Heap Use After Free in function ins_compl_get_exp in vim/vim

Valid

Reported on

Jan 22nd 2023


Description

Heap Use After Free in function ins_compl_get_exp at insexpand.c:3846

vim version

git log
commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -> master, tag: v9.0.1223, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf01_s.dat -c :qa!
=================================================================
==2302704==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000006394 at pc 0x555555d4d2c1 bp 0x7fffffffbcc0 sp 0x7fffffffbcb0
WRITE of size 4 at 0x625000006394 thread T0
    #0 0x555555d4d2c0 in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3846
    #1 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
    #2 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
    #3 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
    #4 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
    #5 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
    #6 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
    #7 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
    #8 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #9 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #10 0x555555b199ff in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #11 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #12 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #13 0x55555633a827 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672
    #14 0x55555633d026 in do_source /home/fuzz/vim/src/scriptfile.c:1818
    #15 0x555556335719 in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #16 0x555556335872 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #17 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #18 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #19 0x555555aa1bbc in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #20 0x555556adbcd0 in exe_commands /home/fuzz/vim/src/main.c:3146
    #21 0x555556ac5d78 in vim_main2 /home/fuzz/vim/src/main.c:782
    #22 0x555556ac3250 in main /home/fuzz/vim/src/main.c:433
    #23 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
    #24 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)

0x625000006394 is located 4756 bytes inside of 9424-byte region [0x625000005100,0x6250000075d0)
freed by thread T0 here:
    #0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x555555698b50 in vim_free /home/fuzz/vim/src/alloc.c:615
    #2 0x5555556ec3a1 in free_buffer /home/fuzz/vim/src/buffer.c:984
    #3 0x5555556e9f36 in close_buffer /home/fuzz/vim/src/buffer.c:769
    #4 0x5555556ee794 in empty_curbuf /home/fuzz/vim/src/buffer.c:1246
    #5 0x5555556f1c07 in do_buffer_ext /home/fuzz/vim/src/buffer.c:1439
    #6 0x5555556f5da5 in do_buffer /home/fuzz/vim/src/buffer.c:1652
    #7 0x5555556f5f53 in do_bufdel /home/fuzz/vim/src/buffer.c:1686
    #8 0x555555af1448 in ex_bunload /home/fuzz/vim/src/ex_docmd.c:5543
    #9 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #10 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #11 0x555556722c9c in call_user_func /home/fuzz/vim/src/userfunc.c:3041
    #12 0x55555672545f in call_user_func_check /home/fuzz/vim/src/userfunc.c:3203
    #13 0x55555672bbf6 in call_func /home/fuzz/vim/src/userfunc.c:3759
    #14 0x555556727e3b in call_callback /home/fuzz/vim/src/userfunc.c:3504
    #15 0x55555653cd8f in find_tagfunc_tags /home/fuzz/vim/src/tag.c:1480
    #16 0x5555565415b9 in findtags_apply_tfu /home/fuzz/vim/src/tag.c:1847
    #17 0x555556552ed2 in find_tags /home/fuzz/vim/src/tag.c:3153
    #18 0x555555d46a70 in get_next_tag_completion /home/fuzz/vim/src/insexpand.c:3400
    #19 0x555555d4b5d2 in get_next_completion_match /home/fuzz/vim/src/insexpand.c:3715
    #20 0x555555d4cbad in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3823
    #21 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
    #22 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
    #23 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
    #24 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
    #25 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
    #26 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
    #27 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
    #28 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #29 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850

previously allocated by thread T0 here:
    #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x5555556978ce in alloc_clear /home/fuzz/vim/src/alloc.c:177
    #3 0x5555556fcc86 in buflist_new /home/fuzz/vim/src/buffer.c:2156
    #4 0x55555692e35a in win_alloc_firstwin /home/fuzz/vim/src/window.c:4251
    #5 0x55555692da9e in win_alloc_first /home/fuzz/vim/src/window.c:4185
    #6 0x555556ac6cd4 in common_init /home/fuzz/vim/src/main.c:976
    #7 0x555556ac204e in main /home/fuzz/vim/src/main.c:186
    #8 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/insexpand.c:3846 in ins_compl_get_exp
==2302704==ABORTING

poc_huaf01_s.dat

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly allowing remote code execution.
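The two stack traces above give the shape of the bug: ins_compl_get_exp calls into a user-defined 'tagfunc' callback (via find_tags), that callback runs :bunload, which frees the current buffer, and the completion code then writes a 4-byte field inside the freed buf_T. The C model below is added here as an illustration and is not vim's source or the 9.0.1858 fix; buf_t, buflist, buf_unload, buf_valid and the tagfunc callbacks are hypothetical stand-ins, and it contrasts the vulnerable "cache pointer, run user code, write" shape with a caller that re-validates the pointer after the callback.

```c
#include <stdlib.h>
/* Hypothetical buffer object; vim's buf_T is far larger, but the failure shape is the same. */
typedef struct buf_s {
    struct buf_s *next;
    int compl_hits;        /* field the completion code writes after the callback */
} buf_t;
static buf_t *buflist;     /* constructed global list, standing in for vim's buffer list */
static buf_t *curbuf;      /* current buffer, as in vim */

static buf_t *buflist_new(void) {
    buf_t *b = calloc(1, sizeof *b);
    if (!b) abort();
    b->next = buflist; buflist = b; curbuf = b;
    return b;
}

/* Unlink and free a buffer, as :bunload does; user code may trigger this. */
static void buf_unload(buf_t *b) {
    for (buf_t **pp = &buflist; *pp; pp = &(*pp)->next)
        if (*pp == b) { *pp = b->next; break; }
    if (curbuf == b) curbuf = buflist;     /* may become NULL */
    free(b);
}

/* Is b still in the buffer list? This is the post-callback validation. */
static int buf_valid(const buf_t *b) {
    for (const buf_t *p = buflist; p; p = p->next) if (p == b) return 1;
    return 0;
}

typedef void (*tagfunc_cb)(void);
/* Vulnerable shape: cache curbuf, run user code, write through the cached pointer. */
static int compl_get_exp_unsafe(tagfunc_cb cb) {
    buf_t *b = curbuf;
    cb();
    b->compl_hits++;                       /* use-after-free if cb() unloaded b */
    return 1;
}

/* Hardened shape: re-validate the cached pointer before touching it. */
static int compl_get_exp_safe(tagfunc_cb cb) {
    buf_t *b = curbuf;
    cb();
    if (!buf_valid(b)) return 0;           /* freed during the callback: abandon */
    b->compl_hits++;
    return 1;
}
/* Sample callbacks: one benign, one that unloads the current buffer. */
static void benign_tagfunc(void) { }
static void unloading_tagfunc(void) { buf_unload(curbuf); }
```

Running compl_get_exp_unsafe with unloading_tagfunc under AddressSanitizer reproduces a heap-use-after-free WRITE of the same kind as the report, while the validated variant returns 0 and leaves the remaining buffers untouched.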

Timeline

We are processing your report and will contact the vim team within 24 hours. (8 months ago)
We have contacted a member of the vim team and are waiting to hear back. (8 months ago)

Uinitech (Researcher), 7 months ago:

This issue still exists with the current Vim version.

Christian Brabandt validated this vulnerability 18 days ago
Uinitech has been awarded the disclosure bounty
Christian Brabandt marked this as fixed in 9.0.1858 with commit ee9166 18 days ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 18 days ago