Out-of-bounds Read in function build_stl_str_hl in vim/vim

Valid

Reported on

Jan 3rd 2023

Out-of-bounds Read in function build_stl_str_hl at buffer.c:4350

vim version

git log
commit ea720aea851e645f4c8ec3b20afb27c7ca38184c (HEAD -> master, tag: v9.0.1137, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_hor01_s.dat -c :qa!
=================================================================
==2441==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006eb5 at pc 0x00000052f7a2 bp 0x7ffd0ecb2570 sp 0x7ffd0ecb2568
READ of size 1 at 0x602000006eb5 thread T0
    #0 0x52f7a1 in build_stl_str_hl /home/fuzz/vim/src/buffer.c:4350:22
    #1 0xe6d8cf in win_redr_custom /home/fuzz/vim/src/screen.c:1104:13
    #2 0x6748f7 in redraw_custom_statusline /home/fuzz/vim/src/drawscreen.c:591:5
    #3 0x6726fa in win_redr_status /home/fuzz/vim/src/drawscreen.c:461:2
    #4 0x67ca0b in redraw_statuslines /home/fuzz/vim/src/drawscreen.c:3307:6
    #5 0x14bb8f8 in main_loop /home/fuzz/vim/src/main.c:1428:6
    #6 0x8943d2 in open_cmdwin /home/fuzz/vim/src/ex_getln.c:4546:5
    #7 0x879ed4 in getcmdline_int /home/fuzz/vim/src/ex_getln.c:1935:7
    #8 0x8746ce in getcmdline /home/fuzz/vim/src/ex_getln.c:1551:12
    #9 0xb8ccf8 in nv_search /home/fuzz/vim/src/normal.c:4138:22
    #10 0xb62f4b in normal_cmd /home/fuzz/vim/src/normal.c:939:5
    #11 0x83d7ae in exec_normal /home/fuzz/vim/src/ex_docmd.c:8888:6
    #12 0x83cfd8 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8851:5
    #13 0x83cb89 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8769:6
    #14 0x804e61 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2581:2
    #15 0x7f1885 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:994:17
    #16 0xea0575 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5
    #17 0xe9cfd6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12
    #18 0xe9c90c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14
    #19 0xe9bfee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2
    #20 0x804e61 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2581:2
    #21 0x7f1885 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:994:17
    #22 0x7f65d1 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:588:12
    #23 0x14b9732 in exe_commands /home/fuzz/vim/src/main.c:3146:2
    #24 0x14b58ce in vim_main2 /home/fuzz/vim/src/main.c:782:2
    #25 0x14aad69 in main /home/fuzz/vim/src/main.c:433:12
    #26 0x7efd4f54b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #27 0x41eaad in _start (/home/fuzz/vim/src/vim+0x41eaad)

0x602000006eb5 is located 0 bytes to the right of 5-byte region [0x602000006eb0,0x602000006eb5)
allocated by thread T0 here:
    #0 0x499d0d in malloc (/home/fuzz/vim/src/vim+0x499d0d)
    #1 0x4cb3ea in lalloc /home/fuzz/vim/src/alloc.c:246:11
    #2 0x4cb2ca in alloc /home/fuzz/vim/src/alloc.c:151:12
    #3 0xfd7296 in vim_strsave /home/fuzz/vim/src/strings.c:27:9
    #4 0xe6d865 in win_redr_custom /home/fuzz/vim/src/screen.c:1103:11
    #5 0x6748f7 in redraw_custom_statusline /home/fuzz/vim/src/drawscreen.c:591:5
    #6 0x6726fa in win_redr_status /home/fuzz/vim/src/drawscreen.c:461:2
    #7 0x67ca0b in redraw_statuslines /home/fuzz/vim/src/drawscreen.c:3307:6
    #8 0x14bb8f8 in main_loop /home/fuzz/vim/src/main.c:1428:6
    #9 0x8943d2 in open_cmdwin /home/fuzz/vim/src/ex_getln.c:4546:5
    #10 0x879ed4 in getcmdline_int /home/fuzz/vim/src/ex_getln.c:1935:7
    #11 0x8746ce in getcmdline /home/fuzz/vim/src/ex_getln.c:1551:12
    #12 0xb8ccf8 in nv_search /home/fuzz/vim/src/normal.c:4138:22
    #13 0xb62f4b in normal_cmd /home/fuzz/vim/src/normal.c:939:5
    #14 0x83d7ae in exec_normal /home/fuzz/vim/src/ex_docmd.c:8888:6
    #15 0x83cfd8 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8851:5
    #16 0x83cb89 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8769:6
    #17 0x804e61 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2581:2
    #18 0x7f1885 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:994:17
    #19 0xea0575 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672:5
    #20 0xe9cfd6 in do_source /home/fuzz/vim/src/scriptfile.c:1818:12
    #21 0xe9c90c in cmd_source /home/fuzz/vim/src/scriptfile.c:1163:14
    #22 0xe9bfee in ex_source /home/fuzz/vim/src/scriptfile.c:1189:2
    #23 0x804e61 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2581:2
    #24 0x7f1885 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:994:17
    #25 0x7f65d1 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:588:12
    #26 0x14b9732 in exe_commands /home/fuzz/vim/src/main.c:3146:2
    #27 0x14b58ce in vim_main2 /home/fuzz/vim/src/main.c:782:2
    #28 0x14aad69 in main /home/fuzz/vim/src/main.c:433:12
    #29 0x7efd4f54b082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/buffer.c:4350:22 in build_stl_str_hl
Shadow bytes around the buggy address:
  0x0c047fff8d80: fa fa 02 fa fa fa 00 02 fa fa 01 fa fa fa 07 fa
  0x0c047fff8d90: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
  0x0c047fff8da0: fa fa 01 fa fa fa 01 fa fa fa 01 fa fa fa 02 fa
  0x0c047fff8db0: fa fa 07 fa fa fa 02 fa fa fa 00 03 fa fa 00 fa
  0x0c047fff8dc0: fa fa 05 fa fa fa 01 fa fa fa 00 07 fa fa 07 fa
=>0x0c047fff8dd0: fa fa 01 fa fa fa[05]fa fa fa fd fd fa fa 00 03
  0x0c047fff8de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2441==ABORTING

poc_hor01_s.dat

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

We are processing your report and will contact the vim team within 24 hours. a year ago

We have contacted a member of the vim team and are waiting to hear back a year ago

Bram Moolenaar validated this vulnerability a year ago

I can reproduce it. The POC can be simplified a bit, the essential part is using "%0" at the end of the 'statusline' option.

Uinitech has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Bram Moolenaar

commented a year ago

Maintainer

Fixed with patch 9.0.1143

Bram Moolenaar marked this as fixed in 9.0.1143 with commit 7b17eb a year ago

Bram Moolenaar has been awarded the fix bounty

This vulnerability has been assigned a CVE

Bram Moolenaar published this vulnerability a year ago

to join this conversation