c:3173:2
    #12 0x55555634ed7e in vim_main2 /path/vim/src/main.c:790:2
    #13 0x555556347e3e in main /path/vim/src/main.c:441:12
    #14 0x7ffff7a501c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #15 0x7ffff7a50284 in __libc_start_main csu/../csu/libc-start.c:360:3
    #16 0x5555557517f0 in _start (/path/vim/fuzzfuzzfuzzfuzz/vim+0x1fd7f0) (BuildId: 68639e4c086c1f4c9dcfcca8bf0579fea932e525)

0x61e000002342 is located 0 bytes to the right of 2754-byte region [0x61e000001880,0x61e000002342)
allocated by thread T0 here:
    #0 0x5555557d463e in malloc (/path/vim/fuzzfuzzfuzzfuzz/vim+0x28063e) (BuildId: 68639e4c086c1f4c9dcfcca8bf0579fea932e525)
    #1 0x55555580f7f7 in lalloc /path/vim/src/alloc.c:246:11

SUMMARY: AddressSanitizer: heap-buffer-overflow /path/vim/src/message.c:356:13 in trunc_string
Shadow bytes around the buggy address:
  0x0c3c7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8460: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
  0x0c3c7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3763035==ABORTING

Impact

This POC can crash the application.
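The ASAN report above says the one-byte WRITE lands "0 bytes to the right" of a 2754-byte region, i.e. the terminating NUL store `buf[e - 1] = NUL` hits index `buflen` exactly, one past the last valid byte. The defensive pattern for any string-truncation helper is to check that the terminator's index is strictly less than the buffer capacity before writing. The following is an added illustration, not vim's trunc_string() and not code from the report: `trunc_middle` is a hypothetical, simplified middle-truncation routine that refuses a request whose output (plus NUL) would not fit in `buflen`, with the check that corresponds to this bug class marked in a comment.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper (added example, not vim's code): copy `s` into `buf`
 * (capacity `buflen` bytes) so that the result is at most `room` characters,
 * replacing the middle with "..." when `s` is longer than `room`.
 * Returns the number of characters written (excluding the NUL), or -1 when the
 * result plus its terminator would not fit in `buflen`. */
int trunc_middle(const char *s, char *buf, size_t buflen, size_t room)
{
    const char *dots = "...";
    const size_t dlen = 3;
    size_t len = strlen(s);

    if (buflen == 0)
        return -1;

    /* Short string: copy verbatim, but only if the NUL also fits. */
    if (len <= room) {
        if (len + 1 > buflen)
            return -1;
        memcpy(buf, s, len + 1);
        return (int)len;
    }

    /* Not even room for the ellipsis: nothing sensible to produce. */
    if (room < dlen)
        return -1;

    /* This is the check whose absence yields an ASAN report of the form
     * "0 bytes to the right of an N-byte region": the NUL goes to buf[room],
     * so room must be < buflen, i.e. room + 1 <= buflen. */
    if (room + 1 > buflen)
        return -1;

    size_t keep = room - dlen;   /* characters of `s` that survive */
    size_t head = keep / 2;      /* kept from the start of `s` */
    size_t tail = keep - head;   /* kept from the end of `s` */

    memcpy(buf, s, head);
    memcpy(buf + head, dots, dlen);
    memcpy(buf + head + dlen, s + len - tail, tail);
    buf[room] = '\0';            /* index room < buflen, checked above */
    return (int)room;
}

int main(void)
{
    char out[16];
    /* Constructed sample input: a path longer than the requested width. */
    int n = trunc_middle("/very/long/path/to/some/file.txt", out, sizeof out, 12);
    printf("%d %s\n", n, n < 0 ? "(rejected)" : out);

    /* Asking for room == buflen would place the NUL at buf[buflen]; the helper
     * refuses instead of performing that out-of-bounds write. */
    n = trunc_middle("/very/long/path/to/some/file.txt", out, sizeof out, sizeof out);
    printf("%d\n", n);
    return 0;
}
```

The return value makes the failure mode observable to callers: a caller that computed `room` from a display width and allocated `room` bytes (instead of `room + 1`) gets -1 rather than a silent one-byte heap overflow, which is the condition the fuzzing harness in the report detected.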

We are processing your report and will contact the vim team within 24 hours. 5 months ago
Christian (Maintainer), 5 months ago:

thanks, validated and fixed

Christian Brabandt validated this vulnerability 5 months ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in 9.0.1969 with commit 3bd7fa 5 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has now been published 5 months ago