Heap-use-after-free in function buflist_altfpos in vim in vim/vim

Valid

Reported on

Aug 17th 2023


Description

Heap-use-after-free in function buflist_altfpos at buffer.c:3703

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S ./poc_huaf -c :qa!

==1404==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000011940 at pc 0x0000004a4dbe bp 0x7ffc6204d090 sp 0x7ffc6204d080
READ of size 4 at 0x625000011940 thread T0
    #0 0x4a4dbd in buflist_altfpos /home/fuzz/asan_program/vim/src/buffer.c:3703
    #1 0x78a8b7 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2694
    #2 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
    #3 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #4 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #5 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #6 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #7 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #8 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #9 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #10 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #11 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #12 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #13 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #14 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #15 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    #16 0x446fde  (/home/fuzz/bug_finder/bug_validate/vimtest1/vim_asan+0x446fde)

0x625000011940 is located 64 bytes inside of 9176-byte region [0x625000011900,0x625000013cd8)
freed by thread T0 here:
    #0 0x7fee9555c23f in free (/lib64/libasan.so.5+0x10c23f)
    #1 0x47886c in apply_autocmds_group /home/fuzz/asan_program/vim/src/autocmd.c:2385
    #2 0x481acf in apply_autocmds /home/fuzz/asan_program/vim/src/autocmd.c:1780
    #3 0xb0cfda in may_trigger_modechanged /home/fuzz/asan_program/vim/src/misc1.c:2806
    #4 0xbcd17e in end_visual_mode_keep_button /home/fuzz/asan_program/vim/src/normal.c:1165
    #5 0xbcd17e in end_visual_mode /home/fuzz/asan_program/vim/src/normal.c:1120
    #6 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1190
    #7 0xbcd17e in reset_VIsual /home/fuzz/asan_program/vim/src/normal.c:1186
    #8 0x7899d4 in do_ecmd /home/fuzz/asan_program/vim/src/ex_cmds.c:2653
    #9 0x457614 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:738
    #10 0x457614 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #11 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #12 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #13 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #14 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #15 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #16 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #17 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #18 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #19 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #20 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #21 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #22 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)

previously allocated by thread T0 here:
    #0 0x7fee9555c82e in calloc (/lib64/libasan.so.5+0x10c82e)
    #1 0x447ab4 in lalloc /home/fuzz/asan_program/vim/src/alloc.c:246
    #2 0x447ab4 in alloc_clear /home/fuzz/asan_program/vim/src/alloc.c:177
    #3 0x140d552 in win_alloc /home/fuzz/asan_program/vim/src/window.c:5502
    #4 0x1454b36 in win_split_ins /home/fuzz/asan_program/vim/src/window.c:1187
    #5 0x457164 in do_argfile /home/fuzz/asan_program/vim/src/arglist.c:708
    #6 0x457164 in ex_rewind /home/fuzz/asan_program/vim/src/arglist.c:649
    #7 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #8 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #9 0xf03484 in do_source_ext /home/fuzz/asan_program/vim/src/scriptfile.c:1760
    #10 0xf21643 in do_source /home/fuzz/asan_program/vim/src/scriptfile.c:1906
    #11 0xf21643 in cmd_source /home/fuzz/asan_program/vim/src/scriptfile.c:1251
    #12 0xf21643 in ex_source /home/fuzz/asan_program/vim/src/scriptfile.c:1277
    #13 0x8047e5 in do_one_cmd /home/fuzz/asan_program/vim/src/ex_docmd.c:2582
    #14 0x80d399 in do_cmdline /home/fuzz/asan_program/vim/src/ex_docmd.c:994
    #15 0x15ec5af in exe_commands /home/fuzz/asan_program/vim/src/main.c:3173
    #16 0x15ec5af in vim_main2 /home/fuzz/asan_program/vim/src/main.c:790
    #17 0x442afa in main /home/fuzz/asan_program/vim/src/main.c:441
    #18 0x7fee94545554 in __libc_start_main (/lib64/libc.so.6+0x22554)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzz/asan_program/vim/src/buffer.c:3703 in buflist_altfpos
Shadow bytes around the buggy address:
  0x0c4a7fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fffa320: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c4a7fffa330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1404==ABORTING

here are three different triggering poc : https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf1?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf2?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf3?raw=true

Impact

This vulnerability is capable of crashing software, modify memory, and possible remote execution.

We are processing your report and will contact the vim team within 24 hours. 6 months ago
fizz-is-on-the-way
6 months ago

Researcher


hello, I am new to huntr.dev. I am tring to upload the POC, but I just can't find the place. please let me know ! thanks

We have contacted a member of the vim team and are waiting to hear back 6 months ago
fizz-is-on-the-way
6 months ago

Researcher


here are three different triggering poc : https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf1?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf2?raw=true https://github.com/fizz-is-on-the-way/vim/blob/main/poc_huaf3?raw=true

fizz-is-on-the-way modified the report
6 months ago
Christian
6 months ago

Maintainer


those pocs don't seem to be available anymore

fizz-is-on-the-way
6 months ago

Researcher


sorry,the repository was private before. I just make it public. Please try it agian

fizz-is-on-the-way
6 months ago

Researcher


the version of vim is 9.0.1672

Christian
6 months ago

Maintainer


Fixed as of https://github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c

Christian Brabandt validated this vulnerability 6 months ago

Thanks!

fizz-is-on-the-way has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
fizz-is-on-the-way
6 months ago

Researcher


Can you assign a CVE for this? thanks

Christian
6 months ago

Maintainer


I have no ida how to do this.

fizz-is-on-the-way
6 months ago

Researcher


well, the website says it will be assigned a CVE within one hour! And I see most valid bug was assigned CVE.

fizz-is-on-the-way
6 months ago

Researcher


maybe you need to mark this as fixed

fizz-is-on-the-way
6 months ago

Researcher


the poc were now change to : https://github.com/fizz-is-on-the-way/poc_vim/blob/main/poc_huaf1?raw=true https://github.com/fizz-is-on-the-way/poc_vim/blob/main/poc_huaf2?raw=true https://github.com/fizz-is-on-the-way/poc_vim/blob/main/poc_huaf3?raw=true

Christian Brabandt marked this as fixed in 9.0.1840 with commit e1dc9a 6 months ago
Christian Brabandt has been awarded the fix bounty
This vulnerability has now been published 6 months ago
fizz-is-on-the-way
6 months ago

Researcher


thanks!

to join this conversation