Incorrect Calculation of Buffer Size in function yank_copy_line

2023-01-2902:39:59

jieyongma

www.huntr.dev

6.6 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

14.4%

JSON

Description

Incorrect Calculation of Buffer Size in function yank_copy_line at register.c:1468

vim version

git log
commit 657aea7fc47fb919ce76fad64ba0ec55a1af80f1 (HEAD -&gt; master, tag: v9.0.1249, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa!
=================================================================
==1962298==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x7ffff75eafdd in __interceptor_memset ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762
    #1 0x5555562c58ad in yank_copy_line /home/fuzz/vim/src/register.c:1468
    #2 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
    #3 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
    #4 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
    #5 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
    #6 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
    #7 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #8 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #9 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #10 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #11 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #12 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
    #13 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
    #14 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
    #15 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
    #16 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #17 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #18 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #19 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
    #20 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782
    #21 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433
    #22 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
    #23 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)

0x602000007270 is located 0 bytes inside of 2-byte region [0x602000007270,0x602000007272)
allocated by thread T0 here:
    #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x55555569767e in alloc /home/fuzz/vim/src/alloc.c:151
    #3 0x5555562c5715 in yank_copy_line /home/fuzz/vim/src/register.c:1464
    #4 0x5555562c35bd in op_yank /home/fuzz/vim/src/register.c:1290
    #5 0x555555f96baf in op_delete /home/fuzz/vim/src/ops.c:742
    #6 0x555555fa95b9 in op_change /home/fuzz/vim/src/ops.c:1754
    #7 0x555555fd2498 in do_pending_operator /home/fuzz/vim/src/ops.c:4123
    #8 0x555555f29d64 in normal_cmd /home/fuzz/vim/src/normal.c:960
    #9 0x555555b1bb27 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #10 0x555555b1b4bc in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #11 0x555555b1a404 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #12 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #13 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #14 0x55555633c1ab in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
    #15 0x55555633e9aa in do_source /home/fuzz/vim/src/scriptfile.c:1905
    #16 0x5555563370a2 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
    #17 0x5555563371fb in ex_source /home/fuzz/vim/src/scriptfile.c:1276
    #18 0x555555abe320 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #19 0x555555aa6864 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #20 0x555555aa25cd in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #21 0x555556adfa19 in exe_commands /home/fuzz/vim/src/main.c:3146
    #22 0x555556ac9ab9 in vim_main2 /home/fuzz/vim/src/main.c:782
    #23 0x555556ac6f8f in main /home/fuzz/vim/src/main.c:433
    #24 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: negative-size-param ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:762 in __interceptor_memset
==1962298==ABORTING

poc_nsp01_s.dat

GDB

gdb --args ./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_nsp01_s.dat -c :qa!

─── Output/messages ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, yank_copy_line (bd=0x7fffffffbc20, y_idx=0, exclude_trailing_space=0) at register.c:1468
1468        vim_memset(pnew, ' ', (size_t)bd-&gt;startspaces);
─── Assembly ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 0x00005555562c5854  yank_copy_line+883 je     0x5555562c585e &lt;yank_copy_line+893&gt;
 0x00005555562c5856  yank_copy_line+885 mov    %rdx,%rdi
 0x00005555562c5859  yank_copy_line+888 callq  0x555555696b30 &lt;__asan_report_store8@plt&gt;
 0x00005555562c585e  yank_copy_line+893 mov    -0x18(%rbp),%rdx
 0x00005555562c5862  yank_copy_line+897 mov    %rdx,(%rax)
!0x00005555562c5865  yank_copy_line+900 mov    -0x28(%rbp),%rax
 0x00005555562c5869  yank_copy_line+904 mov    %rax,%rdx
 0x00005555562c586c  yank_copy_line+907 mov    %rdx,%rax
 0x00005555562c586f  yank_copy_line+910 shr    $0x3,%rax
 0x00005555562c5873  yank_copy_line+914 add    $0x7fff8000,%rax
─── Breakpoints ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] break at 0x00005555562c5865 in register.c:1468 for /home/fuzz/vim/src/register.c:1468 hit 1 time
─── Expressions ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── History ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Memory ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
─── Registers ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
     rax 0x0000602000007230        rbx 0x0000555556d935e0     rcx 0x0000000000000000     rdx 0x0000602000007250     rsi 0x0000000000000000     rdi 0x0000000000000000     rbp 0x00007fffffffbb00     rsp 0x00007fffffffbac0
      r8 0x00007ffff7fb8000         r9 0x0000000000000002     r10 0x0000602000007240     r11 0x00000000000000e0     r12 0x00007fffffffbd30     r13 0x00000ffffffff772     r14 0x00007fffffffbb90     r15 0x0000555556d86b60
     rip 0x00005555562c5865     eflags [ PF ZF IF ]            cs 0x00000033              ss 0x0000002b              ds 0x00000000              es 0x00000000              fs 0x00000000              gs 0x00000000        
─── Source ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 1463      bd-&gt;endspaces = 0;
 1464      if ((pnew = alloc(bd-&gt;startspaces + bd-&gt;endspaces + bd-&gt;textlen + 1))
 1465                                        == NULL)
 1466      return FAIL;
 1467      y_current-&gt;y_array[y_idx] = pnew;
!1468      vim_memset(pnew, ' ', (size_t)bd-&gt;startspaces);
 1469      pnew += bd-&gt;startspaces;
 1470      mch_memmove(pnew, bd-&gt;textstart, (size_t)bd-&gt;textlen);
 1471      pnew += bd-&gt;textlen;
 1472      vim_memset(pnew, ' ', (size_t)bd-&gt;endspaces);
─── Stack ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[0] from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468
[1] from 0x00005555562c35be in op_yank+11347 at register.c:1290
[2] from 0x0000555555f96bb0 in op_delete+8257 at ops.c:742
[3] from 0x0000555555fa95ba in op_change+1153 at ops.c:1754
[4] from 0x0000555555fd2499 in do_pending_operator+44344 at ops.c:4123
[5] from 0x0000555555f29d65 in normal_cmd+21183 at normal.c:960
[6] from 0x0000555555b1bb28 in exec_normal+1640 at ex_docmd.c:8887
[7] from 0x0000555555b1b4bd in exec_normal_cmd+73 at ex_docmd.c:8850
[8] from 0x0000555555b1a405 in ex_normal+5241 at ex_docmd.c:8768
[9] from 0x0000555555abe321 in do_one_cmd+59341 at ex_docmd.c:2580
[+]
─── Threads ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
[1] id 1972438 name vim from 0x00005555562c5865 in yank_copy_line+900 at register.c:1468
─── Variables ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
arg bd = 0x7fffffffbc20: {startspaces = -1,endspaces = 2,textlen = 0,textstart = 0x621000009cff "",t…, y_idx = 0, exclude_trailing_space = 0
loc pnew = 0x602000007250 "\276\276": 190 '\276'
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
&gt;&gt;&gt; p bd-&gt;startspaces
$2 = -1
&gt;&gt;&gt;