Lucene search
SoaaronyDB7BE8D6-6CB7-4AE5-9C4E-805423AFA378HistoryJan 22, 2023 - 3:44 p.m.
heap-buffer-overflow in function utfc_ptr2len
2023-01-2215:44:03
soaarony
www.huntr.dev
14
heap-buffer-overflow
addresssanitizer
vim-version
pocs
fuzzing
0.001 Low
EPSS
Percentile
19.8%
Description
Heap-based Buffer Overflow in function utfc_ptr2len at mbyte.c:2145
Vim Version
git log
commit ebfec1c531f32d424bb2aca6e7391ef3bfcbfe20 (HEAD -> master, tag: v9.0.1234, origin/master, origin/HEAD)
Both POCs also apply to v9.0.1262:
git log
commit f2e30d0c448b9754d0d4daa901b51fbbf4c30747 (HEAD -> master, tag: v9.0.1262, origin/master, origin/HEAD)
Proof of Concept
./vim -u NONE -i NONE -n -m -X -Z -e -s -S POC4 -c :qa!
=================================================================
==2677684==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000006ed2 at pc 0x55eb9e00811e bp 0x7fff6aa0cb30 sp 0x7fff6aa0cb20
READ of size 1 at 0x602000006ed2 thread T0
#0 0x55eb9e00811d in utfc_ptr2len /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145
#1 0x55eb9e142732 in get_visual_text /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:3678
#2 0x55eb9e148a2b in nv_zg_zw /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2613
#3 0x55eb9e148a2b in nv_zet /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:2990
#4 0x55eb9e1378c5 in normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/normal.c:938
#5 0x55eb9dd79252 in exec_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8887
#6 0x55eb9dd79c11 in exec_normal_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8850
#7 0x55eb9dd79c11 in ex_normal /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:8768
#8 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#9 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#10 0x55eb9e467315 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1726
#11 0x55eb9e46dbd0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1872
#12 0x55eb9e46dbd0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1217
#13 0x55eb9dd92d41 in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2580
#14 0x55eb9dd92d41 in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:993
#15 0x55eb9eac1b81 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3146
#16 0x55eb9eac1b81 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:782
#17 0x55eb9d9c98e7 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:433
#18 0x7f58cd15dd8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#19 0x7f58cd15de3f in __libc_start_main_impl ../csu/libc-start.c:392
#20 0x55eb9d9d0594 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x199594)
0x602000006ed2 is located 0 bytes to the right of 2-byte region [0x602000006ed0,0x602000006ed2)
allocated by thread T0 here:
#0 0x7f58cdbf7867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55eb9d9d0aea in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/limweicheng/Desktop/Fuzz/vim/src/mbyte.c:2145 in utfc_ptr2len
Shadow bytes around the buggy address:
0x0c047fff8d80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
0x0c047fff8d90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8da0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
0x0c047fff8db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff8dc0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 01 fa
=>0x0c047fff8dd0: fa fa 00 00 fa fa 01 fa fa fa[02]fa fa fa fd fa
0x0c047fff8de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8df0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8e10: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 07 fa
0x0c047fff8e20: fa fa 01 fa fa fa 01 fa fa fa 05 fa fa fa 01 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2677684==ABORTING
Related
cvelist
cvelist
CVE-2023-4751 Heap-based Buffer Overflow in vim/vim
2023-09-03 18:54:47
debiancve
debiancve
CVE-2023-4751
2023-09-03 19:15:43
nvd
nvd
CVE-2023-4751
2023-09-03 19:15:43
ubuntucve
ubuntucve
CVE-2023-4751
2023-09-03 00:00:00
prion
prion
Heap overflow
2023-09-03 19:15:00
redhatcve
redhatcve
CVE-2023-4751
2023-09-05 15:13:45
cve
cve
CVE-2023-4751
2023-09-03 19:15:43
veracode
veracode
Buffer Overflow
2023-10-08 23:09:50
alpinelinux
alpinelinux
CVE-2023-4751
2023-09-03 19:15:43
nessus
nessus
Amazon Linux AMI : vim (ALAS-2023-1826)
2023-09-25 00:00:00
EulerOS Virtualization 2.10.1 : vim (EulerOS-SA-2023-3514)
2024-01-16 00:00:00
EulerOS 2.0 SP10 : vim (EulerOS-SA-2023-3233)
2024-01-16 00:00:00
amazon
amazon
Important: vim
2023-09-13 23:15:00
Important: vim
2023-09-27 22:48:00
openvas
openvas
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2023-3486)
2023-12-22 00:00:00
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2023-3198)
2023-11-10 00:00:00
Huawei EulerOS: Security Advisory for vim (EulerOS-SA-2023-3233)
2023-11-10 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2023-3.0-0645
2023-09-07 00:00:00
ubuntu
ubuntu
Vim vulnerabilities
2023-10-25 00:00:00
cloudfoundry
cloudfoundry
USN-6452-1: Vim vulnerabilities | Cloud Foundry
2023-12-04 00:00:00
osv
osv
vim vulnerabilities
2023-10-25 16:47:19
apple
apple
About the security content of macOS Sonoma 14.1
2023-10-25 00:00:00