heap-buffer-overflow in function utfc_ptr2len in vim/vim
Valid
Reported on
Jan 22nd 2023
Description
Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2145
Vim Version
git log
commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 (HEAD -> master, tag: v9.0.1234, origin/master, origin/HEAD)
Both POCs also apply to v9.0.1262:
git log
commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747 (HEAD -> master, tag: v9.0.1262, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -i NONE -n -m -X -Z -e -s -S POC4 -c :qa!
=================================================================
==2677684==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ed2 at pc 0x55eb9e00811e bp 0x7fff6aa0cb30 sp 0x7fff6aa0cb20
READ of size 1 at 0x602000006ed2 thread T0
#0 0x55eb9e00811d in utfc_ptr2len /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145
#1 0x55eb9e142732 in get_visual_text /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:3678
#2 0x55eb9e148a2b in nv_zg_zw /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2613
#3 0x55eb9e148a2b in nv_zet /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2990
#4 0x55eb9e1378c5 in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:938
#5 0x55eb9dd79252 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887
#6 0x55eb9dd79c11 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850
#7 0x55eb9dd79c11 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768
#8 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#9 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#10 0x55eb9e467315 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1726
#11 0x55eb9e46dbd0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1872
#12 0x55eb9e46dbd0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1217
#13 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#14 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#15 0x55eb9eac1b81 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
#16 0x55eb9eac1b81 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
#17 0x55eb9d9c98e7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
#18 0x7f58cd15dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#19 0x7f58cd15de3f in __libc_start_main_impl ../csu/libc-start.c:392
#20 0x55eb9d9d0594 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199594)
0x602000006ed2 is located 0 bytes to the right of 2-byte region [0x602000006ed0,0x602000006ed2)
allocated by thread T0 here:
#0 0x7f58cdbf7867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55eb9d9d0aea in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145 in utfc_ptr2len
Shadow bytes around the buggy address:
0x0c047fff8d80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8d90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8da0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa
=>0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa[02]fa fa fa fd fa
0x0c047fff8de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 07 fa
0x0c047fff8e20: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2677684==ABORTING
Impact
This vulnerability is capable of crashing software, modify memory, and possible remote execution.
References
We are processing your report and will contact the
vim
team within 24 hours.
8 months ago
soaarony modified the report
8 months ago
We have contacted a member of the
vim
team and are waiting to hear back
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
8 months ago
soaarony modified the report
7 months ago
I cannot reproduce the problem. The stack trace indicates that Visual mode is active, but in the POC I don't see a command that starts Visual mode. I cannot guess what matters for reproducing the problem.
Hi Sir, this vulnerability is patched at here
But the vulnerability is found same time as same_leader under this link . It was my bad back then to report two bugs in a single report. Not sure if a CVE can still be assigned to the finding of this vulnerability?
If not, I don't mind closing this bug report on my end. Thank you!!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
to join this conversation