Heap Use After Free in function ins_compl_get_exp

2023-01-2214:49:36

jieyongma

www.huntr.dev

heap use after free

function ins_compl_get_exp

insexpand.c:3846

poc

address 0x625000006394

asan

vim version

git log

0.001 Low

EPSS

Percentile

23.1%

JSON

Description

Heap Use After Free in function ins_compl_get_exp at insexpand.c:3846

vim version

git log
commit 7193323b7796c05573f3aa89d422e848feb3a8dc (HEAD -&gt; master, tag: v9.0.1223, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf01_s.dat -c :qa!
=================================================================
==2302704==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000006394 at pc 0x555555d4d2c1 bp 0x7fffffffbcc0 sp 0x7fffffffbcb0
WRITE of size 4 at 0x625000006394 thread T0
    #0 0x555555d4d2c0 in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3846
    #1 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
    #2 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
    #3 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
    #4 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
    #5 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
    #6 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
    #7 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
    #8 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #9 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #10 0x555555b199ff in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #11 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #12 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #13 0x55555633a827 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1672
    #14 0x55555633d026 in do_source /home/fuzz/vim/src/scriptfile.c:1818
    #15 0x555556335719 in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #16 0x555556335872 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #17 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #18 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #19 0x555555aa1bbc in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #20 0x555556adbcd0 in exe_commands /home/fuzz/vim/src/main.c:3146
    #21 0x555556ac5d78 in vim_main2 /home/fuzz/vim/src/main.c:782
    #22 0x555556ac3250 in main /home/fuzz/vim/src/main.c:433
    #23 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308
    #24 0x55555569724d in _start (/home/fuzz/vim/src/vim+0x14324d)

0x625000006394 is located 4756 bytes inside of 9424-byte region [0x625000005100,0x6250000075d0)
freed by thread T0 here:
    #0 0x7ffff769040f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
    #1 0x555555698b50 in vim_free /home/fuzz/vim/src/alloc.c:615
    #2 0x5555556ec3a1 in free_buffer /home/fuzz/vim/src/buffer.c:984
    #3 0x5555556e9f36 in close_buffer /home/fuzz/vim/src/buffer.c:769
    #4 0x5555556ee794 in empty_curbuf /home/fuzz/vim/src/buffer.c:1246
    #5 0x5555556f1c07 in do_buffer_ext /home/fuzz/vim/src/buffer.c:1439
    #6 0x5555556f5da5 in do_buffer /home/fuzz/vim/src/buffer.c:1652
    #7 0x5555556f5f53 in do_bufdel /home/fuzz/vim/src/buffer.c:1686
    #8 0x555555af1448 in ex_bunload /home/fuzz/vim/src/ex_docmd.c:5543
    #9 0x555555abd90f in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #10 0x555555aa5e49 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #11 0x555556722c9c in call_user_func /home/fuzz/vim/src/userfunc.c:3041
    #12 0x55555672545f in call_user_func_check /home/fuzz/vim/src/userfunc.c:3203
    #13 0x55555672bbf6 in call_func /home/fuzz/vim/src/userfunc.c:3759
    #14 0x555556727e3b in call_callback /home/fuzz/vim/src/userfunc.c:3504
    #15 0x55555653cd8f in find_tagfunc_tags /home/fuzz/vim/src/tag.c:1480
    #16 0x5555565415b9 in findtags_apply_tfu /home/fuzz/vim/src/tag.c:1847
    #17 0x555556552ed2 in find_tags /home/fuzz/vim/src/tag.c:3153
    #18 0x555555d46a70 in get_next_tag_completion /home/fuzz/vim/src/insexpand.c:3400
    #19 0x555555d4b5d2 in get_next_completion_match /home/fuzz/vim/src/insexpand.c:3715
    #20 0x555555d4cbad in ins_compl_get_exp /home/fuzz/vim/src/insexpand.c:3823
    #21 0x555555d4fd14 in find_next_completion_match /home/fuzz/vim/src/insexpand.c:4058
    #22 0x555555d510a5 in ins_compl_next /home/fuzz/vim/src/insexpand.c:4160
    #23 0x555555d5bb23 in ins_complete /home/fuzz/vim/src/insexpand.c:5018
    #24 0x5555558d1dc5 in edit /home/fuzz/vim/src/edit.c:1289
    #25 0x555555f87569 in invoke_edit /home/fuzz/vim/src/normal.c:7049
    #26 0x555555f870dd in nv_edit /home/fuzz/vim/src/normal.c:7019
    #27 0x555555f28ab6 in normal_cmd /home/fuzz/vim/src/normal.c:938
    #28 0x555555b1b122 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #29 0x555555b1aab7 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850

previously allocated by thread T0 here:
    #0 0x7ffff7690808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x555555697ed6 in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x5555556978ce in alloc_clear /home/fuzz/vim/src/alloc.c:177
    #3 0x5555556fcc86 in buflist_new /home/fuzz/vim/src/buffer.c:2156
    #4 0x55555692e35a in win_alloc_firstwin /home/fuzz/vim/src/window.c:4251
    #5 0x55555692da9e in win_alloc_first /home/fuzz/vim/src/window.c:4185
    #6 0x555556ac6cd4 in common_init /home/fuzz/vim/src/main.c:976
    #7 0x555556ac204e in main /home/fuzz/vim/src/main.c:186
    #8 0x7ffff71f9082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/vim/src/insexpand.c:3846 in ins_compl_get_exp
Shadow bytes around the buggy address:
  0x0c4a7fff8c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=&gt;0x0c4a7fff8c70: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff8cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2302704==ABORTING