Buffer Over-read in function utf_ptr2char

2022-05-2203:06:47

jieyongma

www.huntr.dev

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

29.7%

JSON

Description

Buffer Over-read in function utf_ptr2char at mbyte.c:1794

vim version

git log
commit 31d9948e3a2529c2f619d56bdb48291dc261233d (HEAD -&gt; master, tag: v8.2.5026, origin/master, origin/HEAD)

POC

./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_h10_n_s.dat -c :qa!
=================================================================
==3756371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x000000a464c9 bp 0x7fffffff4d30 sp 0x7fffffff4d28
READ of size 1 at 0x621000013d00 thread T0
    #0 0xa464c8 in utf_ptr2char /home/fuzz/fuzz/vim/vim/src/mbyte.c:1794:9
    #1 0xaac9f3 in gchar_pos /home/fuzz/fuzz/vim/vim/src/misc1.c:523:9
    #2 0x10a9485 in findsent /home/fuzz/fuzz/vim/vim/src/textobject.c:50:6
    #3 0xa1b89e in getmark_buf_fnum /home/fuzz/fuzz/vim/vim/src/mark.c:354:6
    #4 0xa1ae69 in getmark_buf /home/fuzz/fuzz/vim/vim/src/mark.c:287:12
    #5 0xda6891 in nfa_regmatch /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:6786:9
    #6 0xd96fd0 in nfa_regtry /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7193:14
    #7 0xd94cb7 in nfa_regexec_both /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7388:14
    #8 0xcf6ed1 in nfa_regexec_multi /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7608:12
    #9 0xcf3e72 in vim_regexec_multi /home/fuzz/fuzz/vim/vim/src/regexp.c:2866:14
    #10 0x7af73f in ex_substitute /home/fuzz/fuzz/vim/vim/src/ex_cmds.c:4008:11
    #11 0x7dc8e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
    #12 0x7c96a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
    #13 0xe5884c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
    #14 0xe552a6 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
    #15 0xe54bdc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
    #16 0xe542be in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
    #17 0x7dc8e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
    #18 0x7c96a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
    #19 0x7ce2f1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
    #20 0x1424832 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
    #21 0x14209cb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
    #22 0x14160c5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
    #23 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #24 0x41ea6d in _start (/home/fuzz/fuzz-vim/vim/src/vim+0x41ea6d)

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x499ccd in malloc (/home/fuzz/fuzz-vim/vim/src/vim+0x499ccd)
    #1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
    #2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
    #3 0x142e2e5 in mf_alloc_bhdr /home/fuzz/fuzz/vim/vim/src/memfile.c:884:21
    #4 0x142d0f7 in mf_new /home/fuzz/fuzz/vim/vim/src/memfile.c:375:26
    #5 0xa620b8 in ml_new_data /home/fuzz/fuzz/vim/vim/src/memline.c:4080:15
    #6 0xa60a61 in ml_open /home/fuzz/fuzz/vim/vim/src/memline.c:394:15
    #7 0x50119a in open_buffer /home/fuzz/fuzz/vim/vim/src/buffer.c:186:9
    #8 0x142207c in create_windows /home/fuzz/fuzz/vim/vim/src/main.c:2875:9
    #9 0x142034a in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:711:5
    #10 0x14160c5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
    #11 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/vim/src/mbyte.c:1794:9 in utf_ptr2char
Shadow bytes around the buggy address:
  0x0c427fffa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=&gt;0x0c427fffa7a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3756371==ABORTING