Heap-based Buffer Overflow in function ml_append_int in vim/vim

Valid

Reported on

Jan 12th 2023


Description

Heap-based Buffer Overflow in function ml_append_int at memline.c:2951

vim version

git log
commit 043d7b2c84cda275354aa023b5769660ea70a168 (HEAD -> master, tag: v9.0.1182, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hbo02_s.dat -c :qa!
=================================================================
==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8
READ of size 2147479553 at 0x621000009d00 thread T0
    #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e)
    #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6
    #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9
    #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2
    #4 0xab2342 in ml_append_flags /home/fuzz/vim/src/memline.c:3415:12
    #5 0x117b44a in u_undoredo /home/fuzz/vim/src/undo.c:2821:7
    #6 0x117535b in u_doit /home/fuzz/vim/src/undo.c:2273:6
    #7 0x1174c1a in u_undo /home/fuzz/vim/src/undo.c:2214:5
    #8 0xbaad92 in nv_kundo /home/fuzz/vim/src/normal.c:4737:2
    #9 0xba3d19 in nv_undo /home/fuzz/vim/src/normal.c:4719:2
    #10 0xb6448b in normal_cmd /home/fuzz/vim/src/normal.c:939:5
    #11 0x83ea0e in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887:6
    #12 0x83e238 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850:5
    #13 0x83dde9 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768:6
    #14 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
    #15 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
    #16 0xea1d75 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5
    #17 0xe9e7d6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12
    #18 0xe9e10c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14
    #19 0xe9d7ee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2
    #20 0x8060c1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580:2
    #21 0x7f2ae5 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993:17
    #22 0x7f7831 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587:12
    #23 0x14c4e12 in exe_commands /home/fuzz/vim/src/main.c:3146:2
    #24 0x14c0fae in vim_main2 /home/fuzz/vim/src/main.c:782:2
    #25 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
    #26 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad)

0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00)
allocated by thread T0 here:
    #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d)
    #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11
    #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12
    #3 0x14ce9f5 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:884:21
    #4 0x14cd807 in mf_new /home/fuzz/vim/src/memfile.c:375:26
    #5 0xa98308 in ml_new_data /home/fuzz/vim/src/memline.c:4138:15
    #6 0xa96ca7 in ml_open /home/fuzz/vim/src/memline.c:391:15
    #7 0x503cd6 in open_buffer /home/fuzz/vim/src/buffer.c:192:9
    #8 0x14c265c in create_windows /home/fuzz/vim/src/main.c:2915:9
    #9 0x14c092d in vim_main2 /home/fuzz/vim/src/main.c:713:5
    #10 0x14b6449 in main /home/fuzz/vim/src/main.c:433:12
    #11 0x7f8319ce2082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/vim/src/vim+0x49950e) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c427fff9350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff93a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff93b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11458==ABORTING

poc_hbo02_s.dat

Impact

This vulnerability can crash the software, corrupt memory, and possibly lead to remote code execution. What the sanitizer trace above actually demonstrates is a READ of 2147479553 bytes starting exactly at the end of a 4096-byte memfile block, i.e. an out-of-bounds read that aborts the process; triggering it requires Vim to execute the attached script (the POC sources it with -S).
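The following triage helper is an added example, not part of the original report and not Vim's code. It parses the key lines of the AddressSanitizer output above (a constructed excerpt is embedded inline) and reports what the sanitizer actually proved: the access type, how far the access runs past the allocated block, and the first non-runtime frame that issued it. The function names and the "certain crash" threshold are the editor's own choices.

```python
import re

# Constructed excerpt of the AddressSanitizer output quoted on this page; it
# keeps only the header, the access line, a few frames and the allocation
# summary, which is all the triage below needs.
ASAN_REPORT = """\
==11458==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000009d00 at pc 0x00000049950f bp 0x7ffcbaff3ef0 sp 0x7ffcbaff36b8
READ of size 2147479553 at 0x621000009d00 thread T0
    #0 0x49950e in __asan_memmove (/home/fuzz/vim/src/vim+0x49950e)
    #1 0xabc5d7 in ml_append_int /home/fuzz/vim/src/memline.c:2951:6
    #2 0xa9b51f in ml_flush_line /home/fuzz/vim/src/memline.c:4109:9
    #3 0xab24bc in ml_append_flush /home/fuzz/vim/src/memline.c:3370:2

0x621000009d00 is located 0 bytes to the right of 4096-byte region [0x621000008d00,0x621000009d00)
allocated by thread T0 here:
    #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d)
    #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(
    r"(0x[0-9a-f]+) is located (\d+) bytes to the (left|right) of (\d+)-byte region "
    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)"
)
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

# Sanitizer runtime frames that sit between the faulting instruction and the
# application code that issued it; plain allocator entry points likewise hide
# the application-level allocation site.
RUNTIME_PREFIXES = ("__asan_", "__interceptor_", "__sanitizer_")
ALLOCATOR_NAMES = {"malloc", "calloc", "realloc", "posix_memalign"}


def parse_asan_report(text):
    """Extract the fields that matter for triage from an ASan heap report."""
    header = HEADER_RE.search(text)
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    if not (header and access and region):
        raise ValueError("not a recognisable ASan heap-buffer-overflow report")
    # Frames before "allocated by" belong to the faulting stack; the rest
    # describe where the overrun block was allocated.
    fault_part, _, alloc_part = text.partition("allocated by")
    return {
        "pid": int(header.group(1)),
        "kind": header.group(2),
        "access": access.group(1),
        "size": int(access.group(2)),
        "address": int(access.group(3), 16),
        "offset": int(region.group(2)),
        "side": region.group(3),
        "region_size": int(region.group(4)),
        "region_start": int(region.group(5), 16),
        "region_end": int(region.group(6), 16),
        "fault_frames": [(m.group(2), m.group(3)) for m in FRAME_RE.finditer(fault_part)],
        "alloc_frames": [(m.group(2), m.group(3)) for m in FRAME_RE.finditer(alloc_part)],
    }


def first_app_frame(frames, skip_names=()):
    """First frame that is neither sanitizer runtime nor a name in skip_names."""
    for func, loc in frames:
        if func.startswith(RUNTIME_PREFIXES) or func in skip_names:
            continue
        return func, loc
    return None


def triage(report):
    """Classify the report and measure how far the access leaves the region."""
    start = report["address"]
    end = start + report["size"]
    # Bytes of the access that fall outside [region_start, region_end).
    overrun = max(0, end - report["region_end"]) + max(0, report["region_start"] - start)
    classification = "out-of-bounds write" if report["access"] == "WRITE" else "out-of-bounds read"
    return {
        "classification": classification,
        "overrun": overrun,
        "culprit": first_app_frame(report["fault_frames"]),
        "alloc_site": first_app_frame(report["alloc_frames"], ALLOCATOR_NAMES),
        # Threshold is the editor's heuristic: a copy of more than 1 GiB past
        # a heap block cannot complete, so the process faults regardless of
        # the sanitizer (a sub-page overrun might go unnoticed in production).
        "certain_crash": overrun > (1 << 30),
    }


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    t = triage(r)
    print(f"{r['kind']}: {t['classification']} of {r['size']} bytes, {t['overrun']} bytes past "
          f"a {r['region_size']}-byte block, issued from {t['culprit'][0]} at {t['culprit'][1]}")
```

Run against the report on this page it answers the question the Impact section leaves open: the access is a read, it runs roughly 2 GiB past a 4 KiB block, and it is issued from ml_append_int at memline.c:2951. The helper deliberately raises on report shapes it does not recognise (use-after-free, "bytes inside of" regions) rather than guessing.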

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

I can reproduce it. The "L" command moves the cursor to line zero.

jieyongma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.1189 with commit 232bda a year ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability has now been published a year ago