Use After Free in function bt_quickfix in vim/vim
Valid
Reported on
Oct 17th 2022
Description
Use After Free in function at buffer.c:5715 .
vim version
git log
commit 3f0092c141824356b55b11cd3985baaf4df65334 (grafted, HEAD -> master, tag: v9.0.0777, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc13_huaf.dat -c :qa!
=================================================================
==70030==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000033c20 at pc 0x562af9a11f95 bp 0x7ffef20b0c50 sp 0x7ffef20b0c40
READ of size 8 at 0x625000033c20 thread T0
#0 0x562af9a11f94 in bt_quickfix /home/fuzz/vim/src/buffer.c:5715
#1 0x562af9dde598 in is_qf_win /home/fuzz/vim/src/quickfix.c:4481
#2 0x562af9dde8e4 in qf_find_buf /home/fuzz/vim/src/quickfix.c:4525
#3 0x562af9ddec98 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4575
#4 0x562af9dd2585 in qf_init_ext /home/fuzz/vim/src/quickfix.c:1859
#5 0x562af9dedb84 in cexpr_core /home/fuzz/vim/src/quickfix.c:8053
#6 0x562af9dedeb9 in ex_cexpr /home/fuzz/vim/src/quickfix.c:8105
#7 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#8 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#9 0x562af9ff4ab1 in do_ucmd /home/fuzz/vim/src/usercmd.c:1895
#10 0x562af9b65dce in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571
#11 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#12 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
#13 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
#14 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
#15 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
#16 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
#17 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
#18 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#19 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#20 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
#21 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
#22 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
#23 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
#24 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#25 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#26 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
#27 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
#28 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
#29 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432
#30 0x7f7d2eace082 in __libc_start_main ../csu/libc-start.c:308
#31 0x562af99d6e6d in _start (/home/fuzz/vim/src/vim+0x13ae6d)
0x625000033c20 is located 6944 bytes inside of 9392-byte region [0x625000032100,0x6250000345b0)
freed by thread T0 here:
#0 0x7f7d2ef6540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x562af99d7596 in vim_free /home/fuzz/vim/src/alloc.c:615
#2 0x562af99f747a in free_buffer /home/fuzz/vim/src/buffer.c:973
#3 0x562af99f653b in close_buffer /home/fuzz/vim/src/buffer.c:760
#4 0x562af9a132d1 in wipe_buffer /home/fuzz/vim/src/buffer.c:5989
#5 0x562af9a13188 in buf_contents_changed /home/fuzz/vim/src/buffer.c:5968
#6 0x562af9bc3971 in buf_check_timestamp /home/fuzz/vim/src/fileio.c:4139
#7 0x562af9b47a14 in do_ecmd /home/fuzz/vim/src/ex_cmds.c:2713
#8 0x562af9b81a5d in do_exedit /home/fuzz/vim/src/ex_docmd.c:7184
#9 0x562af9b80b64 in ex_edit /home/fuzz/vim/src/ex_docmd.c:7082
#10 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#11 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#12 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
#13 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
#14 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
#15 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
#16 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
#17 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
#18 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#19 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#20 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
#21 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
#22 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
#23 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
#24 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#25 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#26 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
#27 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
#28 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
#29 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432
previously allocated by thread T0 here:
#0 0x7f7d2ef65808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x562af99d72aa in lalloc /home/fuzz/vim/src/alloc.c:246
#2 0x562af99d7140 in alloc_clear /home/fuzz/vim/src/alloc.c:177
#3 0x562af99fcc6a in buflist_new /home/fuzz/vim/src/buffer.c:2139
#4 0x562af9a12e5c in buf_contents_changed /home/fuzz/vim/src/buffer.c:5931
#5 0x562af9bc3971 in buf_check_timestamp /home/fuzz/vim/src/fileio.c:4139
#6 0x562af9b47a14 in do_ecmd /home/fuzz/vim/src/ex_cmds.c:2713
#7 0x562af9b81a5d in do_exedit /home/fuzz/vim/src/ex_docmd.c:7184
#8 0x562af9b80b64 in ex_edit /home/fuzz/vim/src/ex_docmd.c:7082
#9 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#10 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#11 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
#12 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
#13 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
#14 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
#15 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
#16 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
#17 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#18 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#19 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
#20 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
#21 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
#22 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
#23 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
#24 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
#25 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
#26 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
#27 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
#28 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432
#29 0x7f7d2eace082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/buffer.c:5715 in bt_quickfix
Shadow bytes around the buggy address:
0x0c4a7fffe730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffe780: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffe7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==70030==ABORTING
poc download url: https://github.com/Janette88/vim/blob/main/poc13_huaf.dat
Impact
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
We are processing your report and will contact the
vim
team within 24 hours.
a year ago
We have contacted a member of the
vim
team and are waiting to hear back
a year ago
I can reproduce it. The function argument is unused, it can be removed. The essence is that the split in the autocommand opens a window on the dummy buffer, that should not be allowed.
janette88
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
to join this conversation