heap-buffer-overflow in utf_ptr2char in vim/vim

Valid

Reported on

Mar 1st 2023


Description

Heap-buffer-overflow in utf_ptr2char at mbyte.c:1825.

vim version

git log
commit f0300fc7b81e63c2584dc3a763dedea4184d17e5 (grafted, HEAD -> master, tag: v9.0.1365, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S poc8_hbo.dat -c :qa
=================================================================
==28015==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000008900 at pc 0x55bde0d0e239 bp 0x7fff1bc7f540 sp 0x7fff1bc7f530
READ of size 1 at 0x621000008900 thread T0
    #0 0x55bde0d0e238 in utf_ptr2char /home/fuzz/vim/src/mbyte.c:1825
    #1 0x55bde0d410af in gchar_cursor /home/fuzz/vim/src/misc1.c:550
    #2 0x55bde0dbe950 in adjust_cursor_eol /home/fuzz/vim/src/ops.c:1873
    #3 0x55bde0ed97e7 in do_put /home/fuzz/vim/src/register.c:2301
    #4 0x55bde0db035d in nv_put_opt /home/fuzz/vim/src/normal.c:7378
    #5 0x55bde0daf772 in nv_put /home/fuzz/vim/src/normal.c:7255
    #6 0x55bde0d866e1 in normal_cmd /home/fuzz/vim/src/normal.c:939
    #7 0x55bde0bff4d3 in exec_normal /home/fuzz/vim/src/ex_docmd.c:8887
    #8 0x55bde0bff292 in exec_normal_cmd /home/fuzz/vim/src/ex_docmd.c:8850
    #9 0x55bde0bfeb36 in ex_normal /home/fuzz/vim/src/ex_docmd.c:8768
    #10 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #11 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #12 0x55bde0f01d65 in do_source_ext /home/fuzz/vim/src/scriptfile.c:1759
    #13 0x55bde0f02fe0 in do_source /home/fuzz/vim/src/scriptfile.c:1905
    #14 0x55bde0effa08 in cmd_source /home/fuzz/vim/src/scriptfile.c:1250
    #15 0x55bde0effa6d in ex_source /home/fuzz/vim/src/scriptfile.c:1276
    #16 0x55bde0bdad87 in do_one_cmd /home/fuzz/vim/src/ex_docmd.c:2580
    #17 0x55bde0bd1ef2 in do_cmdline /home/fuzz/vim/src/ex_docmd.c:993
    #18 0x55bde0bd028c in do_cmdline_cmd /home/fuzz/vim/src/ex_docmd.c:587
    #19 0x55bde12037ab in exe_commands /home/fuzz/vim/src/main.c:3146
    #20 0x55bde11fc8ea in vim_main2 /home/fuzz/vim/src/main.c:782
    #21 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433
    #22 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308
    #23 0x55bde0a44e4d in _start (/home/fuzz/vim/src/vim+0x142e4d)

0x621000008900 is located 0 bytes to the right of 4096-byte region [0x621000007900,0x621000008900)
allocated by thread T0 here:
    #0 0x7fcb6b29a808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x55bde0a4528a in lalloc /home/fuzz/vim/src/alloc.c:246
    #2 0x55bde0a4507b in alloc /home/fuzz/vim/src/alloc.c:151
    #3 0x55bde1207c37 in mf_alloc_bhdr /home/fuzz/vim/src/memfile.c:885
    #4 0x55bde1205f48 in mf_new /home/fuzz/vim/src/memfile.c:375
    #5 0x55bde0d2bba8 in ml_new_data /home/fuzz/vim/src/memline.c:4138
    #6 0x55bde0d19983 in ml_open /home/fuzz/vim/src/memline.c:391
    #7 0x55bde0a618ea in open_buffer /home/fuzz/vim/src/buffer.c:192
    #8 0x55bde1202add in create_windows /home/fuzz/vim/src/main.c:2915
    #9 0x55bde11fc6ac in vim_main2 /home/fuzz/vim/src/main.c:713
    #10 0x55bde11fc19c in main /home/fuzz/vim/src/main.c:433
    #11 0x7fcb6ae03082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/vim/src/mbyte.c:1825 in utf_ptr2char
Shadow bytes around the buggy address:
  0x0c427fff90d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff90e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff90f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff9110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff9120:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff9170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28015==ABORTING

PoC download URL:

https://raw.githubusercontent.com/Janette88/vim/main/poc8_hbo.dat
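Added example, not Vim's code and not part of the report: a small model of the over-read path the trace shows, where a gchar_cursor-style lookup hands the decoder a pointer sitting exactly at the end of a line stored in a 4096-byte block. The decoder here takes an explicit end bound, so a column at or past the line end, or a multi-byte sequence truncated by the bound, yields -1 instead of a one-byte read past the region; the names utf_ptr2char_bounded and char_at_cursor are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef unsigned char char_u;
/* Hypothetical bounded decoder (not Vim's utf_ptr2char): decodes one UTF-8
 * character at p but never reads at or past 'end'. Returns the code point, or
 * -1 when p is already at/after 'end' (the cursor-past-EOL case in the trace),
 * the lead byte is invalid, or the continuation bytes would run past 'end'.
 * *len receives the bytes consumed (0 on -1). */
int utf_ptr2char_bounded(const char_u *p, const char_u *end, int *len)
{
    int need, cp, i;
    *len = 0;
    if (p >= end) return -1;
    if (p[0] < 0x80) { *len = 1; return p[0]; }
    if (p[0] < 0xC2) return -1;                  /* stray continuation / overlong */
    if (p[0] < 0xE0)      { need = 1; cp = p[0] & 0x1F; }
    else if (p[0] < 0xF0) { need = 2; cp = p[0] & 0x0F; }
    else if (p[0] < 0xF5) { need = 3; cp = p[0] & 0x07; }
    else return -1;
    if (end - p < need + 1) return -1;           /* sequence truncated by the bound */
    for (i = 1; i <= need; i++) {
        if ((p[i] & 0xC0) != 0x80) return -1;
        cp = (cp << 6) | (p[i] & 0x3F);
    }
    *len = need + 1;
    return cp;
}

/* Hypothetical gchar_cursor-style lookup: the character at column 'col' of a
 * line of 'line_len' bytes; col == line_len gives -1, not a read past the text. */
int char_at_cursor(const char_u *line, size_t line_len, size_t col)
{
    int len;
    if (col >= line_len) return -1;
    return utf_ptr2char_bounded(line + col, line + line_len, &len);
}

int main(void)
{
    /* Constructed input mirroring the report: the line ends exactly at the end
     * of a 4096-byte heap block and the cursor column equals the line length. */
    char_u *block = malloc(4096);
    memcpy(block + 4093, "a\xC3\xA9", 3);       /* "aé" in the last 3 bytes */
    printf("col 1 -> U+%04X\n", char_at_cursor(block + 4093, 3, 1));  /* U+00E9 */
    printf("col 3 -> %d\n", char_at_cursor(block + 4093, 3, 3));      /* -1, no over-read */
    free(block);
    return 0;
}
```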

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote code execution.

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

I can reproduce it with Valgrind, getting an "uninitialized value" error, but it looks like the same problem.

janette88 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar marked this as fixed in 9.0.1376 with commit 1c73b6 a year ago
Bram Moolenaar has been awarded the fix bounty
This vulnerability has now been published a year ago