heap-buffer-overflow in function inc at misc2.c in vim/vim
Valid
Reported on Oct 14th 2022
Description
heap-buffer-overflow in function inc at misc2.c:356:6
vim version
git log
commit ba43e76fcd5b2da57dbaa4d9a555793fe8ac344e (HEAD -> master, tag: v9.0.0747, origin/master, origin/HEAD)
Proof of Concept
# ./src/vim -u NONE -X -Z -e -s -S ./poc -c ':qa!'
=================================================================
==2826727==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000782f at pc 0x560f6f87732f bp 0x7ffda688e1f0 sp 0x7ffda688e1e8
READ of size 1 at 0x60200000782f thread T0
#0 0x560f6f87732e in inc /root/vim/src/misc2.c:356:6
#1 0x560f6f8ec068 in nv_put_opt /root/vim/src/normal.c:7375:3
#2 0x560f6f8da200 in nv_brackets /root/vim/src/normal.c:4502:2
#3 0x560f6f8b662b in normal_cmd /root/vim/src/normal.c:920:5
#4 0x560f6f6c13f4 in exec_normal /root/vim/src/ex_docmd.c
#5 0x560f6f6c06c7 in exec_normal_cmd /root/vim/src/ex_docmd.c:8816:5
#6 0x560f6f6c06c7 in ex_normal /root/vim/src/ex_docmd.c:8734:6
#7 0x560f6f69906a in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
#8 0x560f6f69906a in do_cmdline /root/vim/src/ex_docmd.c:990:17
#9 0x560f6fab2430 in do_source_ext /root/vim/src/scriptfile.c:1667:5
#10 0x560f6fab010c in do_source /root/vim/src/scriptfile.c:1811:12
#11 0x560f6fab010c in cmd_source /root/vim/src/scriptfile.c:1163:14
#12 0x560f6f69906a in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
#13 0x560f6f69906a in do_cmdline /root/vim/src/ex_docmd.c:990:17
#14 0x560f6fe4c5d3 in exe_commands /root/vim/src/main.c:3135:2
#15 0x560f6fe4c5d3 in vim_main2 /root/vim/src/main.c:781:2
#16 0x560f6fe4998f in main /root/vim/src/main.c:432:12
#17 0x7f0dc1335d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#18 0x7f0dc1335e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#19 0x560f6f3f51f4 in _start (/root/vim/src/vim+0x1c41f4) (BuildId: 2bd6897ad54c4face0a7fa43a2ad04d588a03e15)
0x60200000782f is located 1 bytes to the left of 2-byte region [0x602000007830,0x602000007832)
allocated by thread T0 here:
#0 0x560f6f47803e in __interceptor_malloc (/root/vim/src/vim+0x24703e) (BuildId: 2bd6897ad54c4face0a7fa43a2ad04d588a03e15)
#1 0x560f6f4b3247 in lalloc /root/vim/src/alloc.c:246:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/vim/src/misc2.c:356:6 in inc
Shadow bytes around the buggy address:
0x0c047fff8eb0: fa fa fd fa fa fa 01 fa fa fa 01 fa fa fa 01 fa
0x0c047fff8ec0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8ed0: fa fa 02 fa fa fa fd fa fa fa fd fa fa fa 02 fa
0x0c047fff8ee0: fa fa 01 fa fa fa 01 fa fa fa 02 fa fa fa 01 fa
0x0c047fff8ef0: fa fa 01 fa fa fa 06 fa fa fa fd fa fa fa 01 fa
=>0x0c047fff8f00: fa fa 01 fa fa[fa]02 fa fa fa fa fa fa fa fa fa
0x0c047fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2826727==ABORTING
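The report above ends where AddressSanitizer aborts. When triaging many such reports, the fields that matter are in a handful of lines: the bug kind, the access type and size, the faulting frame, and the relation between the accessed address and the allocated region. The following Python helper, added here as an illustration and not part of the submitted report or of vim, pulls those fields out of a trimmed copy of this report (constructed sample input; frames and the shadow-byte dump shortened) and cross-checks ASan's "N bytes to the left of" statement against the printed addresses, which shows that this particular access is a one-byte read just before the start of a 2-byte allocation.

```python
import re

# Constructed input: a trimmed copy of the AddressSanitizer report above (frames and
# shadow-byte dump shortened); the field values are the ones the report prints.
SAMPLE_REPORT = """\
==2826727==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000782f at pc 0x560f6f87732f bp 0x7ffda688e1f0 sp 0x7ffda688e1e8
READ of size 1 at 0x60200000782f thread T0
    #0 0x560f6f87732e in inc /root/vim/src/misc2.c:356:6
    #1 0x560f6f8ec068 in nv_put_opt /root/vim/src/normal.c:7375:3
    #2 0x560f6f8da200 in nv_brackets /root/vim/src/normal.c:4502:2
0x60200000782f is located 1 bytes to the left of 2-byte region [0x602000007830,0x602000007832)
allocated by thread T0 here:
    #0 0x560f6f47803e in __interceptor_malloc (/root/vim/src/vim+0x24703e)
    #1 0x560f6f4b3247 in lalloc /root/vim/src/alloc.c:246:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/vim/src/misc2.c:356:6 in inc
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME_RE = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes (?P<side>to the left of|to the right of|inside of) "
    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")


def split_location(loc):
    """Split 'path:line:col' into (path, line or None); tolerate frames without a line."""
    parts = loc.rsplit(":", 2)
    if len(parts) == 3 and parts[1].isdigit():
        return parts[0], int(parts[1])
    return loc, None


def parse_asan(text):
    """Extract the triage fields from an ASan heap report and cross-check them.

    Returns a dict with the bug kind, access type/size, the faulting frame, the
    allocation region size, the signed offset of the access from the region start,
    and whether ASan's own "N bytes to the left/right" statement agrees with the
    printed addresses.
    """
    err = ERROR_RE.search(text)
    acc = ACCESS_RE.search(text)
    reg = REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a complete AddressSanitizer heap report")

    # The first frame after the access line is the faulting frame; the allocation
    # stack comes later, after "allocated by".
    frame = FRAME_RE.search(text, acc.end())
    func, loc = (frame.group("func"), frame.group("loc")) if frame else (None, "")
    path, line = split_location(loc)

    addr = int(acc.group("addr"), 16)
    lo, hi = int(reg.group("lo"), 16), int(reg.group("hi"), 16)
    dist = int(reg.group("dist"))

    if addr < lo:
        direction, computed = "before-start", lo - addr
    elif addr >= hi:
        direction, computed = "past-end", addr - hi
    else:
        direction, computed = "inside", addr - lo

    return {
        "kind": err.group("kind"),
        "op": acc.group("op"),
        "size": int(acc.group("size")),
        "fault_function": func,
        "fault_file": path,
        "fault_line": line,
        "region_size": int(reg.group("rsize")),
        "offset": addr - lo,          # negative: access lies before the allocation
        "direction": direction,
        "consistent": computed == dist,
    }


if __name__ == "__main__":
    for key, value in parse_asan(SAMPLE_REPORT).items():
        print(f"{key:>15}: {value}")
```

The signed offset is the useful triage value: a negative offset (as here) points at pointer arithmetic that steps backwards from the start of a buffer, whereas a positive offset at or beyond the region size points at a missing length check; the consistency flag guards against reports that were edited or truncated in transit.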
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
Impact
This vulnerability is capable of crashing the software, modifying memory, and possibly remote code execution.
We are processing your report and will contact the vim team within 24 hours.
7 months ago
ex7l0it modified the report
7 months ago
We have contacted a member of the vim team and are waiting to hear back
7 months ago
I can reproduce it. The POC can be drastically simplified; please save me time by doing that before creating an issue.
ex7l0it has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7