Use After Free in function bt_quickfix in vim/vim

Valid

Reported on

Oct 17th 2022


Description

Use After Free in function at buffer.c:5715 .

vim version

git log
commit 3f0092c141824356b55b11cd3985baaf4df65334 (grafted, HEAD -> master, tag: v9.0.0777, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc13_huaf.dat -c :qa!
=================================================================
==70030==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000033c20 at pc 0x562af9a11f95 bp 0x7ffef20b0c50 sp 0x7ffef20b0c40
READ of size 8 at 0x625000033c20 thread T0
    #0 0x562af9a11f94 in bt_quickfix /home/fuzz/vim/src/buffer.c:5715
    #1 0x562af9dde598 in is_qf_win /home/fuzz/vim/src/quickfix.c:4481
    #2 0x562af9dde8e4 in qf_find_buf /home/fuzz/vim/src/quickfix.c:4525
    #3 0x562af9ddec98 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4575
    #4 0x562af9dd2585 in qf_init_ext /home/fuzz/vim/src/quickfix.c:1859
    #5 0x562af9dedb84 in cexpr_core /home/fuzz/vim/src/quickfix.c:8053
    #6 0x562af9dedeb9 in ex_cexpr /home/fuzz/vim/src/quickfix.c:8105
    #7 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #8 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #9 0x562af9ff4ab1 in do_ucmd /home/fuzz/vim/src/usercmd.c:1895
    #10 0x562af9b65dce in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571
    #11 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #12 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
    #13 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
    #14 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
    #15 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
    #16 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
    #17 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
    #18 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #19 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #20 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #21 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
    #22 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #23 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #24 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #25 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #26 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
    #27 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
    #28 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
    #29 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432
    #30 0x7f7d2eace082 in __libc_start_main ../csu/libc-start.c:308
    #31 0x562af99d6e6d in _start (/home/fuzz/vim/src/vim+0x13ae6d)

0x625000033c20 is located 6944 bytes inside of 9392-byte region [0x625000032100,0x6250000345b0)
freed by thread T0 here:
    #0 0x7f7d2ef6540f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x562af99d7596 in vim_free /home/fuzz/vim/src/alloc.c:615
    #2 0x562af99f747a in free_buffer /home/fuzz/vim/src/buffer.c:973
    #3 0x562af99f653b in close_buffer /home/fuzz/vim/src/buffer.c:760
    #4 0x562af9a132d1 in wipe_buffer /home/fuzz/vim/src/buffer.c:5989
    #5 0x562af9a13188 in buf_contents_changed /home/fuzz/vim/src/buffer.c:5968
    #6 0x562af9bc3971 in buf_check_timestamp /home/fuzz/vim/src/fileio.c:4139
    #7 0x562af9b47a14 in do_ecmd /home/fuzz/vim/src/ex_cmds.c:2713
    #8 0x562af9b81a5d in do_exedit /home/fuzz/vim/src/ex_docmd.c:7184
    #9 0x562af9b80b64 in ex_edit /home/fuzz/vim/src/ex_docmd.c:7082
    #10 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #11 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #12 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
    #13 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
    #14 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
    #15 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
    #16 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
    #17 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
    #18 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #19 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #20 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #21 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
    #22 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #23 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #24 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #25 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #26 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
    #27 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
    #28 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
    #29 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432

previously allocated by thread T0 here:
    #0 0x7f7d2ef65808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x562af99d72aa in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x562af99d7140 in alloc_clear /home/fuzz/vim/src/alloc.c:177
    #3 0x562af99fcc6a in buflist_new /home/fuzz/vim/src/buffer.c:2139
    #4 0x562af9a12e5c in buf_contents_changed /home/fuzz/vim/src/buffer.c:5931
    #5 0x562af9bc3971 in buf_check_timestamp /home/fuzz/vim/src/fileio.c:4139
    #6 0x562af9b47a14 in do_ecmd /home/fuzz/vim/src/ex_cmds.c:2713
    #7 0x562af9b81a5d in do_exedit /home/fuzz/vim/src/ex_docmd.c:7184
    #8 0x562af9b80b64 in ex_edit /home/fuzz/vim/src/ex_docmd.c:7082
    #9 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #10 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #11 0x562afa007b50 in call_user_func /home/fuzz/vim/src/userfunc.c:2945
    #12 0x562afa008db9 in call_user_func_check /home/fuzz/vim/src/userfunc.c:3107
    #13 0x562afa00b62b in call_func /home/fuzz/vim/src/userfunc.c:3663
    #14 0x562afa001ec0 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
    #15 0x562afa017a39 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
    #16 0x562afa01984c in ex_call /home/fuzz/vim/src/userfunc.c:5971
    #17 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #18 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #19 0x562af9e870f9 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #20 0x562af9e8832e in do_source /home/fuzz/vim/src/scriptfile.c:1811
    #21 0x562af9e84dec in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #22 0x562af9e84e51 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #23 0x562af9b65e64 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #24 0x562af9b5cfcf in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #25 0x562af9b5b369 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
    #26 0x562afa16e108 in exe_commands /home/fuzz/vim/src/main.c:3135
    #27 0x562afa16727b in vim_main2 /home/fuzz/vim/src/main.c:781
    #28 0x562afa166b33 in main /home/fuzz/vim/src/main.c:432
    #29 0x7f7d2eace082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/buffer.c:5715 in bt_quickfix
Shadow bytes around the buggy address:
  0x0c4a7fffe730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffe780: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe7a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffe7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==70030==ABORTING

poc download url: https://github.com/Janette88/vim/blob/main/poc13_huaf.dat

Impact

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

I can reproduce it. The function argument is unused, it can be removed. The essence is that the split in the autocommand opens a window on the dummy buffer, that should not be allowed.

janette88 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.0789 with commit 8f3c3c a year ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability will not receive a CVE
Pavlos published this vulnerability a year ago
to join this conversation