Undefined behavior in diff_write_buffer()

2022-07-1506:15:10

abysslab

www.huntr.dev

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:N/I:N/A:P

0.0005 Low

EPSS

Percentile

14.8%

JSON

Description

Undefined behavior.
(commit hash: 99af91e5820c78a196c9272cd8ce5aa5be7bf374)
It may occur heap-buffer-overflow.

Proof of Concept

Download POC file
POC

GDB

gdb-peda$ r -u NONE -i NONE -n -m -X -Z -e -s -S undefined_poc -c :qa!
0000089bd31 in diff_write_buffer (buf=0x62500000f100, din=&lt;optimized out&gt;)
    at diff.c:755
#3  diff_write (buf=0x62500000f100, din=0x7fffffff9000) at diff.c:827
#4  0x000000000085f358 in diff_try_update (dio=0x7fffffff9000, idx_orig=0x0, eap=0x0)
    at diff.c:888
#5  0x0000000000859daa in ex_diffupdate (eap=0x0) at diff.c:991
#6  0x000000000084f327 in diff_check (wp=0x625000014100, lnum=0x1) at diff.c:1923
#7  0x000000000083cc97 in diff_redraw (dofold=&lt;optimized out&gt;) at diff.c:690
#8  0x000000000088fc47 in ex_diffgetput (eap=0x7fffffff9468) at diff.c:2991
#9  0x00000000008851fd in nv_diffgetput (put=&lt;optimized out&gt;, count=0x0) at diff.c:2642
#10 0x000000000149a452 in normal_cmd (oap=0x7fffffff97e0, toplevel=0x1) at normal.c:939
#11 0x0000000000d2f445 in exec_normal (was_typed=&lt;optimized out&gt;, use_vpeekc=0x0, 
    may_use_terminal_loop=0x0) at ex_docmd.c:8794
#12 0x0000000000d2ac98 in exec_normal_cmd (cmd=&lt;optimized out&gt;, remap=&lt;optimized out&gt;, 
    silent=0x0) at ex_docmd.c:8777
#13 ex_normal (eap=0x7fffffff9c70) at ex_docmd.c:8695
#14 0x0000000000c7d2be in do_one_cmd (cmdlinep=&lt;optimized out&gt;, flags=0x7, 
    cstack=&lt;optimized out&gt;, fgetline=&lt;optimized out&gt;, cookie=&lt;optimized out&gt;)
    at ex_docmd.c:2570
#15 do_cmdline (cmdline=&lt;optimized out&gt;, fgetline=&lt;optimized out&gt;, 
    cookie=&lt;optimized out&gt;, flags=0x7) at ex_docmd.c:992
#16 0x0000000001c8046e in do_source_ext (
    fname=0x6080000004a3 "out/fuzz02/crashes/id:000025,sig:11,src:024149,time:211790218,execs:3659384,op:havoc,rep:8", check_other=0xffffab90, is_vimrc=0x680, ret_sid=0x0, 
    eap=&lt;optimized out&gt;, clearvars=0x0) at scriptfile.c:1674
#17 0x0000000001c7a1ac in do_source (fname=&lt;optimized out&gt;, check_other=0x0, 
    is_vimrc=0x0, ret_sid=0x606000000f20) at scriptfile.c:1801
#18 cmd_source (
    fname=0x6080000004a3 "out/fuzz02/crashes/id:000025,sig:11,src:024149,time:211790218,execs:3659384,op:havoc,rep:8", eap=0x7fffffffae10) at scriptfile.c:1174
#19 0x0000000000c7d2be in do_one_cmd (cmdlinep=&lt;optimized out&gt;, flags=0xb, 
    cstack=&lt;optimized out&gt;, fgetline=&lt;optimized out&gt;, cookie=&lt;optimized out&gt;)
    at ex_docmd.c:2570
#20 do_cmdline (cmdline=&lt;optimized out&gt;, fgetline=&lt;optimized out&gt;, 
    cookie=&lt;optimized out&gt;, flags=0xb) at ex_docmd.c:992
#21 0x0000000002a4b348 in exe_commands (parmp=&lt;optimized out&gt;) at main.c:3133
#22 vim_main2 () at main.c:780
#23 0x0000000002a409c9 in main (argc=0x2, argc@entry=0xf, argv=&lt;optimized out&gt;, 
    argv@entry=0x7fffffffe428) at main.c:432
#24 0x00007ffff6bf8bf7 in __libc_start_main (main=0x2a34a40 &lt;main&gt;, argc=0xf, 
    argv=0x7fffffffe428, init=&lt;optimized out&gt;, fini=&lt;optimized out&gt;, 
    rtld_fini=&lt;optimized out&gt;, stack_end=0x7fffffffe418) at ../csu/libc-start.c:310
#25 0x000000000041c2aa in _start ()

Valgrind

valgrind src/vim -u NONE -i NONE -n -m -X -Z -e -s -S undefined_poc -c :qa!
==19670== Conditional jump or move depends on uninitialised value(s)
==19670==    at 0x554E31: check_string_option (optionstr.c:324)
==19670==    by 0x52BF96: check_winopt (option.c:5773)
==19670==    by 0x551EEA: check_win_options (option.c:5726)
==19670==    by 0x551EEA: set_init_1 (option.c:341)
==19670==    by 0x9AE63E: common_init (main.c:990)
==19670==    by 0x15E4D4: main (main.c:185)
==19670== 
==19670== Conditional jump or move depends on uninitialised value(s)
==19670==    at 0x554E31: check_string_option (optionstr.c:324)
==19670==    by 0x52BFA2: check_winopt (option.c:5774)
==19670==    by 0x551EEA: check_win_options (option.c:5726)
==19670==    by 0x551EEA: set_init_1 (option.c:341)
==19670==    by 0x9AE63E: common_init (main.c:990)
==19670==    by 0x15E4D4: main (main.c:185)
==19670== 
==19670== 
==19670== More than 1000 different errors detected.  I'm not reporting any more.
==19670== Final error counts will be inaccurate.  Go fix your program!
==19670== Rerun with --error-limit=no to disable this cutoff.  Note
==19670== that errors may occur in your program without prior warning from
==19670== Valgrind, because errors are no longer being displayed.
==19670== 
  debug=  define=^\s*#\s*define  dictionary=  diffexpr=  diffopt=internal,filler,closeoff  directory=.,~/tmp,/var/tmp,/tmp  display=
==19670== 
==19670== Process terminating with default action of signal 11 (SIGSEGV)
==19670==    at 0x4A593DB: kill (syscall-template.S:78)
==19670==    by 0x5635D2: may_core_dump (os_unix.c:3519)
==19670==    by 0x56C179: mch_exit (os_unix.c:3485)
==19670==    by 0x9B12BE: getout (main.c:1737)
==19670==    by 0x4A5908F: ??? (in /usr/lib/x86_64-linux-gnu/libc-2.31.so)
==19670==    by 0x483EF45: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==19670==    by 0x200084: diff_write_buffer (diff.c:755)
==19670==    by 0x200084: diff_write (diff.c:827)
==19670==    by 0x2018E7: diff_try_update (diff.c:888)
==19670==    by 0x20CABD: ex_diffupdate (diff.c:991)
==19670==    by 0x20D08A: diff_check (diff.c:1923)
==19670==    by 0x20A063: diff_redraw (diff.c:690)
==19670==    by 0x214066: ex_diffgetput (diff.c:2991)
==19670== 
==19670== HEAP SUMMARY:
==19670==     in use at exit: 2,287,429 bytes in 983 blocks
==19670==   total heap usage: 6,946 allocs, 5,963 frees, 7,398,161 bytes allocated
==19670== 
==19670== LEAK SUMMARY:
==19670==    definitely lost: 5,664 bytes in 4 blocks
==19670==    indirectly lost: 0 bytes in 0 blocks
==19670==      possibly lost: 0 bytes in 0 blocks
==19670==    still reachable: 2,281,765 bytes in 979 blocks
==19670==         suppressed: 0 bytes in 0 blocks
==19670== Rerun with --leak-check=full to see details of leaked memory
==19670== 
==19670== Use --track-origins=yes to see where uninitialised values come from
==19670== For lists of detected and suppressed errors, rerun with: -s
==19670== ERROR SUMMARY: 28632 errors from 1000 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)