OOB Write ops.c in vim/vim


Reported on

May 26th 2023


Distributor ID: Debian
Description:    Debian GNU/Linux bookworm/sid


I checked against the master branch at commit 50809a45ebde327cb6fdcc727d7466e926aed713 .


This AddressSanitizer output is indicating a write to the 0x7fd0c2103000 address, this is because the testcase causes line 2923 in /src/ops.c in the do_addsub() function to read outside the bounds of buf2.

C Code

buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';  

Assembly from debugging

Relevant registers
*RAX  0x7ffff720e800 ◂— 0xbebebebebebebebe # the 0xbe repeating is an artifact from afl/asan instrumentation
*R8   0xfffffffff720e800

Relevant asm line
mov    cl, byte ptr [rax + r8] #do_addsub+19009


ASAN_OPTIONS=verbosity=2 AFL_MAP_SIZE=410000 ./vim -u NONE -i NONE -n -m -X -Z -e -s -S a_small_crash -c :qa!

POC File


==3654==ERROR: AddressSanitizer: SEGV on unknown address 0x7fd0c2103000 (pc 0x559b90d55551 bp 0x7ffc229e5210 sp 0x7ffc229e4de0 T0)
==3654==The signal is caused by a READ memory access.
    #0 0x559b90d55551 in do_addsub /path/to/vim/src/ops.c:2923:13
    #1 0x559b90d4ff2e in op_addsub /path/to/vim/src/ops.c:2444:15
    #2 0x559b90c9c9e6 in nv_addsub /path/to/vim/src/normal.c:2032:2
    #3 0x559b90d24cfc in normal_cmd /path/to/vim/src/normal.c:939:5
    #4 0x559b90904981 in exec_normal /path/to/vim/src/ex_docmd.c
    #5 0x559b90896656 in exec_normal_cmd /path/to/vim/src/ex_docmd.c:8875:5
    #6 0x559b90896656 in ex_normal //path/to/vim/src/ex_docmd.c:8793:6
    #7 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #8 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #9 0x559b9108a548 in do_source_ext /path/to/vim/src/scriptfile.c:1760:5
    #10 0x559b9109dc31 in do_source /path/to/vim/src/scriptfile.c:1906:12
    #11 0x559b9109dc31 in cmd_source /path/to/vim/src/scriptfile.c:1251:14
    #12 0x559b908bf9b4 in do_one_cmd /path/to/vim/src/ex_docmd.c:2582:2
    #13 0x559b908bf9b4 in do_cmdline /path/to/vim/src/ex_docmd.c:994:17
    #14 0x559b91771818 in do_cmdline_cmd /path/to/vim/src/ex_docmd.c:588:12
    #15 0x559b91771818 in exe_commands /path/to/vim/src/main.c:3150:2
    #16 0x559b91771818 in vim_main2 /path/to/vim/src/main.c:782:2
    #17 0x559b91769146 in main /path/to/vim/src/main.c:433:12
    #18 0x7fd06122a189 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #19 0x7fd06122a244 in __libc_start_main csu/../csu/libc-start.c:381:3
    #20 0x559b903d3260 in _start (/path/to/vim_tmp/vim+0x2f9260) (BuildId: ad6111dc02ebe39a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/to/vim/src/ops.c:2923:13 in do_addsub

# Impact

crashing vim in with vim script has a fairly low impact since it requires someone to run the script or to be loaded with an environment. A out of bounds write could cause a crash, affecting the availability of vim until th


line that triggers the OOB

We are processing your report and will contact the vim team within 24 hours. 4 months ago
We have contacted a member of the vim team and are waiting to hear back 4 months ago
4 months ago


Let me know if you want my harness.

4 months ago


@admin can you ping please

3 months ago


Bram the maintainer is on the platform, please be patient

20 days ago


Hi, I cannot verify the OOB write for buf2. However, I think the following patch would fix it:

diff --git a/src/ops.c b/src/ops.c
index d46a049fe..f4524d3d7 100644
--- a/src/ops.c
+++ b/src/ops.c
@@ -2919,7 +2919,7 @@ do_addsub(
            for (bit = bits; bit > 0; bit--)
                if ((n >> (bit - 1)) & 0x1) break;

-           for (i = 0; bit > 0; bit--)
+           for (i = 0; bit > 0 && i < (NUMBUFLEN - 1); bit--)
                buf2[i++] = ((n >> (bit - 1)) & 0x1) ? '1' : '0';

            buf2[i] = '\0';

can you please verify?

20 days ago


Also, sorry for taking that long. I did not notice those open bug reports here. I had a look a few weeks ago and I did not see any open reports. It's just yesterday that I noticed those open ones here.

20 days ago


Will test patch and report back.

Christian Brabandt validated this vulnerability 19 days ago
coolkingcole has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christian Brabandt marked this as fixed in 9.0.1847 with commit 889f6a 19 days ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has been assigned a CVE
Christian Brabandt published this vulnerability 19 days ago
ops.c#L2922-L2923 has been validated
to join this conversation