Out-of-bounds Read in function suggest_trie_walk in vim/vim

Valid

Reported on

Jun 16th 2022


Description

Out-of-bounds Read in function suggest_trie_walk at spellsuggest.c:1437

vim version

git log
commit 83497f875881973df772cc4cc593766345df6c4a (HEAD -> master, tag: v8.2.5105, origin/master, origin/HEAD)

POC

root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src# ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_obr1_s.dat -c :qa!
=================================================================
==25892==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcd478687f at pc 0x000000f6de1a bp 0x7ffcd4781cd0 sp 0x7ffcd4781cc8
READ of size 1 at 0x7ffcd478687f thread T0
    #0 0xf6de19 in suggest_trie_walk /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:1437:20
    #1 0xf6a08d in suggest_try_change /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:1217:2
    #2 0xf61979 in spell_suggest_intern /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:1013:5
    #3 0xf5ce9a in spell_find_suggest /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:888:6
    #4 0xf5879d in spell_suggest /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:554:5
    #5 0xb63f84 in nv_zet /home/fuzz/fuzz/vim/afl/src/normal.c:3007:7
    #6 0xb1f59f in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:939:5
    #7 0x814eee in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8808:6
    #8 0x814718 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8771:5
    #9 0x8142c9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8689:6
    #10 0x7dd249 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #11 0x7ca105 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #12 0xe58b5e in do_source_ext /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1674:5
    #13 0xe555f6 in do_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1801:12
    #14 0xe54f33 in cmd_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1174:14
    #15 0xe5463e in ex_source /home/fuzz/fuzz/vim/afl/src/scriptfile.c:1200:2
    #16 0x7dd249 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #17 0x7ca105 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #18 0x7ced81 in do_cmdline_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:586:12
    #19 0x1422702 in exe_commands /home/fuzz/fuzz/vim/afl/src/main.c:3133:2
    #20 0x141e89b in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:780:2
    #21 0x1413dad in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #22 0x7f3842261082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #23 0x41ea4d in _start (/home/fuzz/fuzz/vim/afl/src/vim+0x41ea4d)

Address 0x7ffcd478687f is located in stack of thread T0 at offset 287 in frame
    #0 0xf69a5f in suggest_try_change /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:1184

  This frame has 1 object(s):
    [32, 286) 'fword' (line 1185) <== Memory access at offset 287 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/fuzz/vim/afl/src/spellsuggest.c:1437:20 in suggest_trie_walk
Shadow bytes around the buggy address:
  0x10001a8e8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8ce0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x10001a8e8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10001a8e8d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[06]
  0x10001a8e8d10: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x10001a8e8d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10001a8e8d50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==25892==ABORTING

poc_obr1_s.dat

Impact

This vulnerabilities are capable of crashing software, Modify Memory, and possible remote execution

We are processing your report and will contact the vim team within 24 hours. 10 days ago
We have contacted a member of the vim team and are waiting to hear back 9 days ago
Bram Moolenaar validated this vulnerability 7 days ago

I can reproduce the problem and found a fix.

TDHX ICS Security has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
7 days ago

Maintainer


Fixed with Patch 8.2.5123

Bram Moolenaar confirmed that a fix has been merged on 156d39 7 days ago
Bram Moolenaar has been awarded the fix bounty
to join this conversation