Use After Free in function string_quote at vim/src/strings.c:777
git log
commit c9b6570fab46bf2c246a954cfb8c0d95fe2746b3 (grafted, HEAD -> master, tag: v9.0.0203, origin/master, origin/HEAD)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1_uaf.dat -c :qa!
=================================================================
==60044==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000250 at pc 0x7f3438582a7d bp 0x7ffd85eaae90 sp 0x7ffd85eaa638
READ of size 2 at 0x604000000250 thread T0
#0 0x7f3438582a7c in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354
#1 0x559d5c7889ba in string_quote /home/fuzz/vim/src/strings.c:777
#2 0x559d5c35cf02 in echo_string_core /home/fuzz/vim/src/eval.c:5470
#3 0x559d5c83ea0e in tv2string /home/fuzz/vim/src/typval.c:2413
#4 0x559d5c809fc3 in fill_assert_error /home/fuzz/vim/src/testing.c:236
#5 0x559d5c80cdac in f_assert_fails /home/fuzz/vim/src/testing.c:730
#6 0x559d5c36f041 in call_internal_func /home/fuzz/vim/src/evalfunc.c:2984
#7 0x559d5c874b6f in call_func /home/fuzz/vim/src/userfunc.c:3632
#8 0x559d5c86b461 in get_func_tv /home/fuzz/vim/src/userfunc.c:1834
#9 0x559d5c88102f in ex_call /home/fuzz/vim/src/userfunc.c:5592
#10 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#11 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#12 0x559d5c6f340d in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#13 0x559d5c6f453f in do_source /home/fuzz/vim/src/scriptfile.c:1801
#14 0x559d5c6f10ce in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#15 0x559d5c6f1133 in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#16 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#17 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#18 0x559d5c3ce825 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#19 0x559d5c9ca784 in exe_commands /home/fuzz/vim/src/main.c:3133
#20 0x559d5c9c38f2 in vim_main2 /home/fuzz/vim/src/main.c:780
#21 0x559d5c9c31aa in main /home/fuzz/vim/src/main.c:432
#22 0x7f3438191082 in __libc_start_main ../csu/libc-start.c:308
#23 0x559d5c24fe4d in _start (/home/fuzz/vim/src/vim+0x139e4d)
0x604000000250 is located 0 bytes inside of 34-byte region [0x604000000250,0x604000000272)
freed by thread T0 here:
#0 0x7f343862840f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x559d5c25053a in vim_free /home/fuzz/vim/src/alloc.c:625
#2 0x559d5c832cdd in clear_tv /home/fuzz/vim/src/typval.c:115
#3 0x559d5c39e5b3 in set_vim_var_string /home/fuzz/vim/src/evalvars.c:2677
#4 0x559d5c9d3e32 in emsg_core /home/fuzz/vim/src/message.c:686
#5 0x559d5c9d454f in emsg /home/fuzz/vim/src/message.c:785
#6 0x559d5c6698a5 in seen_endbrace /home/fuzz/vim/src/regexp_bt.c:1228
#7 0x559d5c6a2ece in nfa_regatom /home/fuzz/vim/src/regexp_nfa.c:1491
#8 0x559d5c6a6bed in nfa_regpiece /home/fuzz/vim/src/regexp_nfa.c:2152
#9 0x559d5c6a7adc in nfa_regconcat /home/fuzz/vim/src/regexp_nfa.c:2396
#10 0x559d5c6a7ba9 in nfa_regbranch /home/fuzz/vim/src/regexp_nfa.c:2429
#11 0x559d5c6a802e in nfa_reg /home/fuzz/vim/src/regexp_nfa.c:2490
#12 0x559d5c6a8460 in re2post /home/fuzz/vim/src/regexp_nfa.c:2910
#13 0x559d5c6bbe5b in nfa_regcomp /home/fuzz/vim/src/regexp_nfa.c:7445
#14 0x559d5c6bc701 in vim_regcomp /home/fuzz/vim/src/regexp.c:2734
#15 0x559d5c34c39c in pattern_match /home/fuzz/vim/src/eval.c:2053
#16 0x559d5c80c861 in f_assert_fails /home/fuzz/vim/src/testing.c:666
