We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Heap Use After Free in function ex_diffgetput in vim/vim

Valid

Reported on

Jun 29th 2022

Description

Heap Use After Free in function ex_diffgetput at diff.c:2790

vim version

git log
commit 75417d960bd17a5b701cfb625b8864dacaf0cc39 (HEAD -> master, tag: v9.0.0001, origin/master, origin/HEAD)

POC

./afl/src/vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf3_s.dat -c :qa!

=================================================================
==683647==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d000009018 at pc 0x0000005fb91f bp 0x7fffffff7870 sp 0x7fffffff7868
READ of size 8 at 0x60d000009018 thread T0
    #0 0x5fb91e in ex_diffgetput /home/fuzz/fuzz/vim/afl/src/diff.c:2790:6
    #1 0x5f9af2 in nv_diffgetput /home/fuzz/fuzz/vim/afl/src/diff.c:2642:5
    #2 0xb6c9ac in nv_put_opt /home/fuzz/fuzz/vim/afl/src/normal.c:7262:6
    #3 0xb52d27 in nv_put /home/fuzz/fuzz/vim/afl/src/normal.c:7237:5
    #4 0xb1fe8f in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:939:5
    #5 0x81539e in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8812:6
    #6 0x814bc8 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8775:5
    #7 0x814779 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8693:6
    #8 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #9 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #10 0xe59ece in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #11 0xe56966 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #12 0xe562a3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #13 0xe559ae in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #14 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #15 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #16 0x7cf231 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #17 0x1424092 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #18 0x142022b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #19 0x141573d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #20 0x7ffff7bee082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #21 0x41ea5d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea5d)

0x60d000009018 is located 8 bytes inside of 136-byte region [0x60d000009010,0x60d000009098)
freed by thread T0 here:
    #0 0x499a52 in free (/home/fuzz/fuzz/vim/afl/src/vim+0x499a52)
    #1 0x4cbdf6 in vim_free /home/fuzz/fuzz/vim/afl/src/alloc.c:624:2
    #2 0x5eae9f in diff_mark_adjust_tp /home/fuzz/fuzz/vim/afl/src/diff.c:522:6
    #3 0x5e8d09 in diff_mark_adjust /home/fuzz/fuzz/vim/afl/src/diff.c:279:6
    #4 0xa28dd2 in mark_adjust_internal /home/fuzz/fuzz/vim/afl/src/mark.c:1172:5
    #5 0xa23ce8 in mark_adjust /home/fuzz/fuzz/vim/afl/src/mark.c:1004:5
    #6 0x5fce79 in ex_diffgetput /home/fuzz/fuzz/vim/afl/src/diff.c:2905:3
    #7 0x5f9af2 in nv_diffgetput /home/fuzz/fuzz/vim/afl/src/diff.c:2642:5
    #8 0xb6c9ac in nv_put_opt /home/fuzz/fuzz/vim/afl/src/normal.c:7262:6
    #9 0xb52d27 in nv_put /home/fuzz/fuzz/vim/afl/src/normal.c:7237:5
    #10 0xb1fe8f in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:939:5
    #11 0x81539e in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8812:6
    #12 0x814bc8 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8775:5
    #13 0x814779 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8693:6
    #14 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #15 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #16 0xe59ece in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #17 0xe56966 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #18 0xe562a3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #19 0xe559ae in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #20 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #21 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #22 0x7cf231 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #23 0x1424092 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #24 0x142022b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #25 0x141573d in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #26 0x7ffff7bee082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x499cbd in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cbd)
    #1 0x4cb392 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
    #2 0x4cb27a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
    #3 0x600782 in diff_alloc_new /home/fuzz/fuzz/vim/afl/src/diff.c:558:12
    #4 0x605c2b in diff_read /home/fuzz/fuzz/vim/afl/src/diff.c:1829:11
    #5 0x5ef64e in diff_try_update /home/fuzz/fuzz/vim/afl/src/diff.c:905:2
    #6 0x5ee4d9 in ex_diffupdate /home/fuzz/fuzz/vim/afl/src/diff.c:991:5
    #7 0x5ff67a in diff_lnum_win /home/fuzz/fuzz/vim/afl/src/diff.c:3158:2
    #8 0x545e5a in changed_bytes /home/fuzz/fuzz/vim/afl/src/change.c:728:11
    #9 0x54d67e in ins_char_bytes /home/fuzz/fuzz/vim/afl/src/change.c:1125:5
    #10 0x54e0ab in ins_char /home/fuzz/fuzz/vim/afl/src/change.c:1014:5
    #11 0x6979df in insertchar /home/fuzz/fuzz/vim/afl/src/edit.c:2275:6
    #12 0x68fa79 in insert_special /home/fuzz/fuzz/vim/afl/src/edit.c:2038:2
    #13 0x675137 in edit /home/fuzz/fuzz/vim/afl/src/edit.c:1359:3
    #14 0xb6a9cc in invoke_edit /home/fuzz/fuzz/vim/afl/src/normal.c:7035:9
    #15 0xb6c6e4 in n_opencmd /home/fuzz/fuzz/vim/afl/src/normal.c:6279:6
    #16 0xb52cc6 in nv_open /home/fuzz/fuzz/vim/afl/src/normal.c:7416:2
    #17 0xb1fe8f in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:939:5
    #18 0x81539e in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8812:6
    #19 0x814bc8 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8775:5
    #20 0x814779 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8693:6
    #21 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #22 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #23 0xe59ece in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #24 0xe56966 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #25 0xe562a3 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #26 0xe559ae in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #27 0x7dd6f9 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #28 0x7ca5b5 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #29 0x7cf231 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/fuzz/vim/afl/src/diff.c:2790:6 in ex_diffgetput
Shadow bytes around the buggy address:
  0x0c1a7fff91b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff91c0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c1a7fff91d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff91e0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a7fff91f0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c1a7fff9200: fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a7fff9210: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a7fff9220: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c1a7fff9230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==683647==ABORTING

poc_huaf3_s.dat

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

I can reproduce it. The POC is too complicated to use as a test. Can you do it without the mapping of "0"?

Uinitech has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
a year ago

Maintainer

Fixed with patch 9.0.0026

Bram Moolenaar marked this as fixed in 9.0 with commit c5274d a year ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation