7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.3%
When fuzzing vim commit fc78a0369
(works with latest build and latest commit 202b4bd3a
per this time of this report) with clang 13 and ASan, I discovered a buffer overflow.
Here is the poc
https://drive.google.com/file/d/1QFs9OysjzlRQP4hmfnMdfohaEg8lIZ8y/view?usp=sharing
How to build
LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)
Proof of Concept
Run crafted file with this command
./vim -u NONE -X -Z -e -s -S poc_mb_copy_char_min -c :qa!
ASan stack trace:
aldo@vps:~/vimbaru/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_mb_copy_char_min -c :qa!
=================================================================
==829948==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e81 at pc 0x0000006fc616 bp 0x7fffffff8d10 sp 0x7fffffff8d08
WRITE of size 1 at 0x619000000e81 thread T0
#0 0x6fc615 in append_command /home/aldo/vimtes/src/ex_docmd.c:3449:8
#1 0x6d705d in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2618:6
#2 0x6ca342 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
#3 0xafd4a5 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1674:5
#4 0xafaef0 in do_source /home/aldo/vimtes/src/scriptfile.c:1801:12
#5 0xafaa29 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1174:14
#6 0xafa50d in ex_source /home/aldo/vimtes/src/scriptfile.c:1200:2
#7 0x6d6612 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
#8 0x6ca342 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:992:17
#9 0x6cd5d0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:586:12
#10 0xed6bb4 in exe_commands /home/aldo/vimtes/src/main.c:3108:2
#11 0xed48e9 in vim_main2 /home/aldo/vimtes/src/main.c:780:2
#12 0xece1d0 in main /home/aldo/vimtes/src/main.c:432:12
#13 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
#14 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)
0x619000000e81 is located 0 bytes to the right of 1025-byte region [0x619000000a80,0x619000000e81)
allocated by thread T0 here:
#0 0x499c8d in malloc (/home/aldo/vimtes/src/vim+0x499c8d)
#1 0x4cb0e0 in lalloc /home/aldo/vimtes/src/alloc.c:246:11
#2 0x4cb039 in alloc /home/aldo/vimtes/src/alloc.c:151:12
#3 0xece209 in common_init /home/aldo/vimtes/src/main.c:914:19
#4 0xecdd84 in main /home/aldo/vimtes/src/main.c:185:5
#5 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/aldo/vimtes/src/ex_docmd.c:3449:8 in append_command
Shadow bytes around the buggy address:
0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==829948==ABORTING
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
63.3%