#17 0x559d5c36f041 in call_internal_func /home/fuzz/vim/src/evalfunc.c:2984
#18 0x559d5c874b6f in call_func /home/fuzz/vim/src/userfunc.c:3632
#19 0x559d5c86b461 in get_func_tv /home/fuzz/vim/src/userfunc.c:1834
#20 0x559d5c88102f in ex_call /home/fuzz/vim/src/userfunc.c:5592
#21 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#22 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#23 0x559d5c6f340d in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#24 0x559d5c6f453f in do_source /home/fuzz/vim/src/scriptfile.c:1801
#25 0x559d5c6f10ce in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#26 0x559d5c6f1133 in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#27 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#28 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#29 0x559d5c3ce825 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
previously allocated by thread T0 here:
#0 0x7f3438628808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x559d5c25028a in lalloc /home/fuzz/vim/src/alloc.c:246
#2 0x559d5c25007b in alloc /home/fuzz/vim/src/alloc.c:151
#3 0x559d5c7860f5 in vim_strsave /home/fuzz/vim/src/strings.c:27
#4 0x559d5c39e682 in set_vim_var_string /home/fuzz/vim/src/evalvars.c:2682
#5 0x559d5c9d3e32 in emsg_core /home/fuzz/vim/src/message.c:686
#6 0x559d5c9d454f in emsg /home/fuzz/vim/src/message.c:785
#7 0x559d5c3d991b in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2623
#8 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#9 0x559d5c3ce825 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#10 0x559d5c80c375 in f_assert_fails /home/fuzz/vim/src/testing.c:617
#11 0x559d5c36f041 in call_internal_func /home/fuzz/vim/src/evalfunc.c:2984
#12 0x559d5c874b6f in call_func /home/fuzz/vim/src/userfunc.c:3632
#13 0x559d5c86b461 in get_func_tv /home/fuzz/vim/src/userfunc.c:1834
#14 0x559d5c88102f in ex_call /home/fuzz/vim/src/userfunc.c:5592
#15 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#16 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#17 0x559d5c6f340d in do_source_ext /home/fuzz/vim/src/scriptfile.c:1674
#18 0x559d5c6f453f in do_source /home/fuzz/vim/src/scriptfile.c:1801
#19 0x559d5c6f10ce in cmd_source /home/fuzz/vim/src/scriptfile.c:1174
#20 0x559d5c6f1133 in ex_source /home/fuzz/vim/src/scriptfile.c:1200
#21 0x559d5c3d91e8 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2570
#22 0x559d5c3d048b in do_cmdline /home/fuzz/vim/src/ex_docmd.c:992
#23 0x559d5c3ce825 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:586
#24 0x559d5c9ca784 in exe_commands /home/fuzz/vim/src/main.c:3133
#25 0x559d5c9c38f2 in vim_main2 /home/fuzz/vim/src/main.c:780
#26 0x559d5c9c31aa in main /home/fuzz/vim/src/main.c:432
#27 0x7f3438191082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c087fff8000: fa fa 00 00 00 00 00 04 fa fa 00 00 00 00 00 04
0x0c087fff8010: fa fa 00 00 00 00 02 fa fa fa fd fd fd fd fd fa
0x0c087fff8020: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
0x0c087fff8030: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 01 fa
=>0x0c087fff8040: fa fa 00 00 00 00 02 fa fa fa[fd]fd fd fd fd fa
0x0c087fff8050: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 02 fa
0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==60044==ABORTING
<p><a href=“https://github.com/Janette88/vim/blob/main/poc1_uaf.dat”>poc1_uaf.dat</a></p>