heap-buffer-overflow in function vim_regsub_both in vim/vim

Valid

Reported on

Sep 4th 2023


Description

heap-buffer-overflow in vim_regsub_both at regexp.c:2482

Version

git log
commit e073a8b79f1d3398b27f35b7920746b564a169e9 (HEAD -> master, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S vim_regsub_both_poc -c :qa!
  helplang=en  readonly  updatecount=0nowritenoloadplugins  scroll=5  viminfofile=NONE  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  updatecount=0nowritenoloadplugins  scroll=3  viminfofile=NONE  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  spell  viminfofile=NONEnoloadplugins  scroll=2  updatecount=0nowrite  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  spell  viminfofile=NONEnoloadplugins  scroll=2  updatecount=0nowrite  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  spell  viminfofile=NONEnoloadplugins  scroll=1  updatecount=0nowrite  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  spell  viminfofile=NONEnoloadplugins  scroll=1  updatecount=0nowrite  fileencodings=ucs-bom,utf-8,default,latin1
  helplang=en  readonly  spell  viminfofile=NONEnoloadplugins  scroll=1  updatecount=0nowrite  fileencodings=ucs-bom,utf-8,default,latin1
=================================================================
==567534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000bc37 at pc 0x56014d6ccf64 bp 0x7ffd19b5cd00 sp 0x7ffd19b5ccf0
WRITE of size 1 at 0x60600000bc37 thread T0
    #0 0x56014d6ccf63 in vim_regsub_both /home/limweicheng/Desktop/Fuzz/vim/src/regexp.c:2482
    #1 0x56014d7ac3d6 in vim_regsub_multi /home/limweicheng/Desktop/Fuzz/vim/src/regexp.c:1972
    #2 0x56014d0cdf70 in ex_substitute /home/limweicheng/Desktop/Fuzz/vim/src/ex_cmds.c:4660
    #3 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #4 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #5 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #6 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #7 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #8 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #9 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #10 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #11 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #12 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #13 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #14 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #15 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #16 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #17 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #18 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #19 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #20 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #21 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #22 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #23 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #24 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #25 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #26 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #27 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #28 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #29 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #30 0x56014d826e5b in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1236
    #31 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #32 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #33 0x56014d820415 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
    #34 0x56014d826b60 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1908
    #35 0x56014d826b60 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1253
    #36 0x56014d141816 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
    #37 0x56014d141816 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
    #38 0x56014de98d21 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3173
    #39 0x56014de98d21 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:790
    #40 0x56014cd6d275 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:441
    #41 0x7f8d8199bd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #42 0x7f8d8199be3f in __libc_start_main_impl ../csu/libc-start.c:392
    #43 0x56014cd73f94 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x1a0f94)

0x60600000bc37 is located 3 bytes to the right of 52-byte region [0x60600000bc00,0x60600000bc34)
allocated by thread T0 here:
    #0 0x7f8d82435867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56014cd744ea in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/regexp.c:2482 in vim_regsub_both
Shadow bytes around the buggy address:
  0x0c0c7fff9730: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9740: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c7fff9750: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9760: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9770: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c7fff9780: 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==567534==ABORTING

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

References

We are processing your report and will contact the vim team within 24 hours. 3 months ago
soaarony modified the report
3 months ago
We have contacted a member of the vim team and are waiting to hear back 3 months ago
Christian
3 months ago

Maintainer


thanks

Christian
3 months ago

Maintainer


should be fixed now

Christian Brabandt validated this vulnerability 3 months ago
soaarony has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in 9.0.1873 with commit f6d28f 3 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 3 months ago
to join this conversation