heap-buffer-overflow in vim_regsub_both in vim/vim

Valid

Reported on

Mar 27th 2023


Description

Heap-based buffer overflow (out-of-bounds write) in vim_regsub_both() at regexp.c:2473, reached from ex_substitute() (the :substitute command) while Vim sources a crafted script.

Vim Version

git log
commit 1a08a3e2a584889f19b84a27672134649b73da58 (HEAD -> master, tag: v9.0.1429, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S POC_vim_regsub_both -c :qa!

(Vim is started headless in silent Ex mode with no vimrc, no viminfo and no swap file, in restricted mode, sourcing the POC_vim_regsub_both script (the researcher's attachment, not reproduced on this page) and then quitting. The ASan-instrumented build reports the overflow while the script's :substitute command runs.)
=================================================================
==559305==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000bc37 at pc 0x55e89c179cab bp 0x7ffdc3294b40 sp 0x7ffdc3294b30
WRITE of size 1 at 0x60600000bc37 thread T0
    #0 0x55e89c179caa in vim_regsub_both /home/Desktop/Fuzz/vim/src/regexp.c:2473
    #1 0x55e89c258b76 in vim_regsub_multi /home/Desktop/Fuzz/vim/src/regexp.c:1964
    #2 0x55e89bb81212 in ex_substitute /home/Desktop/Fuzz/vim/src/ex_cmds.c:4647
    #3 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #4 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #5 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #6 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #7 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #8 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #9 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #10 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #11 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #12 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #13 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #14 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #15 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #16 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #17 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #18 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #19 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #20 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #21 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #22 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #23 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #24 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #25 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #26 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #27 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #28 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #29 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #30 0x55e89c2d321b in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1233
    #31 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #32 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #33 0x55e89c2cc655 in do_source_ext /home/Desktop/Fuzz/vim/src/scriptfile.c:1759
    #34 0x55e89c2d2f20 in do_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1905
    #35 0x55e89c2d2f20 in cmd_source /home/Desktop/Fuzz/vim/src/scriptfile.c:1250
    #36 0x55e89bbf5094 in do_one_cmd /home/Desktop/Fuzz/vim/src/ex_docmd.c:2580
    #37 0x55e89bbf5094 in do_cmdline /home/Desktop/Fuzz/vim/src/ex_docmd.c:993
    #38 0x55e89c92eb91 in exe_commands /home/Desktop/Fuzz/vim/src/main.c:3150
    #39 0x55e89c92eb91 in vim_main2 /home/Desktop/Fuzz/vim/src/main.c:782
    #40 0x55e89b829457 in main /home/Desktop/Fuzz/vim/src/main.c:433
    #41 0x7f3f1299ed8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #42 0x7f3f1299ee3f in __libc_start_main_impl ../csu/libc-start.c:392
    #43 0x55e89b830104 in _start (/home/Desktop/Fuzz/vim/src/vim+0x19d104)

0x60600000bc37 is located 3 bytes to the right of 52-byte region [0x60600000bc00,0x60600000bc34)
allocated by thread T0 here:
    #0 0x7f3f13438867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55e89b83065a in lalloc /home/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/Desktop/Fuzz/vim/src/regexp.c:2473 in vim_regsub_both
Shadow bytes around the buggy address:
  0x0c0c7fff9730: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9740: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9750: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9760: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9770: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff9780: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==559305==ABORTING
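When a fuzzing run produces a report like the one above, the first thing a practitioner does is extract the facts that matter for triage and deduplication: the bug class, the access type and size, the frame to blame, the allocating frame, and the overflow geometry recomputed from the raw addresses rather than taken from ASan's prose line. The following helper is an added example and is not part of the report or of Vim; it assumes the project source root /home/Desktop/Fuzz/vim/src/ seen in the trace and uses an excerpt of the report above as its sample input.

```python
import os
import re

# Sample input: the top of the ASan report reproduced above, trimmed to the
# frames that matter for triage (the full report on the page is equivalent).
SAMPLE_REPORT = """\
==559305==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000bc37 at pc 0x55e89c179cab bp 0x7ffdc3294b40 sp 0x7ffdc3294b30
WRITE of size 1 at 0x60600000bc37 thread T0
    #0 0x55e89c179caa in vim_regsub_both /home/Desktop/Fuzz/vim/src/regexp.c:2473
    #1 0x55e89c258b76 in vim_regsub_multi /home/Desktop/Fuzz/vim/src/regexp.c:1964
    #2 0x55e89bb81212 in ex_substitute /home/Desktop/Fuzz/vim/src/ex_cmds.c:4647

0x60600000bc37 is located 3 bytes to the right of 52-byte region [0x60600000bc00,0x60600000bc34)
allocated by thread T0 here:
    #0 0x7f3f13438867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55e89b83065a in lalloc /home/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/Desktop/Fuzz/vim/src/regexp.c:2473 in vim_regsub_both
"""

# Assumed project source root (taken from the trace above); frames outside
# it (libc, the ASan runtime) are skipped when picking the frame to blame.
PROJECT_ROOT = "/home/Desktop/Fuzz/vim/src/"

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>.+?)\s*$", re.M)
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes to the (?P<side>left|right) "
    r"of (?P<size>\d+)-byte region \[(?P<start>0x[0-9a-f]+),(?P<end>0x[0-9a-f]+)\)")


def parse_frames(block):
    """Turn '#N 0x... in func file:line' lines into dicts; line is None if absent."""
    frames = []
    for m in FRAME_RE.finditer(block):
        path, _, line = m.group("loc").rpartition(":")
        if not line.isdigit():
            path, line = m.group("loc"), None
        frames.append({"func": m.group("func"), "file": path,
                       "line": int(line) if line else None})
    return frames


def first_project_frame(frames, root=PROJECT_ROOT):
    """First frame inside the project tree, else the top frame."""
    for f in frames:
        if f["file"].startswith(root):
            return f
    return frames[0] if frames else None


def triage(report, root=PROJECT_ROOT):
    """Extract the facts a fuzz-triage pipeline records for a heap report."""
    err, acc, reg = ERROR_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (err and acc and reg):
        raise ValueError("not a recognisable ASan heap report")

    # ASan prints the faulting stack first and the allocation stack after
    # "allocated by"; split there so the two are not confused.
    crash_part, _, alloc_part = report.partition("allocated by")
    crash_frame = first_project_frame(parse_frames(crash_part), root)
    alloc_frame = first_project_frame(parse_frames(alloc_part), root)

    # Recompute the overflow geometry from the raw addresses instead of
    # trusting the prose line, then check that the two agree.
    addr = int(acc.group("addr"), 16)
    start, end = int(reg.group("start"), 16), int(reg.group("end"), 16)
    if addr >= end:
        side, dist = "right", addr - end
    elif addr < start:
        side, dist = "left", start - addr
    else:
        side, dist = "inside", 0
    consistent = (end - start == int(reg.group("size"))
                  and (side, dist) == (reg.group("side"), int(reg.group("dist"))))

    # Bucket key used to deduplicate crashes across a fuzzing campaign.
    bucket = "{}:{}:{}:{}:{}".format(err.group("kind"), acc.group("access"),
                                     crash_frame["func"],
                                     os.path.basename(crash_frame["file"]),
                                     crash_frame["line"])
    return {
        "kind": err.group("kind"),
        "access": acc.group("access"),
        "access_size": int(acc.group("size")),
        "crash_frame": crash_frame,
        "alloc_frame": alloc_frame,
        "region_size": end - start,
        "side": side,
        "offset_past_end": dist if side == "right" else None,
        "consistent": consistent,
        "bucket": bucket,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_REPORT).items():
        print(f"{k}: {v}")
```

For this report the helper confirms what ASan states: a 1-byte WRITE landing 3 bytes past the end of a 52-byte region allocated by lalloc(), so the last byte of the write sits at offset 55 of a buffer whose valid indices end at 51. The bucket key (bug class, access type, blamed function and file:line) is what lets a campaign collapse many fuzzer inputs that hit this same site into one report.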

Impact

This vulnerability can crash Vim and corrupt heap memory: ASan reports a 1-byte write 3 bytes past the end of a 52-byte heap allocation while a crafted :substitute command runs from a sourced script. Arbitrary code execution is not demonstrated here; it would require turning the out-of-bounds write into control over adjacent heap data. Exploitation requires the victim to source or otherwise execute attacker-controlled Vim script.

References

We are processing your report and will contact the vim team within 24 hours. 6 months ago
We have contacted a member of the vim team and are waiting to hear back 6 months ago
Bram Moolenaar
4 months ago

Maintainer


Sorry, for the slow reply, I didn't have a chance to look into this yet. The POC is very long and contains many special characters and unusual commands. Have you tried making it shorter, leaving out parts that are not needed for reproducing the problem?

hikari446
4 months ago

Researcher


Hi, I did my best to shorten it. Hope this works for you. POC

Christian Brabandt validated this vulnerability 19 days ago
hikari446 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian
19 days ago

Maintainer


Thanks, I think I fixed it now

Christian Brabandt marked this as fixed in 9.0.1848 with commit ced2c7 19 days ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 19 days ago